aws-s3: blockPublicAccess has a counterintuitive behaviour #32811
Description
Describe the bug
When a bucket is created without specifying the blockPublicAccess property:
    const myBucket = new Bucket(this, "MyBucket");
It is equivalent to explicitly setting all BlockPublicAccess options to true:
    const myBucket = new Bucket(this, "MyBucket", {
      blockPublicAccess: new BlockPublicAccess({
        blockPublicAcls: true,
        ignorePublicAcls: true,
        blockPublicPolicy: true,
        restrictPublicBuckets: true,
      }),
    });
This might lead you to assume that all BlockPublicAccess options default to true. However, that's not the case. For example, if you deploy a bucket like this:
    const myBucket = new Bucket(this, "MyBucket", {
      blockPublicAccess: new BlockPublicAccess({
        blockPublicPolicy: false,
        restrictPublicBuckets: false,
      }),
    });
You would get this configuration:
This happens because all options within BlockPublicAccess are undefined by default, which is equivalent to false.
This behavior is counterintuitive. If you do not define blockPublicAccess, all options default to true. However, if you define a BlockPublicAccess, any unspecified options default to false.
This seemingly paradoxical situation stems from a change introduced a couple of years ago.
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Version
No response
Expected Behavior
see above.
Current Behavior
see above.
Reproduction Steps
see above.
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.174.1
Framework Version
No response
Node.js Version
22.12.0
OS
Ubuntu 24.04.1
Language
TypeScript
Language Version
No response
Other information
No response
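An added example, not part of the original issue or the CDK code base: a check over a synthesized CloudFormation template that reports buckets whose PublicAccessBlockConfiguration is present but leaves any of the four options unset or false, which is the case the issue describes. The function name, the sample template and its logical IDs are constructed, and the example assumes that unspecified options are simply omitted from the synthesized properties.

```typescript
// Added example. The four option names are the CloudFormation property names
// under AWS::S3::Bucket PublicAccessBlockConfiguration.
const FLAGS = ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"] as const;

interface Template {
  Resources?: Record<string, { Type: string; Properties?: Record<string, unknown> }>;
}
type Finding = { logicalId: string; notEnforced: string[] };

// Hypothetical helper: returns one finding per bucket with a partial block.
function auditPublicAccessBlocks(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== "AWS::S3::Bucket") continue;
    const pab = res.Properties?.["PublicAccessBlockConfiguration"] as Record<string, unknown> | undefined;
    // No block defined: per the issue this behaves as all four options true.
    if (pab === undefined) continue;
    // Block defined: an omitted option behaves as false, so only a literal
    // `true` counts. Intrinsics such as Fn::If are reported for manual review.
    const notEnforced = FLAGS.filter((flag) => pab[flag] !== true);
    if (notEnforced.length > 0) findings.push({ logicalId, notEnforced });
  }
  return findings;
}

// Constructed sample template (assumption: unspecified options are omitted).
const sampleTemplate: Template = {
  Resources: {
    DefaultBucket: { Type: "AWS::S3::Bucket" },
    FullBucket: {
      Type: "AWS::S3::Bucket",
      Properties: { PublicAccessBlockConfiguration: {
        BlockPublicAcls: true, IgnorePublicAcls: true, BlockPublicPolicy: true, RestrictPublicBuckets: true } },
    },
    PartialBucket: {
      Type: "AWS::S3::Bucket",
      Properties: { PublicAccessBlockConfiguration: { BlockPublicPolicy: false, RestrictPublicBuckets: false } },
    },
    AclsOnlyBucket: {
      Type: "AWS::S3::Bucket",
      Properties: { PublicAccessBlockConfiguration: { BlockPublicAcls: true, IgnorePublicAcls: true } },
    },
    Topic: { Type: "AWS::SNS::Topic" },
  },
};

console.log(JSON.stringify(auditPublicAccessBlocks(sampleTemplate), null, 2));
```

Run against the JSON that synthesis produces, a non-empty result can fail a CI step before deployment.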