AWS config documentation change
Summary
Added new section detailing required permissions for cross-account S3 bucket delivery in AWS Config
Security assessment
Adds documentation about secure configuration for cross-account access patterns but does not reference a specific security vulnerability or incident.
Diff
diff --git a/config/latest/developerguide/s3-bucket-policy.md index e597a0df5..39d9979f4 100644 --- a/config/latest/developerguide/s3-bucket-policy.md +++ b/config/latest/developerguide/s3-bucket-policy.md @@ -5 +5 @@ -When Using IAM RolesWhen Using Service-Linked RolesGranting AWS Config access +When Using IAM RolesWhen Using Service-Linked RolesGranting AWS Config accessCross-Account Delivery @@ -22,0 +25,3 @@ When AWS Config automatically creates an S3 bucket for you, it adds the required + * Cross-Account Delivery + + @@ -130,0 +136,30 @@ For example, to restrict S3 bucket access to a delivery channel in the US East ( +## Required Permissions for the Amazon S3 Bucket When Delivering Cross-Account + +When AWS Config is configured to deliver configuration history and snapshots to an Amazon S3 bucket in a different account (cross-account setup), where the configuration recorder and the S3 bucket specified for delivery channel are in different AWS accounts, the following permissions are required: + + * The IAM role you assign to the configuration recorder needs explicit permission to perform the `s3:ListBucket` operation + + * The S3 bucket policy must include permissions for both the AWS Config service principal and the IAM role assigned to the configuration recorder. + + + + +The following is an example bucket policy configuration: + + + { + "Sid": "AWSConfigBucketExistenceCheck", + "Effect": "Allow", + "Principal": { + "Service": "config.amazonaws.com", + "AWS": "IAM Role-Arn assigned to the configuartion recorder" + }, + "Action": "s3:ListBucket", + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket", + "Condition": { + "StringEquals": { + "AWS:SourceAccount": "sourceAccountID" + } + } + } +