Amazon S3 Block Public Access now supports organization-level enforcement
Amazon S3 Block Public Access (BPA) now supports organization-level control through Amazon Organizations, so you can standardize and enforce S3 public access settings across all Amazon Web Services accounts in your organization through a single policy configuration.
S3 Block Public Access at the organization level uses a single configuration that controls all public access settings across accounts within your organization. When you attach the policy at the root or organizational unit (OU) level of your organization, it propagates to all sub-accounts within that scope, and new member accounts automatically inherit the policy. Alternatively, you can apply the policy to specific accounts for more granular control. To get started, navigate to the Amazon Organizations console and use the "Block all public access" checkbox or the JSON editor. Once enabled, the policy applies to your selected accounts without individual account setup. Additionally, you can use Amazon CloudTrail to audit or keep track of policy attachment as well as enforcement for member accounts.
This feature is available in the Amazon Organizations console as well as Amazon CLI/SDK, in all regions where Amazon Organizations and Amazon S3 are supported, with no additional charges. For more information, visit the Amazon Organizations User Guide and Amazon S3 Block Public Access documentation.