Beginning in April 2023, AWS will implement two default security settings for all new S3 buckets, automatically enabling S3 Block Public Access and disabling S3 access control lists (ACLs).
Once completed, the settings will apply to all new buckets created using the AWS CLI, APIs, SDKs, or AWS CloudFormation, regardless of how they were generated.
The settings became available in 2018 and 2021 and have been applied by default for buckets created in the S3 management console since. They’re considered security best practices. Existing buckets will not be affected.
Privacy is key
By default, Amazon S3 buckets have always been private and will remain private. Only the bucket owner has access to the bucket unless they provide access to other users.
AWS launched Block Public Access in 2018 to limit public access to S3 buckets. ACLs were disabled by default in 2021 in favour of AWS Identity and Access Management (IAM) rules as a more straightforward and adaptable access control approach.
Millions of users have since embraced these configurations as best practices for protecting their buckets and simplifying access control, AWS said.
All AWS regions
The settings automatically extend a streamlined and reliable access management strategy to all new S3 buckets. Under the new defaults, the few apps that require their buckets to be openly available or use ACLs require an admin to configure the settings manually.
Users may need to update AWS CloudFormation templates, automation scripts and other infrastructure setup tools to adjust to the change. The default security settings will apply to all new S3 buckets created in all AWS regions from April 2023.