Set Up S3 Bucket
Production-grade.
Overview
Production-grade S3 buckets ship with encryption at rest, versioning, public-access block, and lifecycle policies on day one. Defaults that are tolerable for one bucket are unsafe at scale: a recurring class of data-leak headlines is an S3 bucket someone left world-readable. AWS has tightened the defaults for newly created buckets (public-access block on and ACLs disabled since April 2023, SSE-S3 encryption of new objects since January 2023), but older buckets, account-level settings, versioning and lifecycle still need to be set explicitly. The discipline is making the right defaults the only defaults the team can ship.
- Production-grade defaults. Encryption at rest, versioning, public-access block, lifecycle. The combination that prevents the recurring incidents.
- Encryption. SSE-S3 minimum; SSE-KMS with a customer-managed key for sensitive data, because it adds key-level access control and CloudTrail records of every key use. Most compliance frameworks expect encryption at rest.
- Versioning. Protects against accidental deletion or overwrite; a deleted object becomes a delete marker and the previous version can be restored. It does not stop a principal with permission to delete versions; Object Lock or MFA delete covers that case.
- Public-access block plus lifecycle. Account-wide and per-bucket public-access block prevents accidental exposure; lifecycle rules transition old objects to Glacier storage classes, expire objects past their retention period, and clean up noncurrent versions that versioning would otherwise keep forever.
The approach
Three habits make S3 buckets safe by default: Terraform-managed so every change is reviewable, public-access block enforced at the account level with encryption defaults set on every bucket, and lifecycle policies configured before the first object lands.
- Terraform-managed. AWS provider creates the bucket. Configuration in source control; drift caught at next plan.
- Encryption default. SSE-S3 minimum; SSE-KMS for sensitive data. The per-bucket choice, and the key it uses, is documented in the Terraform alongside the bucket.
- Versioning on. Default for production buckets. Recovery from accidental deletion comes free; the noncurrent versions it accumulates are bounded by a lifecycle rule.
- Public-access block plus day-one lifecycle. Account-level block plus per-bucket block, so a single permissive bucket policy cannot undo the protection; lifecycle transitions and expirations configured before ingest starts, because adding them later means deciding the fate of data already in place.
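The four habits above as one Terraform configuration. This is an added example, not code from the original page; it uses the split per-setting resources of the hashicorp/aws provider (v4 and later). The bucket name, KMS alias, and the retention periods (90-day transition, two-year expiry, one-year retention of noncurrent versions) are assumptions to replace with the team's own policy.

```hcl
# Added example: a production-grade bucket with the defaults described above.
# Names and retention periods are assumptions, not values from the page.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# Account-level block: applies to every bucket in the account, including ones
# created outside Terraform. Apply this once per account.
resource "aws_s3_account_public_access_block" "account" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Customer-managed key for SSE-KMS; rotation on so compliance checks pass.
resource "aws_kms_key" "data" {
  description         = "Key for the prod-data bucket (assumed name)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "data" {
  bucket = "example-org-prod-data" # assumed name
}

# Per-bucket block as well, so the bucket stays safe if the account-level
# setting is ever relaxed for another workload.
resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Default encryption: every PUT without an explicit SSE header uses this key.
# bucket_key_enabled cuts KMS request volume (and cost) for busy buckets.
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_versioning" "data" {
  bucket = aws_s3_bucket.data.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Lifecycle, configured before the first object lands. The noncurrent-version
# rules are what keep versioning from growing storage without bound.
resource "aws_s3_bucket_lifecycle_configuration" "data" {
  bucket     = aws_s3_bucket.data.id
  depends_on = [aws_s3_bucket_versioning.data]

  rule {
    id     = "tier-then-expire"
    status = "Enabled"
    filter {} # empty filter: applies to every object in the bucket

    transition {
      days          = 90 # assumed
      storage_class = "GLACIER"
    }
    expiration {
      days = 730 # assumed: two-year retention for current versions
    }
    noncurrent_version_transition {
      noncurrent_days = 30 # assumed
      storage_class   = "GLACIER"
    }
    noncurrent_version_expiration {
      noncurrent_days = 365 # assumed: one year to notice a bad overwrite
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7 # orphaned parts are billed but invisible
    }
  }
}

# Bucket policy: refuse plaintext (non-TLS) access to the bucket.
resource "aws_s3_bucket_policy" "data" {
  bucket = aws_s3_bucket.data.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.data.arn, "${aws_s3_bucket.data.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```

To make these the only defaults the team can ship, wrap everything from the KMS key down in a module whose inputs are the bucket name and retention periods, and require new buckets to come from that module. The `depends_on` on the lifecycle resource is deliberate: S3 rejects noncurrent-version rules on a bucket whose versioning is not yet enabled, and without the ordering hint a first apply can fail intermittently.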
Why this compounds
Each correctly-configured bucket ships with safety the team does not have to remember. Cost efficiency, recovery posture, and exposure protection all come from defaults; new buckets inherit the conventions.
- Exposure risk drops. Public-access block prevents the accidental-public-bucket incident class.
- Cost efficiency. Lifecycle policies tier and expire automatically. Storage cost stays predictable.
- Recovery posture. Versioning supports rollback after accidental delete or overwrite.
- Year-one investment, year-two habit. The first bucket is the investment: getting the resources, ordering and retention choices right takes review. Once those settle into a module, every later bucket inherits the defaults without discussion.