diff --git a/packages/@aws-cdk/aws-codepipeline/lib/private/cross-region-support-stack.ts b/packages/@aws-cdk/aws-codepipeline/lib/private/cross-region-support-stack.ts
index 8072bf422dbc4..9ab45f8942436 100644
--- a/packages/@aws-cdk/aws-codepipeline/lib/private/cross-region-support-stack.ts
+++ b/packages/@aws-cdk/aws-codepipeline/lib/private/cross-region-support-stack.ts
@@ -77,6 +77,7 @@ export class CrossRegionSupportConstruct extends Construct {
       bucketName: cdk.PhysicalName.GENERATE_IF_NEEDED,
       encryption: encryptionAlias ? s3.BucketEncryption.KMS : s3.BucketEncryption.KMS_MANAGED,
       encryptionKey: encryptionAlias,
+      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
     });
   }
 }
diff --git a/packages/@aws-cdk/aws-codepipeline/test/cross-env.test.ts b/packages/@aws-cdk/aws-codepipeline/test/cross-env.test.ts
index 337a110a35b0f..f26de209ecaf9 100644
--- a/packages/@aws-cdk/aws-codepipeline/test/cross-env.test.ts
+++ b/packages/@aws-cdk/aws-codepipeline/test/cross-env.test.ts
@@ -129,7 +129,14 @@ describe.each([
 
         // THEN
         expect(supportStack).not.toHaveResource('AWS::KMS::Key');
-        expect(supportStack).toHaveResource('AWS::S3::Bucket');
+        expect(supportStack).toHaveResourceLike('AWS::S3::Bucket', {
+          PublicAccessBlockConfiguration: {
+            BlockPublicAcls: true,
+            BlockPublicPolicy: true,
+            IgnorePublicAcls: true,
+            RestrictPublicBuckets: true,
+          },
+        });
       });
 
       test('when twiddling another stack', () => {