I’ve seen it too many times: an S3 bucket accidentally exposed, data spilled, and the clean-up is a nightmare. This isn’t rocket science; it’s basic hygiene.
The fix? Enable S3 Block Public Access at the account level. This is your fail-safe, the guardrail that prevents a simple configuration mistake from becoming a front-page headline. It overrides individual bucket settings, so even if someone tries to make a bucket public, the account-level block stops it cold.
You need to enable all four settings under “Block Public Access settings for this account”: Block public access to buckets and objects granted through new access control lists (ACLs), Block public access to buckets and objects granted through any access control lists (ACLs), Block public access to buckets and objects granted through new public bucket policies, and Block public and cross-account access to buckets and objects through any public bucket policies. No excuses.
If you’re not doing this, you’re leaving the door wide open. Go implement it now.
The fix
# Enable the account-level block (all four settings on)
aws s3control put-public-access-block \
  --account-id "$(aws sts get-caller-identity --query Account --output text)" \
  --public-access-block-configuration \
  BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

# Verify it stuck
aws s3control get-public-access-block \
  --account-id "$(aws sts get-caller-identity --query Account --output text)"
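To confirm the guardrail is actually enforced rather than trusting that someone ran the command, here is an added audit script (not part of the original post). It separates the check from the AWS call: the audit function works on any saved get-public-access-block response, and boto3 is assumed to be installed only for the live lookup.

```python
"""Audit the account-level S3 Block Public Access configuration.

Added example for this post; the audit logic has no AWS dependency,
and boto3 (assumed installed) is only used for the live lookup.
"""
import json

# The four settings CIS 2.1.5 requires, keyed by their API field names
# in PublicAccessBlockConfiguration.
REQUIRED_SETTINGS = {
    "BlockPublicAcls": "block public access granted through new ACLs",
    "IgnorePublicAcls": "ignore public access granted through any ACLs",
    "BlockPublicPolicy": "block new public bucket policies",
    "RestrictPublicBuckets": "restrict public and cross-account access via any public policy",
}


def audit_public_access_block(config):
    """Return the sorted names of settings that are not enforced.

    `config` is the PublicAccessBlockConfiguration dict from
    s3control get-public-access-block, or None when the account has no
    configuration at all (the API raises
    NoSuchPublicAccessBlockConfiguration), in which case every setting
    counts as missing.
    """
    if config is None:
        return sorted(REQUIRED_SETTINGS)
    return sorted(name for name in REQUIRED_SETTINGS if config.get(name) is not True)


def fetch_account_config(account_id):
    """Live lookup via boto3; returns None when nothing is configured."""
    import boto3  # imported here so the audit itself stays offline-friendly
    client = boto3.client("s3control")
    try:
        resp = client.get_public_access_block(AccountId=account_id)
    except client.exceptions.NoSuchPublicAccessBlockConfiguration:
        return None
    return resp["PublicAccessBlockConfiguration"]


if __name__ == "__main__":
    # Constructed sample: an account where only the ACL settings were enabled.
    sample = json.loads('{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true, '
                        '"IgnorePublicAcls": true, "BlockPublicPolicy": false, '
                        '"RestrictPublicBuckets": false}}')
    for name in audit_public_access_block(sample["PublicAccessBlockConfiguration"]):
        print(f"NOT ENFORCED: {name} ({REQUIRED_SETTINGS[name]})")
```

Run the audit against `fetch_account_config(<account id>)` for every account in the organization; any non-empty result is a finding.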
Reference: CIS AWS Foundations Benchmark 2.1.5