BlogCloud
Locking down S3: block public access and enforce encryption
Turn on account-wide Block Public Access, require TLS and encryption with a bucket policy, and verify it.
Almost every public-S3 headline is the same misconfiguration: a bucket left open and unencrypted. Two account-wide settings and one bucket policy close the door — and take two minutes to verify.
Block public access, account-wide
bash
aws s3control put-public-access-block \--account-id 111122223333 \--public-access-block-configuration \BlockPublicAcls=true,IgnorePublicAcls=true,\BlockPublicPolicy=true,RestrictPublicBuckets=true
This is the master switch. Even if someone later writes a public bucket policy, the account-level block overrides it.
Require TLS and encryption
bucket-policy.json
{"Statement": [{"Sid": "DenyInsecureTransport","Effect": "Deny","Principal": "*","Action": "s3:*","Resource": ["arn:aws:s3:::acme-app/*"],"Condition": { "Bool": { "aws:SecureTransport": "false" } }}]}
Turn on default encryption too
Set SSE (SSE-S3 or SSE-KMS) as the bucket default so objects are encrypted even if a client forgets to ask. It is a one-line bucket setting.
Verify it
aws s3api get-public-access-block --bucket acme-appall four flags: true