Deploy VPC Block Public Access across AWS Organizations
Networking & Content Delivery Blog
This article explains how to deploy VPC Block Public Access (BPA) across AWS Organizations using declarative policies for centralized security management.
- VPC BPA prevents unauthorized public internet access to VPC resources organization-wide
- Declarative policies enforce baseline configurations automatically across all accounts
- Assess current environment using account status reports and Network Access Analyzer first
- Create exclusions at VPC/subnet level before enabling BPA to prevent traffic disruption
- Choose internet gateway mode: block_ingress or block_bidirectional based on security needs
- Attach policy to organization root or specific OUs for gradual rollout
- Verify enforcement shows "Managed by Declarative Policy" in VPC settings
- Use VPC Flow Logs to monitor blocked traffic and identify legitimate exclusion needs
- Start with non-production OUs before expanding to production environments
This approach provides enterprise-scale VPC security with centralized control, automatic enforcement on new accounts, and reduced operational overhead.
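The steps above (choose a block mode, attach the declarative policy, then watch VPC Flow Logs for traffic the policy rejected) can be exercised with the following added example. It is not code from the AWS blog post. The policy document uses the `ec2_attributes` / `vpc_block_public_access` / `internet_gateway_block` attribute path with the `@@assign` operator of the Organizations declarative policy syntax; the flow-log field layout (`FLOW_LOG_FORMAT`), the sample records, and the exclusion threshold are constructed assumptions for this example, and the `reject-reason` field carrying the value `BPA` is assumed to be enabled in a custom flow-log format.

```python
"""Build a VPC Block Public Access declarative policy and triage flow logs.

Added example, not code from the AWS post. Assumptions are marked inline.
"""
import json
from collections import Counter

# Internet gateway block modes accepted by the declarative policy attribute.
VALID_MODES = ("off", "block_ingress", "block_bidirectional")


def build_bpa_policy(mode, exclusions_allowed=True):
    """Return a DECLARATIVE_POLICY_EC2 document that enforces VPC BPA.

    exclusions_allowed=True keeps the door open for per-VPC/subnet exclusions,
    which the post recommends creating before enabling BPA.
    """
    if mode not in VALID_MODES:
        raise ValueError("mode must be one of %r, got %r" % (VALID_MODES, mode))
    return {
        "ec2_attributes": {
            "vpc_block_public_access": {
                "internet_gateway_block": {
                    "mode": {"@@assign": mode},
                    "exclusions_allowed": {
                        "@@assign": "enabled" if exclusions_allowed else "disabled"
                    },
                }
            }
        }
    }


# ASSUMED custom flow-log format for this example (field order is ours).
FLOW_LOG_FORMAT = ("interface-id", "subnet-id", "vpc-id", "srcaddr", "dstaddr",
                   "dstport", "protocol", "action", "reject-reason")

# CONSTRUCTED sample records: BPA rejects on two subnets plus a non-BPA reject.
SAMPLE_FLOW_LOG = """\
eni-0aaa subnet-0pub subnet-vpc-0prod-placeholder 203.0.113.10 10.0.1.20 443 6 REJECT BPA
eni-0aaa subnet-0pub subnet-vpc-0prod-placeholder 198.51.100.7 10.0.1.20 443 6 REJECT BPA
eni-0bbb subnet-0pub subnet-vpc-0prod-placeholder 203.0.113.44 10.0.1.21 22 6 REJECT -
eni-0ccc subnet-0priv subnet-vpc-0prod-placeholder 10.0.2.5 10.0.1.20 5432 6 ACCEPT -
eni-0ddd subnet-0api subnet-vpc-0prod-placeholder 192.0.2.9 10.0.3.9 443 6 REJECT BPA
"""


def parse_flow_log(text):
    """Parse space-separated flow-log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_LOG_FORMAT):
            continue
        records.append(dict(zip(FLOW_LOG_FORMAT, parts)))
    return records


def bpa_rejects_by_subnet(records):
    """Count flows rejected specifically by BPA, keyed by (subnet, dstport).

    A REJECT without reason 'BPA' came from a security group or NACL and is
    not evidence that an exclusion is needed.
    """
    counts = Counter()
    for r in records:
        if r["action"] == "REJECT" and r["reject-reason"] == "BPA":
            counts[(r["subnet-id"], r["dstport"])] += 1
    return counts


def exclusion_candidates(records, threshold=2):
    """Subnets whose BPA-rejected volume reaches the threshold; review these
    for legitimate public traffic before creating an exclusion."""
    per_subnet = Counter()
    for (subnet, _port), n in bpa_rejects_by_subnet(records).items():
        per_subnet[subnet] += n
    return sorted(s for s, n in per_subnet.items() if n >= threshold)


if __name__ == "__main__":
    print(json.dumps(build_bpa_policy("block_ingress"), indent=2))
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("BPA rejects:", dict(bpa_rejects_by_subnet(recs)))
    print("exclusion candidates:", exclusion_candidates(recs))
```

The policy document from `build_bpa_policy` is what you would pass as the content of an Organizations policy of type `DECLARATIVE_POLICY_EC2` before attaching it to a non-production OU first, as the post advises; the flow-log triage separates BPA rejects from ordinary security-group or NACL rejects so that exclusions are created only where blocked traffic is actually legitimate.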
Related articles
- Nov 19, 2024: Enhancing VPC Security with Amazon VPC Block Public Access
- Jun 10, 2026: Best practices for securing your IPv6 infrastructure on AWS using VPC Block Public Access
- Nov 19, 2024: AWS announces Block Public Access for Amazon Virtual Private Cloud
- Nov 26, 2025: Amazon S3 Block Public Access now supports organization-level enforcement