diff --git a/secrets-provider/aws/README.md b/secrets-provider/aws/README.md
index 1878dde9b..dc0310e01 100644
--- a/secrets-provider/aws/README.md
+++ b/secrets-provider/aws/README.md
@@ -64,7 +64,7 @@ pulumi up --yes
 Previewing update (aws-kms):
 Type Name Plan
 + pulumi:pulumi:Stack pulumi-aws-kms-aws-kms create
- + ├─ aws:s3:Bucket bucket create
+ + ├─ aws:s3:BucketV2 bucket create
 + └─ aws:s3:BucketObject secret create
 Resources:
@@ -73,7 +73,7 @@ Resources:
 Updating (aws-kms):
 Type Name Status
 + pulumi:pulumi:Stack pulumi-aws-kms-aws-kms created
- + ├─ aws:s3:Bucket bucket created
+ + ├─ aws:s3:BucketV2 bucket created
 + └─ aws:s3:BucketObject secret created
 Outputs:
@@ -100,9 +100,3 @@ pulumi up --yes
 error: getting secrets manager: secrets (code=Unknown): InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
 status code: 400, request id: 35ff51c6-ef88-4c06-9146-361231b8fd4a
 ```
-
-
-
-
-
-
diff --git a/secrets-provider/aws/index.ts b/secrets-provider/aws/index.ts
index cd5132008..abb887ec2 100644
--- a/secrets-provider/aws/index.ts
+++ b/secrets-provider/aws/index.ts
@@ -10,12 +10,36 @@ const config = new pulumi.Config();
 const bucketName = config.require('bucketName');
 const secretValue = config.requireSecret('secretValue');
+export function configureACL(bucketName: string, bucket: aws.s3.BucketV2, acl: string): aws.s3.BucketAclV2 {
+ const ownership = new aws.s3.BucketOwnershipControls(bucketName, {
+ bucket: bucket.bucket,
+ rule: {
+ objectOwnership: "BucketOwnerPreferred",
+ }
+ });
+ const publicAccessBlock = new aws.s3.BucketPublicAccessBlock(bucketName, {
+ bucket: bucket.bucket,
+ blockPublicAcls: false,
+ blockPublicPolicy: false,
+ ignorePublicAcls: false,
+ restrictPublicBuckets: false,
+ });
+ const bucketACL = new aws.s3.BucketAclV2(bucketName, {
+ bucket: bucket.bucket,
+ acl: acl,
+ }, {
+ dependsOn: [ownership, publicAccessBlock]
+ });
+ return bucketACL;
+}
+
 // Create a private bucket
-const bucket = new aws.s3.Bucket("bucket", {
+const bucket = new aws.s3.BucketV2("bucket", {
 bucket: bucketName,
- acl: "private",
 });
+configureACL("bucket", bucket, "private");
+
 // Create an object from the secret value
 const superSecretObject = new aws.s3.BucketObject("secret", {
 bucket: bucket.id,
diff --git a/secrets-provider/vault/README.md b/secrets-provider/vault/README.md
index e6c5ee086..38c64af0c 100644
--- a/secrets-provider/vault/README.md
+++ b/secrets-provider/vault/README.md
@@ -68,7 +68,7 @@ pulumi up --yes
 Previewing update (vault-kms):
 Type Name Plan
 + pulumi:pulumi:Stack pulumi-vault-kms-vault-kms create
- + ├─ aws:s3:Bucket bucket create
+ + ├─ aws:s3:BucketV2 bucket create
 + └─ aws:s3:BucketObject secret create
 Resources:
@@ -77,7 +77,7 @@ Resources:
 Updating (aws-kms):
 Type Name Status
 + pulumi:pulumi:Stack pulumi-vault-kms-vault-kms created
- + ├─ aws:s3:Bucket bucket created
+ + ├─ aws:s3:BucketV2 bucket created
 + └─ aws:s3:BucketObject secret created
 Outputs:
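Review bot: `configureACL` switches off all four S3 Block Public Access guards (`blockPublicAcls`, `blockPublicPolicy`, `ignorePublicAcls` and `restrictPublicBuckets` all set to `false`) on the bucket the comment calls private and that holds the secret object; a `private` canned ACL does not require the block to be disabled, so this only removes the safety net that would reject a later public ACL or bucket policy. Set the four flags to `true`, or drop the `BucketPublicAccessBlock` resource and its `dependsOn` entry altogether, and keep the `BucketOwnershipControls` dependency, which is what actually lets `BucketAclV2` apply the ACL. The parameter `bucketName` shadows the module-level `bucketName` read from config while the call site passes the Pulumi resource name `"bucket"`; renaming it `resourceName` would make that distinction explicit. The same function appears with the same settings in the `secrets-provider/vault/index.ts` hunk and needs the same changes.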
@@ -99,7 +99,7 @@ You'll notice the secret value is also omitted from the output!
 A quick way to verify if the encryption is using the Vault key is to remove your `VAULT_SERVER_TOKEN` environment variable setting:
 ```bash
-unset
+unset
 pulumi up --yes
 error: getting secrets manager: secrets (code=Unknown): Error making API request.
@@ -108,8 +108,3 @@ Code: 400. Errors:
 * missing client token
 ```
-
-
-
-
-
diff --git a/secrets-provider/vault/index.ts b/secrets-provider/vault/index.ts
index cd5132008..121481353 100644
--- a/secrets-provider/vault/index.ts
+++ b/secrets-provider/vault/index.ts
@@ -10,12 +10,36 @@ const config = new pulumi.Config();
 const bucketName = config.require('bucketName');
 const secretValue = config.requireSecret('secretValue');
+function configureACL(bucketName: string, bucket: aws.s3.BucketV2, acl: string): aws.s3.BucketAclV2 {
+ const ownership = new aws.s3.BucketOwnershipControls(bucketName, {
+ bucket: bucket.bucket,
+ rule: {
+ objectOwnership: "BucketOwnerPreferred",
+ }
+ });
+ const publicAccessBlock = new aws.s3.BucketPublicAccessBlock(bucketName, {
+ bucket: bucket.bucket,
+ blockPublicAcls: false,
+ blockPublicPolicy: false,
+ ignorePublicAcls: false,
+ restrictPublicBuckets: false,
+ });
+ const bucketACL = new aws.s3.BucketAclV2(bucketName, {
+ bucket: bucket.bucket,
+ acl: acl,
+ }, {
+ dependsOn: [ownership, publicAccessBlock]
+ });
+ return bucketACL;
+}
+
 // Create a private bucket
-const bucket = new aws.s3.Bucket("bucket", {
+const bucket = new aws.s3.BucketV2("bucket", {
 bucket: bucketName,
- acl: "private",
 });
+configureACL("bucket", bucket, "private");
+
 // Create an object from the secret value
 const superSecretObject = new aws.s3.BucketObject("secret", {
 bucket: bucket.id,