Preventing Data Leaks with S3 Block Public Access

Naveen Teja

2/27/2026

One of the most common causes of massive data breaches is accidentally misconfigured Amazon S3 buckets. An engineer might apply a permissive bucket policy or ACL during testing, inadvertently exposing sensitive PII or corporate data to the public internet.

To combat this, AWS introduced S3 Block Public Access. This feature acts as an account-level or bucket-level override: when enabled, it preemptively blocks any public access granted through ACLs or bucket policies, so a single human error does not turn into a data leak.

In Terraform, applying this security control is mandatory for any private bucket. You provision an `aws_s3_bucket_public_access_block` resource, point its `bucket` argument at the bucket's ID, and set all four blocking parameters to true. This effectively seals the bucket from outside access, regardless of individual object permissions.

s3-public-access-block.tf
# The bucket the public access block is attached to; referenced below by ID.
resource "aws_s3_bucket" "private_data" {
  bucket = "private-data-example-bucket"
}

resource "aws_s3_bucket_public_access_block" "secure_storage" {
  bucket = aws_s3_bucket.private_data.id

  block_public_acls       = true # reject new public ACLs on the bucket and its objects
  block_public_policy     = true # reject bucket policies that grant public access
  ignore_public_acls      = true # ignore any public ACLs that already exist
  restrict_public_buckets = true # limit access to AWS principals even if the policy is public
}
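Applying the resource is only half the job; a practitioner also wants to find buckets where the control was never applied or was only partly set. The following audit is an added example, not code from the original post: `missing_settings` and `audit_buckets` run offline against a constructed sample, and `fetch_public_access_blocks` (assumed to run with boto3 installed and AWS credentials allowing `s3:ListAllMyBuckets` and `s3:GetBucketPublicAccessBlock`) gathers the same data from a live account.

```python
# Added example, not from the original post: audit S3 buckets for the four
# Block Public Access settings, named as the S3 API returns them.
REQUIRED_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                     "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample input: bucket name -> PublicAccessBlockConfiguration,
# or None when no public access block configuration exists for the bucket.
SAMPLE_BUCKETS = {
    "private-data": dict.fromkeys(REQUIRED_SETTINGS, True),
    "legacy-uploads": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "scratch-bucket": None,
}

def missing_settings(config):
    """Return the settings that are absent or false (None means all four are unset)."""
    if config is None:
        return list(REQUIRED_SETTINGS)
    return [name for name in REQUIRED_SETTINGS if not config.get(name, False)]

def audit_buckets(buckets):
    """Map each bucket to its missing settings; fully sealed buckets are omitted."""
    findings = {}
    for name, config in buckets.items():
        gaps = missing_settings(config)
        if gaps:
            findings[name] = gaps
    return findings

def fetch_public_access_blocks():
    """Collect live configurations; assumes boto3 plus credentials allowing
    s3:ListAllMyBuckets and s3:GetBucketPublicAccessBlock."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    result = {}
    for bucket in s3.list_buckets()["Buckets"]:
        try:
            resp = s3.get_public_access_block(Bucket=bucket["Name"])
            result[bucket["Name"]] = resp["PublicAccessBlockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            result[bucket["Name"]] = None  # the control was never applied here
    return result

if __name__ == "__main__":
    for bucket, gaps in audit_buckets(SAMPLE_BUCKETS).items():
        print(f"{bucket}: missing {', '.join(gaps)}")
```

Replace `SAMPLE_BUCKETS` with `fetch_public_access_blocks()` to audit a real account; any bucket listed in the output is one the Terraform resource above has not sealed.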