25th April 2023

Amazon S3 best practice security changes for new buckets

In April 2023 Amazon S3 will change the default security configuration for all new S3 buckets, making buckets private by default across all creation mechanisms
AWS S3 Cloud Storage

Amazon S3 will automatically enable S3 Block Public Access and disable Access Control Lists

Amazon S3 (Simple Storage Service) is a cloud storage service offered by Amazon Web Services. It offers customers a secure, cost-effective and highly scalable solution for storing and managing data. With Amazon S3, customers can store and access any amount of data from anywhere in the world, with low latency and high durability, particularly when paired with content delivery through CloudFront. S3 provides customers with a range of features, such as versioning, encryption, access control and lifecycle management, and offers a variety of storage classes, allowing customers to choose the best option for their data and budget.

We use S3 extensively for almost all our web projects, particularly within serverless solutions and for permanent off-instance storage for applications using load balanced EC2 instances.

What are the changes for S3 buckets?

In December 2022, Amazon announced that from April 2023, all new S3 buckets created through any means would be made private by default, with S3 Block Public Access being enabled, and S3 access control lists (ACLs) being disabled.

These defaults were already in place for S3 buckets created via the AWS Console, however CloudFormation and other means such as the AWS CLI, APIs and SDKs required these settings to be provided explicitly on creation of the bucket. This update by Amazon brings all the mechanisms of creating S3 buckets in line with the same default settings.

Why are Amazon changing the default settings for S3 buckets?

In short, to make S3 even more secure. By ensuring customers explicitly specify buckets as public, it reduces the likelihood that a bucket is accidentally created in a way that allows public access. Amazon have also noted that "The majority of S3 use cases do not need public access or ACLs" - an observation that is likely backed by their ability to analyse the usage patterns across the entire S3 ecosystem.

How this S3 change affects us

The majority of our use-cases for S3 buckets are private - used for data storage in ETL systems or for storage of dynamic documents created by web applications and accessed using IAM Role permissions. Furthermore the majority of our buckets are created via CloudFormation, so in most cases we are already explicity configuring our non-public security settings for S3 buckets within our CloudFormation templates. Nevertheless, we'll review our existing codebases during our regular maintenance operations and bear these AWS S3 changes in mind for our next new web application development.

Schedule of S3 security changes

The annoucement from AWS provides only a general timeline: - "The changes will begin to go into effect in April and will be rolled out to all AWS Regions within weeks.".

Read more about S3 Bucket security changes at the offical AWS blog page: https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/

Do you have any thoughts on this article? Get in touch: hello@sinovi.uk

About the author

James Galley

An AWS-certified developer, James architects and produces cloud-based web applications using Amazon Web Services. Recent projects include high-throughput event driven applications using Kinesis and DynamoDB, fully serverless web applications powered by AWS Lambda and high-performance static sites deployed to S3.

Profile image of James Galley
contact us

We're here to help

Contact us to learn more about our AWS support, management and infrastructure services.

We're a software development and cloud consultancy, operating as an outsourced technology partner for businesses - building, hosting and maintaining functional web based applications in the AWS cloud with trusted web technologies.

Discuss your next project