AWS Security
Enforce S3 Public Access Block Settings with Service Control Policies
Learn how to use AWS Service Control Policies to prevent the modification of S3 Public Access Block settings, ensuring your buckets remain protected from public exposure across your entire organization.
Cloud Associates
This Service Control Policy (SCP) provides a critical security guardrail by preventing users from disabling S3 Public Access Block settings at both the bucket and account levels. By denying the PutBucketPublicAccessBlock and PutAccountPublicAccessBlock actions, this policy ensures that once public access protections are enabled, they cannot be turned off by anyone within the affected AWS accounts.
Public S3 buckets are one of the most common sources of data breaches and security incidents in cloud environments. Attackers actively scan for publicly accessible buckets containing sensitive information, and accidental misconfigurations can expose confidential data to the internet within seconds. This SCP acts as a preventive control that operates at the organisational level, making it impossible for individual users or roles to weaken your security posture, even if they have administrative permissions within their accounts.
The key benefits of implementing this policy include:
- Preventing Data Breaches: Eliminates the risk of accidental or intentional public exposure of sensitive data stored in S3
- Compliance Enforcement: Helps meet regulatory requirements that mandate data protection and access controls
- Defense in Depth: Adds an organisational-level control that works alongside bucket policies and IAM permissions
- Audit and Governance: Demonstrates security best practices during audits and security assessments
- Reduced Risk Surface: Protects against insider threats and compromised credentials that might otherwise disable security controls
This policy should be applied to AWS organisational units or accounts where S3 buckets should never be publicly accessible, which typically includes production environments and accounts handling sensitive data.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutBucketPublicAccessBlock",
        "s3:PutAccountPublicAccessBlock"
      ],
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}
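To see which API calls the guardrail above actually blocks before attaching it to an OU, the following added example (not code from the original post) evaluates the policy offline with the subset of SCP logic that matters here: an explicit Deny in any SCP wins, otherwise some Allow must match, with wildcard matching on the Action element. The sample actions are constructed for illustration; the FullAWSAccess policy mirrors the AWS-managed default that every OU carries unless it has been detached.

```python
import fnmatch
import json

# The SCP exactly as shown in the post.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock"],
    "Resource": "*",
    "Effect": "Deny"
  }]
}""")

# AWS attaches this Allow-all SCP to every OU by default (assumed still present).
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _matches(pattern, action):
    # IAM action names are matched case-insensitively and support '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), str(pattern).lower())


def scp_allows(action, policies):
    """True if the combined SCPs permit `action`.

    Explicit Deny wins over any Allow; with no matching Allow the action is
    implicitly denied. Conditions and NotAction are not modelled because the
    post's policy uses neither. SCPs never apply to the management account.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = stmt["Action"]
            if isinstance(patterns, str):
                patterns = [patterns]
            if any(_matches(p, action) for p in patterns):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    # Note the first two rows: the Deny also blocks the call that would *enable*
    # Public Access Block, so turn it on in every account before attaching the SCP.
    for action in ("s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock",
                   "s3:GetBucketPublicAccessBlock", "s3:PutBucketPolicy"):
        verdict = "allowed" if scp_allows(action, [FULL_AWS_ACCESS, SCP]) else "DENIED"
        print(f"{action:<36} {verdict}")
```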