> Permission Checks – The S3 Console now displays a prominent indicator next to each S3 bucket that is publicly accessible.
> Default Encryption – You can now mandate that all objects in a bucket must be stored in encrypted form without having to construct a bucket policy that rejects objects that are not encrypted.
Given how many companies lost data through misconfigured S3 buckets, and how easy it is to do, these two seem like a good idea.
Companies should be using auto-remediation with AWS Config and Lambda to detect any S3 bucket that is publicly available and immediately remove that access unless the bucket is whitelisted. An indicator is nice, but if your policy doesn't exist as code, it doesn't exist.
Disclaimer: We built this at my current org to prevent people from cutting their fingers off with self-service S3 access across application development teams.
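An added example of the kind of Config-rule Lambda the comment above describes; it is not the commenter's code and not anything published by AWS. It assumes a custom AWS Config rule scoped to `AWS::S3::Bucket` that invokes the handler on configuration changes, an allowlist passed in the hypothetical `PUBLIC_BUCKET_ALLOWLIST` environment variable, and remediation by enabling S3 Block Public Access plus resetting the bucket ACL to private (Block Public Access post-dates the announcement quoted here; the original setup would have had to strip ACL grants and policies directly). The decision logic is separated from the AWS calls so it can be tested offline; the constructed sample at the bottom shows it on a world-readable ACL.

```python
import json
import os

# Assumption: comma-separated names of buckets that are allowed to be public.
ALLOWLIST = {b.strip() for b in os.environ.get("PUBLIC_BUCKET_ALLOWLIST", "").split(",") if b.strip()}

# ACL group URIs that make a bucket readable/writable by anyone (or any AWS account).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_is_public(acl):
    """True if any grant in a get_bucket_acl response targets AllUsers/AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            return True
    return False


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_is_public(policy_text):
    """True if an Allow statement grants to Principal '*' with no Condition.

    Deliberately conservative: a wildcard statement guarded by a Condition
    (e.g. aws:SourceVpce) is not auto-remediated here and needs human review.
    """
    if not policy_text:
        return False
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return any(
        s.get("Effect") == "Allow" and _principal_is_wildcard(s.get("Principal")) and "Condition" not in s
        for s in statements
    )


def bucket_is_public(acl, policy_text, public_access_block):
    """Combine the three signals; a fully enabled Block Public Access overrides the rest."""
    pab = public_access_block or {}
    if all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")):
        return False
    return acl_is_public(acl) or policy_is_public(policy_text)


def decide(bucket, acl, policy_text, public_access_block, allowlist=ALLOWLIST):
    """Return (compliance, remediate, annotation); allowlisted buckets are reported but never touched."""
    if not bucket_is_public(acl, policy_text, public_access_block):
        return "COMPLIANT", False, "no public access"
    if bucket in allowlist:
        return "COMPLIANT", False, "public bucket is allowlisted"
    return "NON_COMPLIANT", True, "public access detected; remediated"


def lambda_handler(event, context):
    """Entry point for a change-triggered AWS Config custom rule on AWS::S3::Bucket."""
    import boto3  # imported here so the decision logic above runs without boto3 installed
    from botocore.exceptions import ClientError

    item = json.loads(event["invokingEvent"])["configurationItem"]
    bucket = item["resourceName"]
    s3 = boto3.client("s3")

    if item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, remediate, annotation = "NOT_APPLICABLE", False, "bucket deleted"
    else:
        acl = s3.get_bucket_acl(Bucket=bucket)
        try:
            policy_text = s3.get_bucket_policy(Bucket=bucket)["Policy"]
        except ClientError as e:  # no policy attached is the normal case, not an error
            if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy_text = None
        try:
            pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
        except ClientError as e:
            if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = None
        compliance, remediate, annotation = decide(bucket, acl, policy_text, pab)

    if remediate:
        # Lock the bucket down; the private ACL also drops existing AllUsers grants.
        s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
        s3.put_bucket_acl(Bucket=bucket, ACL="private")

    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


if __name__ == "__main__":
    # Constructed sample: a bucket with an AllUsers READ grant and no Block Public Access.
    sample_acl = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                              "Permission": "READ"}]}
    print(decide("scratch-uploads", sample_acl, None, None, allowlist={"public-website-assets"}))
```

The remediation step is intentionally blunt: anything public and not on the list gets locked, and the evaluation still reaches Config so the event is visible in the compliance timeline. Policies that are public only under a Condition are left alone by design and should surface as findings rather than be silently rewritten.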