- Keep S3 Block Public Access ON at the account and bucket level
- Triage IAM Access Analyzer external access findings
- Enforce AWS Config rules:
  - s3-bucket-public-read-prohibited
  - s3-bucket-public-write-prohibited
- Review any new bucket at creation
- Track findings to closure in Jira
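
An added example (not part of the original checklist) of the first item as a check: it reports every Block Public Access setting that is not enabled at the account level or on a bucket. It assumes the inputs are dicts shaped like the S3 `PublicAccessBlockConfiguration` structure; the bucket names and sample values are constructed so the check runs offline.

```python
"""Added example: audit S3 Block Public Access at account and bucket level."""

# The four settings that make up an S3 PublicAccessBlockConfiguration.
PAB_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def missing_flags(config):
    """Return the flags not explicitly True; a None config means none are set."""
    config = config or {}
    return [flag for flag in PAB_FLAGS if config.get(flag) is not True]


def audit_block_public_access(account_config, bucket_configs):
    """Return (scope, flag) gaps: account first, then buckets ordered by name.

    account_config: dict or None; bucket_configs: {bucket_name: dict or None}.
    """
    gaps = [("account", flag) for flag in missing_flags(account_config)]
    for name in sorted(bucket_configs):
        gaps += [(f"bucket:{name}", flag)
                 for flag in missing_flags(bucket_configs[name])]
    return gaps


# Constructed sample data (hypothetical bucket names), standing in for API output.
SAMPLE_ACCOUNT = dict.fromkeys(PAB_FLAGS, True)
SAMPLE_BUCKETS = {
    "example-logs": dict.fromkeys(PAB_FLAGS, True),
    "example-assets": {**dict.fromkeys(PAB_FLAGS, True), "BlockPublicPolicy": False},
    "example-new": None,  # new bucket with no Block Public Access configuration
}

if __name__ == "__main__":
    for scope, flag in audit_block_public_access(SAMPLE_ACCOUNT, SAMPLE_BUCKETS):
        print(f"GAP {scope}: {flag} is not enabled")
```

A bucket with no configuration at all is reported with all four settings missing, which is the case the "review any new bucket at creation" item is meant to catch.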