diff --git a/public/README.md b/public/README.md
index dc99fb7..73b26fb 100644
--- a/public/README.md
+++ b/public/README.md
@@ -1,7 +1,8 @@
# About aws-s3 :: public
This submodule allows you to create a public S3 bucket using the standard prefixes and settings under the
-rare condition that a public bucket is approved for use.
+rare condition that a public bucket is approved for use. It sets `bucket_public_policy` to false, and forces the use of
+SS3-S3 encryption.
# Usage
To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off.
@@ -14,10 +15,8 @@ module "my-bucket" {
bucket_name = "my-public-bucket"
access_log_bucket = "my-logbucket"
- # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
## optional
- # kms_policy_document = data.aws_iam_policy_document.my-policy.json
# bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
# bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json
# name_include_account = true
@@ -148,8 +147,8 @@ No modules.
| [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
| [allowed\_cidr](#input\_allowed\_cidr) | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no |
| [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no |
-| [block\_public\_acls](#input\_block\_public\_acls) | S3 Public block setting to block public ACLs | `bool` | n/a | yes |
-| [block\_public\_policy](#input\_block\_public\_policy) | S3 Public block setting to block public policy | `bool` | n/a | yes |
+| [block\_public\_acls](#input\_block\_public\_acls) | S3 Public block setting to block public ACLs | `bool` | `true` | no |
+| [block\_public\_policy](#input\_block\_public\_policy) | S3 Public block setting to block public policy | `bool` | `false` | no |
| [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no |
| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `true` | no |
| [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
@@ -160,7 +159,7 @@ No modules.
| [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no |
| [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
| [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
-| [ignore\_public\_acls](#input\_ignore\_public\_acls) | S3 Public block setting to ignore public ACLs | `bool` | n/a | yes |
+| [ignore\_public\_acls](#input\_ignore\_public\_acls) | S3 Public block setting to ignore public ACLs | `bool` | `true` | no |
| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no |
| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no |
@@ -174,7 +173,7 @@ No modules.
| [object\_lock\_enabled](#input\_object\_lock\_enabled) | Flag to enable object lock. This can only be set on bucket creation. See AWS documentation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html | `bool` | `false` | no |
| [override\_prefixes](#input\_override\_prefixes) | Map of strings to override prefixes such as s3 and kms. Recommended ONLY for advanced useage (say, for inf* things) | `map(string)` | `{}` | no |
| [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
-| [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | S3 Public block setting to restrict public buckets | `bool` | n/a | yes |
+| [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | S3 Public block setting to restrict public buckets | `bool` | `true` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access. Enforced to FALSE for public buckets | `bool` | `false` | no |
| [versioning](#input\_versioning) | Flag to enable ot disable bucket versioning. This may be used for the standard submodule, but it is ignored for title26 (enforced to be enabled) | `bool` | `false` | no |
diff --git a/public/main.tf b/public/main.tf
index dfb2b8e..e98d6c6 100644
--- a/public/main.tf
+++ b/public/main.tf
@@ -2,7 +2,8 @@
* # About aws-s3 :: public
*
* This submodule allows you to create a public S3 bucket using the standard prefixes and settings under the
-* rare condition that a public bucket is approved for use.
+* rare condition that a public bucket is approved for use. It sets `bucket_public_policy` to false, and forces the use of
+* SS3-S3 encryption.
*
* # Usage
* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off.
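Review bot: The added sentence names a variable `bucket_public_policy` that does not appear in this module; the public-block input set out in public/variables.s3_public_block.tf is `block_public_policy`, so an operator searching for the setting by the documented name will not find it. The same sentence also writes `SS3-S3 encryption`, which looks like a typo for SSE-S3 (the `use_kms_encryption` input row in the README spells it "SSE-S3 (AES256)"). I would change the two lines to `* rare condition that a public bucket is approved for use. It sets `block_public_policy` to false, and forces the use of` / `* SSE-S3 encryption.`. The identical wording is added to public/README.md in the first hunk of that file and should be corrected there as well, since that file appears to be generated from this header comment.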
@@ -15,10 +16,8 @@
*
* bucket_name = "my-public-bucket"
* access_log_bucket = "my-logbucket"
-* # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
*
* ## optional
-* # kms_policy_document = data.aws_iam_policy_document.my-policy.json
* # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
* # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json
* # name_include_account = true
diff --git a/public/variables.s3_public_block.tf b/public/variables.s3_public_block.tf
index 373ede1..377f5b7 100644
--- a/public/variables.s3_public_block.tf
+++ b/public/variables.s3_public_block.tf
@@ -1,24 +1,24 @@
variable "block_public_acls" {
description = "S3 Public block setting to block public ACLs"
type = bool
- defualt = true
+ default = true
}
variable "block_public_policy" {
description = "S3 Public block setting to block public policy"
type = bool
- defualt = false
+ default = false
}
variable "ignore_public_acls" {
description = "S3 Public block setting to ignore public ACLs"
type = bool
- defualt = true
+ default = true
}
variable "restrict_public_buckets" {
description = "S3 Public block setting to restrict public buckets"
type = bool
- defualt = true
+ default = true
}
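Review bot: Fixing `defualt` to `default` changes the module's effective contract — these four inputs were previously required (the README showed them as `n/a | yes`) and now silently take values, so the descriptions should say what the chosen defaults mean for a public bucket. `block_public_policy = false` is the one setting that permits a public bucket policy to be attached, and its description reads the same as the others; I would extend it to something like `description = "S3 Public block setting to block public policy. Defaults to false in this submodule so the approved public bucket policy can be attached."`. Separately, and worth confirming against AWS Block Public Access semantics, `restrict_public_buckets = true` as I understand it limits access under a public bucket policy to AWS service principals and authorized users in the account, which would appear to defeat the purpose of the public submodule; if that combination is intentional (for example, only `block_public_policy` is meant to be relaxed and callers override the rest), the description or the header comment in public/main.tf should state it so a reviewer does not read the four defaults as contradictory.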