AWS Security ChangesHomeSearch

AWS AmazonS3 high security documentation change

Service: AmazonS3 · 2025-11-28 · Security-related high

File: AmazonS3/latest/userguide/access-control-block-public-access.md

Summary

Added documentation about managing Block Public Access at AWS Organizations level, including policy inheritance rules and enforcement hierarchy between organization/account/bucket levels

Security assessment

The changes explicitly document security controls for preventing public access misconfigurations across organizations. The added organization-level enforcement ('override account-level settings' and 'most restrictive policy' application) directly addresses potential security gaps in multi-account environments. This helps prevent accidental public exposure through centralized policy management, a critical security consideration for S3 buckets.

Diff

diff --git a/AmazonS3/latest/userguide/access-control-block-public-access.md b/AmazonS3/latest/userguide/access-control-block-public-access.md
index 13beffd6d..668f7d608 100644
--- a//AmazonS3/latest/userguide/access-control-block-public-access.md
+++ b//AmazonS3/latest/userguide/access-control-block-public-access.md
@@ -5 +5 @@
-Block public access settingsPerforming block public access operations on an access pointThe meaning of "public"Using IAM Access Analyzer for S3 to review public bucketsPermissionsConfiguring block public access
+Block public access settingsManaging block public access at organization levelPerforming block public access operations on an access pointThe meaning of "public"Using IAM Access Analyzer for S3 to review public bucketsPermissionsConfiguring block public access
@@ -9 +9 @@ Block public access settingsPerforming block public access operations on an acce
-The Amazon S3 Block Public Access feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don't allow public access. However, users can modify bucket policies, access point policies, or object permissions to allow public access. S3 Block Public Access settings override these policies and permissions so that you can limit public access to these resources. 
+The Amazon S3 Block Public Access feature provides settings for access points, buckets, accounts, and AWS Organizations to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don't allow public access. However, users can modify bucket policies, access point policies, or object permissions to allow public access. S3 Block Public Access settings override these policies and permissions so that you can limit public access to these resources. 
@@ -11 +11 @@ The Amazon S3 Block Public Access feature provides settings for access points, b
-With S3 Block Public Access, account administrators and bucket owners can easily set up centralized controls to limit public access to their Amazon S3 resources that are enforced regardless of how the resources are created.
+With S3 Block Public Access, organization administrators, account administrators, and bucket owners can easily set up centralized controls to limit public access to their Amazon S3 resources that are enforced regardless of how the resources are created.
@@ -13 +13 @@ With S3 Block Public Access, account administrators and bucket owners can easily
-For instructions on configuring public block access, see Configuring block public access.
+You can manage Block Public Access settings at multiple levels: organization level (using AWS Organizations), account level, and bucket and access point level. For instructions on configuring public block access, see Configuring block public access.
@@ -15 +15 @@ For instructions on configuring public block access, see Configuring block publi
-When Amazon S3 receives a request to access a bucket or an object, it determines whether the bucket or the bucket owner's account has a block public access setting applied. If the request was made through an access point, Amazon S3 also checks for block public access settings for the access point. If there is an existing block public access setting that prohibits the requested access, Amazon S3 rejects the request. 
+When Amazon S3 receives a request to access a bucket or an object, it determines whether the bucket or the bucket owner's account has a block public access setting applied. If the account is part of an AWS Organizations with Block Public Access policies, Amazon S3 also checks for organization-level settings. If the request was made through an access point, Amazon S3 also checks for block public access settings for the access point. If there is an existing block public access setting that prohibits the requested access, Amazon S3 rejects the request. 
@@ -17 +17 @@ When Amazon S3 receives a request to access a bucket or an object, it determines
-Amazon S3 Block Public Access provides four settings. These settings are independent and can be used in any combination. Each setting can be applied to an access point, a bucket, or an entire AWS account. If the block public access settings for the access point, bucket, or account differ, then Amazon S3 applies the most restrictive combination of the access point, bucket, and account settings. 
+Amazon S3 Block Public Access provides four settings. These settings are independent and can be used in any combination. Each setting can be applied to an access point, a bucket, or an entire AWS account. At the organization level, all four settings are applied together as a unified policy - you cannot select individual settings granularly. If the block public access settings for the access point, bucket, or account differ, then Amazon S3 applies the most restrictive combination of the access point, bucket, and account settings. Account-level settings automatically inherit organization-level policies when present, and S3 takes the most restrictive policy between bucket-level and effective account-level settings. For example, if your organization has a Block Public Access policy enabled, but a specific bucket has Block Public Access disabled at the bucket level, the bucket will still be protected because S3 applies the more restrictive organization/account-level settings. Conversely, if your organization policy is disabled but a bucket has Block Public Access enabled, that bucket remains protected by its bucket-level settings. 
