diff --git a/samples/sample-mono-repo/apps/alpha/template.yml b/samples/sample-mono-repo/apps/alpha/template.yml
index 643a4599c..609cb1e41 100644
--- a/samples/sample-mono-repo/apps/alpha/template.yml
+++ b/samples/sample-mono-repo/apps/alpha/template.yml
@@ -8,3 +8,15 @@ Metadata:
 Resources:
 Bucket:
 Type: AWS::S3::Bucket
+ Properties:
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - ServerSideEncryptionByDefault:
+ SSEAlgorithm: AES256
+ VersioningConfiguration:
+ Status: Enabled
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
diff --git a/samples/sample-mono-repo/apps/beta/template.yml b/samples/sample-mono-repo/apps/beta/template.yml
index d71ca0237..547ee8cde 100644
--- a/samples/sample-mono-repo/apps/beta/template.yml
+++ b/samples/sample-mono-repo/apps/beta/template.yml
@@ -8,3 +8,15 @@ Metadata:
 Resources:
 Bucket:
 Type: AWS::S3::Bucket
+ Properties:
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - ServerSideEncryptionByDefault:
+ SSEAlgorithm: AES256
+ VersioningConfiguration:
+ Status: Enabled
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
diff --git a/src/lambda_codebase/cross_region_bucket/main.py b/src/lambda_codebase/cross_region_bucket/main.py
index 2749397d2..94ea8c394 100644
--- a/src/lambda_codebase/cross_region_bucket/main.py
+++ b/src/lambda_codebase/cross_region_bucket/main.py
@@ -74,6 +74,7 @@ def create_(event: Mapping[str, Any], _context: Any) -> CloudFormationResponse:
 bucket_name_prefix = event["ResourceProperties"]["BucketNamePrefix"]
 bucket_name, created = ensure_bucket(region, bucket_name_prefix)
 ensure_bucket_encryption(bucket_name, region)
+ ensure_bucket_has_no_public_access(bucket_name, region)
 if policy:
 ensure_bucket_policy(bucket_name, region, policy)
 return PhysicalResource(region, bucket_name, created).as_cfn_response()
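Review bot: The new ensure_bucket_has_no_public_access call in create_ is placed before ensure_bucket_policy, and with BlockPublicPolicy enabled S3 rejects a put_bucket_policy whose document grants public access, so a PolicyDocument that S3 classifies as public now surfaces as a custom-resource failure instead of being applied; that ordering is deliberate but nothing says so. Suggest a comment on the added line, `# Must precede ensure_bucket_policy: BlockPublicPolicy makes S3 reject public policies at put time.` The same applies to the identical call added in update_ in the next hunk. create_'s body starts outside the hunk.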
@@ -87,6 +88,7 @@ def update_(event: Mapping[str, Any], _context: Any) -> CloudFormationResponse:
 bucket_name_prefix = event["ResourceProperties"]["BucketNamePrefix"]
 bucket_name, created = ensure_bucket(region, bucket_name_prefix)
 ensure_bucket_encryption(bucket_name, region)
+ ensure_bucket_has_no_public_access(bucket_name, region)
 if policy:
 ensure_bucket_policy(bucket_name, region, policy)
 return PhysicalResource(
@@ -169,6 +171,19 @@ def ensure_bucket_encryption(bucket_name: str, region: str) -> None:
 )
 
 
+def ensure_bucket_has_no_public_access(bucket_name: str, region: str) -> None:
+ s3_client = get_s3_client(region)
+ s3_client.put_public_access_block(
+ Bucket=bucket_name,
+ PublicAccessBlockConfiguration={
+ "BlockPublicAcls": True,
+ "IgnorePublicAcls": True,
+ "BlockPublicPolicy": True,
+ "RestrictPublicBuckets": True,
+ },
+ )
+
+
 def ensure_bucket_policy(bucket_name: str, region: str, policy: MutableMapping) -> None:
 s3_client = get_s3_client(region)
 for action in policy["Statement"]:
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
index c48b3bb0d..3c2802b31 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml
@@ -126,8 +126,13 @@ Resources:
 Status: Enabled
 BucketEncryption:
 ServerSideEncryptionConfiguration:
- - ServerSideEncryptionByDefault:
- SSEAlgorithm: AES256
+ - ServerSideEncryptionByDefault:
+ SSEAlgorithm: AES256
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
 CodeCommitRole:
 Type: AWS::IAM::Role
 Properties:
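Review bot: ensure_bucket_has_no_public_access has no docstring, and the one fact a caller needs is not visible from the call: put_public_access_block replaces the bucket's whole public-access-block configuration rather than merging with it, and it is invoked unconditionally on both the create and update paths, so any public access previously permitted on a pre-existing bucket is revoked on the next stack update. Suggest `"""Enable all four S3 Block Public Access settings on the bucket (idempotent; replaces any existing configuration)."""` as the docstring, matching the one-line style the module's other ensure_ helpers would take. The function is complete within the hunk; ensure_bucket_encryption and ensure_bucket_policy around it are cut at the hunk edges.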
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml
index ea718f537..d28909919 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/regional.yml
@@ -18,6 +18,11 @@ Resources:
 SSEAlgorithm: AES256
 VersioningConfiguration:
 Status: Enabled
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
 DeploymentFrameworkRegionalPipelineBucketPolicy:
 Type: AWS::S3::BucketPolicy
 Properties:
@@ -94,4 +99,4 @@ Outputs:
 Description: The KMSKey used for cross region codepipeline deployments
 Value: !GetAtt DeploymentFrameworkRegionalKMSKey.Arn
 Export:
- Name: !Sub "KMSArn-${AWS::Region}"
\ No newline at end of file
+ Name: !Sub "KMSArn-${AWS::Region}"
diff --git a/src/template.yml b/src/template.yml
index 6c0b03174..86fb74e1e 100644
--- a/src/template.yml
+++ b/src/template.yml
@@ -83,6 +83,19 @@ Resources:
 BootstrapArtifactStorageBucket:
 DeletionPolicy: Retain
 Type: AWS::S3::Bucket
+ Properties:
+ AccessControl: BucketOwnerFullControl
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - ServerSideEncryptionByDefault:
+ SSEAlgorithm: AES256
+ VersioningConfiguration:
+ Status: Enabled
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
 BootstrapTemplatesBucket:
 Type: "AWS::S3::Bucket"
 DeletionPolicy: Retain
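Review bot: The PublicAccessBlockConfiguration with BlockPublicPolicy and RestrictPublicBuckets is added to the bucket that DeploymentFrameworkRegionalPipelineBucketPolicy, the next resource and cut off by the hunk, attaches a policy to, so the stack update fails at that policy resource if any of its statements is one S3 evaluates as public; a wildcard Principal passes only when it is narrowed by a condition key S3 treats as non-public, such as aws:PrincipalOrgID. The policy body is not in the hunk, so this is a pre-deploy check rather than a defect I can confirm. Worth a one-line comment above the new block, `# Block Public Access: the bucket policy below must not contain a statement S3 classifies as public.` The same check applies to the policy-bearing deployment bucket in global.yml and to the buckets in src/template.yml.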
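Review bot: BootstrapArtifactStorageBucket gains AccessControl: BucketOwnerFullControl alongside the new PublicAccessBlockConfiguration; that property sets a legacy canned bucket ACL, which the four block-public-access flags make irrelevant for public grants and which is unnecessary for a bucket the account already owns. It matches the existing BootstrapTemplatesBucket in the following hunk, so if it is kept for parity a comment should say so, e.g. `# Canned ACL kept for parity with BootstrapTemplatesBucket; public ACLs are blocked below.`; otherwise drop the line, or, where supported, express owner-only object ownership with `OwnershipControls` and `ObjectOwnership: BucketOwnerEnforced`, which disables ACLs entirely.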
@@ -90,10 +103,15 @@ Resources:
 AccessControl: BucketOwnerFullControl
 BucketEncryption:
 ServerSideEncryptionConfiguration:
- - ServerSideEncryptionByDefault:
- SSEAlgorithm: AES256
+ - ServerSideEncryptionByDefault:
+ SSEAlgorithm: AES256
 VersioningConfiguration:
 Status: Enabled
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
 LambdaLayerVersion:
 Type: "AWS::Serverless::LayerVersion"
 Properties:
@@ -757,6 +775,7 @@ Resources:
 ServiceToken: !GetAtt CrossRegionBucketHandler.Arn
 Region: !Ref DeploymentAccountMainRegion
 BucketNamePrefix: !Sub "adf-shared-modules-${DeploymentAccountMainRegion}"
+ Version: 3.1.2
 PolicyDocument:
 Statement:
 - Action:
@@ -806,6 +825,7 @@ Resources:
 - s3:DeleteBucket
 - s3:PutEncryptionConfiguration
 - s3:PutBucketPolicy
+ - s3:PutBucketPublicAccessBlock
 Resource: "arn:aws:s3:::adf-shared-modules-*"
 - Effect: Allow
 Action: ssm:GetParameter
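Review bot: The added `Version: 3.1.2` property on the custom resource served by CrossRegionBucketHandler is not read by the handler as far as the visible create_/update_ code shows (only BucketNamePrefix, Region and PolicyDocument are consumed), so it appears to exist solely to change the resource properties and force CloudFormation to invoke update_, which is what applies the new public-access block to the already-existing shared-modules bucket. That mechanism should be stated next to it, otherwise the next maintainer may drop the line or forget to bump it when another bucket setting is added: `# Bump to trigger the custom resource's update handler so new bucket settings reach existing buckets`. The enclosing resource definition starts outside the hunk.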