S3 data protection
Block Public Access, TLS/encryption policies, Object Lock.
S3 is where most AWS data breaches happen, and almost always through misconfiguration rather than a broken control. The defenses are layered and, applied together, make an accidental public object nearly impossible.
Block Public Access is the backstop
Account-level Block Public Access overrides any bucket ACL or policy that would grant public access — turn it on for the whole account so a single misconfigured bucket cannot leak. Below it, prefer bucket policies over legacy ACLs (disable ACLs entirely with Object Ownership = BucketOwnerEnforced), and write policies that require TLS (aws:SecureTransport) and the expected encryption on every put.
{"Version": "2012-10-17","Statement": [{ "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*","Action": "s3:*", "Resource": ["arn:aws:s3:::acme-data","arn:aws:s3:::acme-data/*"],"Condition": { "Bool": { "aws:SecureTransport": "false" } } },{ "Sid": "DenyUnencryptedPuts", "Effect": "Deny", "Principal": "*","Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-data/*","Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" } } }]}
Encryption, cost, and integrity
SSE-KMS gives you governance SSE-S3 cannot — key policy, decrypt audit, revocation — and S3 Bucket Keys cut the KMS request cost by reducing per-object calls. For data that must never be silently altered, enable Object Lock (WORM) with a retention period; it is also what makes a bucket a trustworthy audit-log sink. VPC gateway endpoints keep S3 traffic off the public internet, and access-point policies scope access per application without one giant bucket policy.