diff --git a/main.tf b/main.tf
index 4a538cb..594d018 100644
--- a/main.tf
+++ b/main.tf
@@ -37,6 +37,11 @@ variable "force_destroy" {
 default = true
 }
 
+# ensure bucket access is "Bucket and objects not public"
+variable "block_public_access" {
+ default = true
+}
+
 # bucket for storing tf state
 resource "aws_s3_bucket" "bucket" {
 bucket = "tf-state-${var.application}"
@@ -64,6 +69,17 @@ resource "aws_s3_bucket" "bucket" {
 }
 }
 
+# explicitly block public access
+resource "aws_s3_bucket_public_access_block" "bucket" {
+ count = var.block_public_access ? 1 : 0
+
+ bucket = aws_s3_bucket.bucket.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
 # lookup the role arn
 data "aws_iam_role" "role" {
 name = var.role
diff --git a/readme.md b/readme.md
index e6c4bf0..aa21db9 100644
--- a/readme.md
+++ b/readme.md
@@ -10,6 +10,7 @@ Useful for creating a common bucket naming convention and attaching a bucket pol
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | application | the application that will be using this remote state | string | - | yes |
+| block\_public\_access | ensure bucket access is "Bucket and objects not public" | bool | `true` | no |
 | multipart\_days | | string | `3` | no |
 | multipart\_delete | incomplete multipart upload deletion | string | `true` | no |
 | role | the primary role that will be used to access the tf remote state | string | - | yes |
@@ -34,7 +35,7 @@ provider "aws" {
 }
 
 module "tf_remote_state" {
- source = "github.com/turnerlabs/terraform-remote-state?ref=v3.1.0"
+ source = "github.com/turnerlabs/terraform-remote-state?ref=v4.0.0"
 role = "aws-ent-prod-devops"
 application = "my-test-app"
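Review bot: The new `variable "block_public_access"` declares only a default, so a caller can pass a string such as `"false"` or any other value and Terraform will still accept it; the readme documents this input as `bool`, and the variable should enforce that rather than rely on the `? 1 : 0` coercion downstream. I would add `type = bool` and a `description = "ensure bucket access is \"Bucket and objects not public\""` line inside the block so `terraform validate` rejects a non-boolean and the readme table matches the code. The surrounding `variable "force_destroy"` block starts before this hunk.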
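Review bot: `count = var.block_public_access ? 1 : 0` makes the guard all-or-nothing: a caller who sets the variable to false does not get a weaker public-access block, they get no `aws_s3_bucket_public_access_block` at all on the state bucket, and nothing in the module records that choice. A one-line comment on the `count` line, `# false removes the public access block entirely; the bucket then relies on ACLs/policy alone`, would make that trade-off explicit to consumers. Separately, the readme says this module attaches a bucket policy; if that `aws_s3_bucket_policy` resource (not in this hunk) is created in the same apply, the two S3 bucket-configuration calls can run concurrently and the policy write may be rejected with a conflicting-operation error, so consider adding `depends_on = [aws_s3_bucket_public_access_block.bucket]` on the policy resource or the reverse dependency here. I cannot confirm the policy resource's name from this diff, so treat that as something to verify against the rest of main.tf.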