Private‑First Cloud Services: Stop Making S3 Headlines
Set guardrails, not tickets—a paved road for platform and application teams.
We’ve all seen the headline: “Another S3 bucket left exposed.”
It’s almost a meme at this point, but it keeps happening because the easy path wins. A team spins up object storage, leaves the public endpoint in place, tightens IAM, and ships. The plan is to “lock it down later.” Later never comes. The bucket powers more workloads. A contractor grabs a quick link for testing. Someone opens wider access “just for a week.” Then security finds it—or a researcher does—and your brand is in the news.
This isn’t an S3 problem. It’s a defaults problem. And defaults are the enterprise architect’s job.
The story behind the headline
A launch team needs somewhere to land build artifacts and logs.
Public endpoint is the default, tools work out of the box, and the sprint stays on track.
Over a few releases, that “temporary” bucket becomes a dependency for three services and two vendors.
Now changing the access pattern feels risky and expensive, so it gets kicked down the road—until it can’t.
Temporary is the most permanent word in IT.
If the paved road lets teams hit the internet, they will—because it’s fast.
What the enterprise architect actually owns
Not IAM statements. Not DNS records. You own intent, guardrails, and the paved road that makes the secure path the easy path.
Intent: We don’t put managed service data planes on the public internet.
Guardrails: Public exposure is a time‑boxed exception with compensating controls and a named owner.
Paved road: One motion that gives teams storage (or any managed service) with private access, stable names, and logging—no extra tickets required.
When those three are true, “private‑first” stops being a slogan and becomes a habit.
Make private‑first the paved road
Day 1 decisions you publish and enforce:
Connectivity posture: Private by default across clouds. Public requires an expiry date and a plan to retire it.
Front door rule: Third‑party ingress lands at the enterprise front door (API gateway + WAF + token exchange), never straight to storage or queues.
Identity posture: Service‑to‑service calls use workload identity or federated roles. No shared keys.
Proof controls: Flow logs at the private boundary and data access audit trails are mandatory.
Exception hygiene: Quarterly review of waivers; anything without a date or owner expires automatically.
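The Day 1 decisions above are the kind of thing a preventive org policy can check mechanically: public exposure needs a named owner and an expiry, proof controls are mandatory, and anything without a date or owner should expire on its own. The following is an added example, not code from the article; it assumes a hypothetical inventory export shaped like `SAMPLE_INVENTORY` (names and dates are constructed), and it runs in "report-only" mode to surface drift or in "enforce" mode to return the resources that would be blocked.

```python
"""Guardrail evaluator for private-first managed services (added example).

Assumes a hypothetical inventory export with the fields in ManagedService;
a real CSPM or asset-inventory feed would need a mapping step first.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class ManagedService:
    name: str
    public_endpoint: bool
    flow_logs: bool                        # flow logs at the private boundary
    data_access_audit: bool                # data access audit trail enabled
    waiver_owner: Optional[str] = None     # named owner of the public-exposure waiver
    waiver_expires: Optional[date] = None  # time box for the exception


# Constructed sample inventory; names and dates are illustrative only.
SAMPLE_INVENTORY = [
    ManagedService("artifacts-bucket", public_endpoint=False, flow_logs=True,
                   data_access_audit=True),
    ManagedService("legacy-logs-bucket", public_endpoint=True, flow_logs=True,
                   data_access_audit=True, waiver_owner="platform-team",
                   waiver_expires=date(2024, 3, 31)),
    ManagedService("vendor-export-bucket", public_endpoint=True, flow_logs=False,
                   data_access_audit=True, waiver_owner=None,
                   waiver_expires=date(2030, 1, 1)),
    ManagedService("ci-queue", public_endpoint=True, flow_logs=True,
                   data_access_audit=False),
]


def evaluate(svc: ManagedService, today: date) -> List[str]:
    """Return the guardrail violations for one service; an empty list means conformant."""
    findings: List[str] = []
    if svc.public_endpoint:
        # Public exposure is only acceptable as a time-boxed exception with a named owner.
        if svc.waiver_owner is None or svc.waiver_expires is None:
            findings.append("public endpoint without a dated, owned waiver")
        elif svc.waiver_expires < today:
            findings.append(f"waiver expired on {svc.waiver_expires.isoformat()}")
    # Proof controls are mandatory regardless of exposure.
    if not svc.flow_logs:
        findings.append("flow logs missing at private boundary")
    if not svc.data_access_audit:
        findings.append("data access audit trail missing")
    return findings


def run_policy(inventory: List[ManagedService], today: date,
               mode: str = "report-only") -> Tuple[Dict[str, List[str]], List[str]]:
    """Evaluate every service.

    "report-only" returns the drift report and blocks nothing;
    "enforce" additionally returns the names that fail and would be blocked.
    """
    report = {svc.name: evaluate(svc, today) for svc in inventory}
    blocked = [name for name, f in report.items() if f] if mode == "enforce" else []
    return report, blocked


def run_sample(as_of: str, mode: str = "enforce") -> Tuple[Dict[str, List[str]], List[str]]:
    """Convenience wrapper over the constructed inventory; as_of is an ISO date string."""
    return run_policy(SAMPLE_INVENTORY, date.fromisoformat(as_of), mode)


if __name__ == "__main__":
    report, blocked = run_sample("2024-06-01", mode="enforce")
    for name, findings in report.items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print("would block:", blocked)
```

Running the same evaluator in report-only mode for a few weeks before switching to enforce is what turns the policy into a paved road rather than a surprise: teams see their own drift before anything is blocked, and the waiver-expiry rule retires "temporary" exceptions without a ticket.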
What the platform team needs from you:
A two‑page standard and pre‑approved patterns—“in‑cloud private access to object storage,” “on‑prem to cloud over a private path,” “external webhook → front door → internal service.” Each pattern has a diagram, constraints, SLO notes, and cost flags. No speeds and feeds.
What application teams need from you:
A drop‑in module or template that stands up the service with private connectivity and DNS the same way, in every environment. If using the paved road is as easy as clicking “public,” they’ll use it.
Run the ARB like a product, not a police stop
In review, you’re checking pattern conformance and blast radius, not line‑by‑line configs. Ask:
Does the workload use an approved private pattern for its data class?
If a credential is compromised, what stops lateral movement?
Are we using the cheapest private primitive that meets the need, or over‑engineering the path?
If someone is asking for public, what’s the business reason, what are the compensating controls, and when does it end?
Leave the resource‑level wiring to platform. Keep the board focused on risk, cost, and speed.
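The first ARB question, whether the workload uses an approved private pattern, is one the platform team can answer from the resource's own policy document rather than from a conversation. The block below is an added example, not the article's or any vendor's code: a small linter for S3-style bucket policies that flags Allow statements granting access to a wildcard principal without a condition that pins the caller to a private path, plus the matching paved-road policy that denies everything not arriving through a VPC endpoint. The set of "restricting" condition keys is a deliberate simplification of AWS's full public-access rules, and the bucket name and endpoint ID are placeholders.

```python
"""Bucket-policy linter for the ARB private-pattern check (added example).

The RESTRICTING_KEYS list is an assumption chosen for this example; AWS's own
definition of "public" is broader and should be consulted for production use.
"""
import json
from typing import Any, Dict, List, Set, Union

# Condition keys that pin a wildcard-principal grant to a private or org-owned source.
RESTRICTING_KEYS = {"aws:SourceVpce", "aws:SourceVpc", "aws:PrincipalOrgID", "aws:PrincipalAccount"}
_RESTRICTING_LOWER = {k.lower() for k in RESTRICTING_KEYS}


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def _restricting_keys(condition: Any) -> Set[str]:
    """Collect restricting condition keys across all operators, case-insensitively."""
    found: Set[str] = set()
    for operator_values in (condition or {}).values():
        for key in operator_values:
            if key.lower() in _RESTRICTING_LOWER:
                found.add(key)
    return found


def public_statements(policy: Union[str, Dict[str, Any]]) -> List[str]:
    """Return the Sid (or index) of each statement that exposes the bucket publicly."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may appear un-listed
        stmts = [stmts]
    offenders: List[str] = []
    for i, st in enumerate(stmts):
        if st.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        if _restricting_keys(st.get("Condition")):
            continue
        offenders.append(st.get("Sid", f"statement[{i}]"))
    return offenders


def private_only_policy(bucket: str, vpce_id: str) -> Dict[str, Any]:
    """Paved-road policy: deny every request that does not arrive via the named VPC endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromVpce",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


# Constructed sample: a private grant via VPC endpoint next to the "just for a week"
# public read from the article's story. Bucket and endpoint IDs are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowFromVpcEndpoint", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-artifacts/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
        {"Sid": "TemporaryPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-artifacts/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-artifacts/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    print("public statements in sample:", public_statements(SAMPLE_POLICY))
    print("public statements in paved-road policy:",
          public_statements(private_only_policy("example-artifacts", "vpce-PLACEHOLDER")))
```

Two practical notes on the paved-road policy: a blanket deny on everything outside the VPC endpoint also locks out console and break-glass access, so a real module carves out an administrative principal (for example with an additional `aws:PrincipalArn` condition) and pairs the policy with the account-level public access block; and the linter is a conformance check for the board, not a substitute for the cloud provider's own public-access evaluation.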
Edge cases—decide them before they decide you
Payments/logistics webhooks: Must land at the front door. No direct writes to storage or queues.
Vendor SaaS that needs to read your data: Use brokered, time‑limited access with full logging.
Cross‑org partners: Treat partners as the internet; give them a dedicated ingress pattern.
Regions without private endpoints: Either block the region or grant a dated exception with a migration plan.
What “good” looks like in 90 days
Week 2: Standard and pattern catalog are published. Preventive org policies start in “report‑only” to surface drift.
Week 6: Paved‑road modules ship. One greenfield and one brownfield team are piloting.
Week 9: Preventive policies move to enforce for new resources. A risk‑ordered migration plan exists for anything public today. ARB is reviewing exceptions with real expiry dates.
Metrics you share with leadership:
Coverage: percent of services on approved private patterns (by environment and LOB).
Exposure trend: number of internet‑reachable services (trending down).
Time to approve: median ARB turnaround for paved‑road workloads (target: <3 business days).
Incident correlation: security findings tied to public endpoints (declining).
Cost transparency: added private connectivity cost vs. avoided incidents/audit effort (told in plain English).
Bottom line
Private‑first isn’t a networking preference. It’s basic hygiene that keeps your company out of the headlines and your teams out of rework. If the paved road makes “private by default” the quickest way to ship, your application teams won’t reach for the internet in the first place. That’s how you protect the brand and keep velocity.
Want help establishing your governance model for paved roads? Reach out by replying to this email or email me at keith@advbench.com. I offer an asynchronous annual subscription, allowing you to validate your thinking or help flesh out the ideas.