BlogCloud

Locking down S3: block public access and enforce encryption

Turn on account-wide Block Public Access, require TLS and encryption with a bucket policy, and verify it.

Jul 2, 2025·7 min readBeginner

Almost every public-S3 headline is the same misconfiguration: a bucket left open and unencrypted. Two account-wide settings and one bucket policy close the door — and take two minutes to verify.

Block public access, account-wide

bash
aws s3control put-public-access-block \
--account-id 111122223333 \
--public-access-block-configuration \
BlockPublicAcls=true,IgnorePublicAcls=true,\
BlockPublicPolicy=true,RestrictPublicBuckets=true

This is the master switch. Even if someone later writes a public bucket policy, the account-level block overrides it.

Require TLS and encryption

bucket-policy.json
{
"Statement": [{
"Sid": "DenyInsecureTransport",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::acme-app/*"],
"Condition": { "Bool": { "aws:SecureTransport": "false" } }
}]
}
Turn on default encryption too
Set SSE (SSE-S3 or SSE-KMS) as the bucket default so objects are encrypted even if a client forgets to ask. It is a one-line bucket setting.

Verify it

bash — confirm the blocklive
aws s3api get-public-access-block --bucket acme-app
all four flags: true
Go deeper in a courseAWS security for DevOps engineersS3, IAM, OIDC federation, and org-wide guardrails.View course

Related posts