diff --git a/util/org-multi-account/ProwlerS3.yaml b/util/org-multi-account/ProwlerS3.yaml
index c9d39c02..17b9f8b3 100644
--- a/util/org-multi-account/ProwlerS3.yaml
+++ b/util/org-multi-account/ProwlerS3.yaml
@@ -9,13 +9,16 @@ Parameters:
 This is used to restrict permissions to least privilege.
 AllowedPattern: ^o-[a-z0-9]{10,32}$
 ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters.
- Default: o-nbfb46ay7u
- # Default: o-abcde12345
+ Default: o-abcde12345
 S3Prefix:
 Type: String
 Description: >
 Enter S3 Bucket Name Prefix (in lowercase).
- Bucket will be named: prefix-accountid-region
+ Bucket will be named: prefix-awsaccount-awsregion (i.e., prowler-123456789012-us-east-1)
+ AllowedPattern: ^[a-z0-9][a-z0-9-]{1,33}[a-z0-9]$
+ ConstraintDescription: >
+ Max 35 characters, as "-awsaccount-awsregion" will be added, and max name is 63 characters.
+ Can't start or end with dash. Can use numbers and lowercase letters.
 Default: prowler
 
 Resources:
@@ -35,6 +38,9 @@ Resources:
 RestrictPublicBuckets: True
 VersioningConfiguration:
 Status: Enabled
+ Tags:
+ - Key: App
+ Value: Prowler
 Metadata:
 cfn_nag:
 rules_to_suppress:
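Review bot: The new S3Prefix `AllowedPattern: ^[a-z0-9][a-z0-9-]{1,33}[a-z0-9]$` still accepts prefixes that S3 itself refuses (names beginning with `xn--`, `sthree-` or `amzn-s3-demo-`), so such a value passes parameter validation and only fails at bucket creation; either tighten the pattern or add a sentence to the new ConstraintDescription naming those reserved prefixes. The replacement `Default: o-abcde12345` for AwsOrgId is a placeholder that matches no real organization, and because the bucket policy's Allow is conditioned on `aws:PrincipalOrgId` (visible in the later hunk), an unmodified deployment produces a bucket no principal can read — fail-closed but silent; dropping the Default so the parameter is required would surface that at stack creation instead. The example text `(i.e., prowler-123456789012-us-east-1)` should read `e.g.`, since it is an illustration rather than a restatement.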
@@ -60,12 +66,36 @@ Resources:
 Condition:
 StringEquals:
 aws:PrincipalOrgId: !Ref AwsOrgId
+ - Sid: DenyNonSSLRequests
+ Effect: Deny
+ Action: s3:*
+ Resource:
+ - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}
+ - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+ Principal: "*"
+ Condition:
+ Bool:
+ aws:SecureTransport: false
+ - Sid: DenyIncorrectEncryptionHeader
+ Effect: Deny
+ Principal: "*"
+ Action: s3:PutObject
+ Resource:
+ - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+ # Allow uploads with No Encryption, as S3 Default Encryption still applies.
+ # If Encryption is set, only allow uploads with AES256.
+ Condition:
+ "Null":
+ s3:x-amz-server-side-encryption: false
+ StringNotEquals:
+ s3:x-amz-server-side-encryption: AES256
 Metadata:
 cfn_nag:
 rules_to_suppress:
 - id: F16
 reason: "This S3 Bucket Policy has a condition that only allows access to the AWS Organization."
 
+
 Outputs:
 ProwlerS3:
 Description: S3 Bucket for Prowler Reports
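Review bot: The `DenyIncorrectEncryptionHeader` statement rejects any `s3:PutObject` whose `s3:x-amz-server-side-encryption` header is present and not `AES256`, which means SSE-KMS uploads (`aws:kms`) from a Prowler client configured for KMS fail with AccessDenied; that matches the inline comment's intent but should be said there outright, e.g. `# SSE-KMS (aws:kms) uploads are rejected; only SSE-S3 (AES256) or no header is accepted.`. The comment `S3 Default Encryption still applies` rests on a `BucketEncryption` property of the `ProwlerS3` resource that is not in this hunk (the earlier hunk shows only `RestrictPublicBuckets` and `VersioningConfiguration`), so confirm it is configured in the template rather than relying on the service default, and reference it in the comment. The added blank line before `Outputs:` leaves two consecutive blank lines, since one already exists in the surrounding context.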