Posted On: Dec 14, 2022

Starting in April 2023, Amazon S3 will introduce two new default bucket security settings by automatically enabling S3 Block Public Access and disabling S3 access control lists (ACLs) for all new S3 buckets. Once complete, these defaults will apply to all new buckets regardless of how they are created, including Amazon CLI, APIs, SDKs, and Amazon CloudFormation. These defaults have been in place for buckets created in the S3 management console since the two features became available in 2018 and 2021, respectively, and are recommended security best practices. There is no change for existing buckets.

Amazon S3 buckets are and always have been private by default. Only the bucket owner can access the bucket or choose to grant access to other users. Amazon S3 added Block Public Access in 2018 to prevent granting public access to S3 buckets, and the ability to disable ACLs in 2021 in favor of using Amazon Identity and Access Management (IAM) policies as a simplified and more flexible access control alternative. Since then, millions of customers have adopted these settings as best practices to protect their buckets and simplify their access management. As the new defaults, these settings automatically extend a simplified and secure access management posture to all new S3 buckets.

With these new defaults, the few applications that need their buckets to be publicly accessible or use ACLs must deliberately configure their buckets to be public or use ACLs. In these cases, you may need to update automation scripts, Amazon CloudFormation templates, or other infrastructure configuration tools to configure these settings.

These new security configurations will apply to all new S3 buckets in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. We will publish another What’s New Post when we start to deploy the change in April 2023, and another one when the deployment has reached all Amazon Web Services Regions. To learn more, visit S3 Block Public Access and S3 Object Ownership in the S3 User Guide. You can also find more information on these two settings in the Amazon CloudFormation User Guide (S3 Block Public Access - S3 Object Ownership).