How do S3 buckets keep ending up public by accident?
Default settings have tightened, but legacy buckets, overly broad bucket policies, and ACLs set by SDKs still leak data. Block Public Access at the account level is the fix.
AWS now enables "Block Public Access" by default on new buckets, but accounts created years ago, or buckets explicitly opened for a CDN, often stay misconfigured.
Common mistakes: a bucket policy with Principal: "*", an ACL of public-read set by an old SDK, or a CloudFront distribution that bypasses the block.
Turn on Block Public Access at the AWS account level — it overrides any bucket-level setting. Use CloudFront with Origin Access Control for public content instead of opening the bucket.
Run aws s3api get-public-access-block and AWS Config rules (s3-bucket-public-read-prohibited) to catch drift. Many leaks are found by external scanners before the owner notices.
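The checks above can be scripted against the JSON those commands return. The following is an added example, not AWS code: it evaluates a PublicAccessBlock configuration, a bucket policy and a bucket ACL offline, using constructed sample documents (the bucket name, account id and CloudFront distribution id are placeholders). In practice the inputs come from `aws s3api get-public-access-block`, `get-bucket-policy` and `get-bucket-acl`; the Origin Access Control policy shape shown is the standard one, which grants access only to the CloudFront service principal scoped by `AWS:SourceArn`, so it is correctly not flagged.

```python
import json

# The four flags a complete Block Public Access configuration must set to true.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Condition keys that tie an Allow to a specific caller or network path
# rather than to the whole internet (compared case-insensitively).
SCOPING_CONDITION_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourcevpc",
                          "aws:sourcevpce", "aws:principalorgid", "aws:principalarn"}

# ACL grantee groups that mean "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# --- Constructed sample inputs (not real account data) -----------------------
PARTIAL_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

LEGACY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

OAC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontOAC", "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"}}}]})

PUBLIC_READ_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}


def missing_pab_flags(config):
    """Names of Block Public Access flags that are absent or false."""
    return [f for f in PAB_FLAGS if not config.get(f, False)]


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _has_scoping_condition(statement):
    for operator_block in statement.get("Condition", {}).values():
        if any(k.lower() in SCOPING_CONDITION_KEYS for k in operator_block):
            return True
    return False


def public_statements(policy):
    """Sids (or positional labels) of Allow statements granted to everyone without a scoping condition."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given un-wrapped
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if (stmt.get("Effect") == "Allow"
                and _is_wildcard_principal(stmt.get("Principal"))
                and not _has_scoping_condition(stmt)):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(acl):
    """'Group:Permission' labels for ACL grants to the public grantee groups."""
    out = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GRANTEE_URIS.get(grant.get("Grantee", {}).get("URI", ""))
        if group:
            out.append(f"{group}:{grant.get('Permission')}")
    return out


if __name__ == "__main__":
    print("missing PAB flags:", missing_pab_flags(PARTIAL_PAB))
    print("public policy statements:", public_statements(LEGACY_POLICY))
    print("OAC policy findings:", public_statements(OAC_POLICY))
    print("public ACL grants:", public_acl_grants(PUBLIC_READ_ACL))
```

The three checks are deliberately independent: a bucket can be clean on one and exposed on another (a tight policy with a stale `public-read` ACL, or a full PublicAccessBlock at bucket level that an account-level setting has not yet enforced elsewhere), which is why the text recommends the account-level block plus Config rules rather than any single check.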