@@ -19 +19 @@ Amazon S3 Block Public Access provides four settings. These settings are indepen
-When Amazon S3 evaluates whether an operation is prohibited by a block public access setting, it rejects any request that violates an access point, bucket, or account setting.
+When Amazon S3 evaluates whether an operation is prohibited by a block public access setting, it rejects any request that violates an organization policy (which enforces the account BPA setting) or an access point, bucket, or account setting.
@@ -23 +23 @@ When Amazon S3 evaluates whether an operation is prohibited by a block public ac
-Public access is granted to buckets and objects through access control lists (ACLs), access point policies, bucket policies, or all. To help ensure that all of your Amazon S3 access points, buckets, and objects have their public access blocked, we recommend that you turn on all four settings for block public access for your account. Additionally, we recommend that you also turn on all four settings for each bucket to comply with AWS Security Hub Foundational Security Best Practices control S3.8. These settings block public access for all current and future buckets and access points. 
+Public access is granted to buckets and objects through access control lists (ACLs), access point policies, bucket policies, or all. To help ensure that all of your Amazon S3 access points, buckets, and objects have their public access blocked, we recommend that you turn on all four settings for block public access for your account. For organizations managing multiple accounts, consider using organization-level Block Public Access policies for centralized control. Additionally, we recommend that you also turn on all four settings for each bucket to comply with AWS Security Hub Foundational Security Best Practices control S3.8. These settings block public access for all current and future buckets and access points. 
@@ -38 +38 @@ Enabling Block Public Access helps protect your resources by preventing public a
-  * You can enable block public access settings only for access points, buckets, and AWS accounts. Amazon S3 doesn't support block public access settings on a per-object basis.
+  * You can enable block public access settings only for organizations, access points, buckets, and AWS accounts. Amazon S3 doesn't support block public access settings on a per-object basis.
@@ -41,0 +42,2 @@ Enabling Block Public Access helps protect your resources by preventing public a
+  * When you apply organization-level block public access policies, they automatically propagate to selected member accounts and override account-level settings.
+
@@ -48,0 +51,2 @@ Enabling Block Public Access helps protect your resources by preventing public a
+  * Managing block public access at organization level
+
@@ -68 +72,12 @@ Enabling Block Public Access helps protect your resources by preventing public a
-S3 Block Public Access provides four settings. You can apply these settings in any combination to individual access points, buckets, or entire AWS accounts. If you apply a setting to an account, it applies to all buckets and access points that are owned by that account. Similarly, if you apply a setting to a bucket, it applies to all access points associated with that bucket.
+S3 Block Public Access provides four settings. You can apply these settings in any combination to individual access points, buckets, or entire AWS accounts. At the organization level, you can only enable or disable all four settings together using an "all" or "none" approach - granular control over individual settings is not available. If you apply a setting to an account, it applies to all buckets and access points that are owned by that account. Account-level settings automatically inherit from organization policies when present. Similarly, if you apply a setting to a bucket, it applies to all access points associated with that bucket.
+
+The policy inheritance and enforcement works as follows:
+
+  * Organization-level policies automatically apply to member accounts, enforcing any existing account-level settings
+
+  * Account-level setting inherit from organization policies when present, or use locally configured settings when no organization policy exists
+
+  * Bucket-level settings operate independently but are subject to enforcement restrictions. S3 applies the most restrictive combination across all applicable levels - organization/account-level and bucket-level settings. This means a bucket inherits the baseline protection from its account (which may be organization-managed), but S3 will enforce whichever configuration is more restrictive between the bucket's settings and the account's effective settings.
+
+
+
@@ -105,0 +121,6 @@ To use this setting effectively, we recommend that you apply it at the _account_
+## Managing block public access at organization level
+
+Organization-level block public access uses AWS Organizations policies to centrally manage S3 public access controls across your entire organization. When enabled, these policies automatically apply to selected accounts and override individual account-level settings.
+
+For additional information on block public access at an organization level, see [S3 policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_s3.html) in the _AWS Organizations user guide_.
+