AWS has announced it would make a few changes to its S3 services. Starting April 2023, all buckets in a region will have S3 Block Public Access enabled and access control lists disabled by default.
AWS added Block Public Access in 2018 and the ability to disable ACLs in 2021 to provide customers more control. In addition, customers can also leverage AWS Identity and Access Management (IAM) policies to manage access.
Both S3 Block Public Access enabled and access control lists (ACLs) disabled were default settings in the console. Starting April 2023, they will become the default for buckets created using the S3 API, S3 CLI, the AWS SDKs, or AWS CloudFormation templates.
However customers who do require applications to have their buckets publicly accessible or use ACLs must deliberately configure their buckets to be public or use ACLs. To configure these settings, they must update automation scripts, AWS CloudFormation templates, or other infra configuration tools.
Microsoft and Google also offers managed storage services with security defaults. For instance, Azure Storage accounts, by default, do not allow public access to containers. The default configuration for an Azure Resource Manager storage account permits a user with appropriate permissions to configure public access to containers and blobs in a storage account. Similarly, public access to Google Cloud Storage buckets can be prevented