Posted On: Nov 6, 2022

Starting on March 1, 2023, Amazon S3 will change the default security configuration for all new S3 buckets. For new buckets created after this date, S3 Block Public Access will be enabled, and S3 access control lists (ACLs) will be disabled. These defaults are the recommended best practices for securing data in Amazon S3.

Amazon S3 buckets have always been private by default. Any bucket access outside the account must be explicitly authorized by the bucket owner. To simplify the application of bucket security best practices, Amazon S3 launched Block Public Access in 2018 and the ability to disable ACLs in 2021. S3 Block Public Access prevents inadvertently granting public access to an S3 bucket. ACLs were the original method to control access to S3 objects, and since 2011, S3 buckets have supported access control using Amazon Identity and Access Management (IAM) policies. By disabling ACLs, you simplify access control using only IAM-based bucket policies. With the updates to default bucket configuration, new S3 buckets will have Block Public Access enabled and ACLs disabled.

The majority of S3 use cases need neither public access nor ACLs. For most customers, no action is required. Customers who have use cases for public bucket access or the use of ACLs will be able to disable Block Public Access or enable ACLs after they create an S3 bucket. In these cases, you may need to update automation scripts, Amazon CloudFormation templates, or other infrastructure configuration tools to configure these settings.

These new security configurations will have no additional cost, and will apply to all new S3 buckets in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more, visit S3 Block Public Access and S3 Object Ownership in the S3 User Guide. You can also find more information on these two settings in the Amazon CloudFormation User Guide (S3 Block Public Access - S3 Object Ownership).