AWS recently announced two changes to Amazon Simple Storage Service (Amazon S3). All buckets in a region have S3 block public access enabled and access control lists (ACLs) disabled by default. These changes will take effect in April 2023 and will be rolled out by the company in all AWS Regions in the coming weeks.
Amazon S3 is AWS’s managed object storage service, and its S3 buckets and objects are always private by default. The company added blocking public access in 2018, and in 2021 he added the ability to disable ACLs, giving customers more control. In addition, customers can also leverage his AWS Identity and Access Management (IAM) policies to manage access.
Both S3 Block Public Access enabled and Access Control List (ACL) disabled were the default settings in the console. Starting April 2023, these will be the defaults for buckets created using the S3 API, S3 CLI, AWS SDKs, or AWS CloudFormation templates.
Source: https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
With these new defaults, customers who want their applications to make their buckets publicly accessible or use ACLs must intentionally configure their buckets to be public or use ACLs. Configuring these settings requires updating your automation scripts, AWS CloudFormation templates, or other infrastructure configuration tools.
Other public cloud providers Microsoft and Google also offer managed storage services with security defaults. For example, Azure storage accounts don’t allow public access to containers by default. However, the default configuration of an Azure Resource Manager storage account allows users with appropriate permissions to configure public access to containers and blobs within the storage account. Similarly, you can prevent public access to your Google Cloud Storage buckets.
Ann IT & Infosec Consultantwith respect to the default, murmured:
It usually makes it easier to do the right thing and usually harder to do the wrong thing.
Additionally, a respondent in the Reddit thread commented:
Good security to make it the default. I hope many lab blogs will update this procedure. Otherwise, many new AWS users will be confused while learning. I’ve seen too many labs using public buckets.
Finally, check out our FAQ page for more information on the changes.
