Posted On: Dec 13, 2022
Starting in April 2023, Amazon S3 will introduce two new default bucket security settings by automatically enabling S3 Block Public Access and disabling S3 access control lists (ACLs) for all new S3 buckets. Once complete, these defaults will apply to all new buckets regardless of how they are created, including AWS CLI, APIs, SDKs, and AWS CloudFormation. These defaults have been in place for buckets created in the S3 management console since the two features became available in 2018 and 2021, respectively, and are recommended security best practices. There is no change for existing buckets.
Amazon S3 buckets are and always have been private by default. Only the bucket owner can access the bucket or choose to grant access to other users. Amazon S3 added Block Public Access in 2018 to prevent granting public access to S3 buckets, and the ability to disable ACLs in 2021 in favor of using AWS Identity and Access Management (IAM) policies as a simplified and more flexible access control alternative. Since then, millions of customers have adopted these settings as best practices to protect their buckets and simplify their access management. As the new defaults, these settings automatically extend a simplified and secure access management posture to all new S3 buckets.
With these new defaults, the few applications that need their buckets to be publicly accessible or use ACLs must deliberately configure their buckets to be public or use ACLs. In these cases, you may need to update automation scripts, AWS CloudFormation templates, or other infrastructure configuration tools to configure these settings. To learn more about how to prepare for the change, read Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023 in the AWS News Blog or Default access settings for new S3 buckets FAQ in the S3 User Guide.
These new default security settings will apply to all new S3 buckets in all AWS Regions, including the AWS GovCloud Regions and the AWS China Regions. We will publish another What’s New Post when we start to deploy the change in April 2023, and another one when the deployment has reached all AWS Regions. To learn more, visit S3 Block Public Access and S3 Object Ownership in the S3 User Guide. You can also find more information on these two settings in the AWS CloudFormation User Guide (S3 Block Public Access - S3 Object Ownership).