AWS config documentation change
Summary
Added clarification about why the IAM role needs s3:ListBucket permission, specifically mentioning the HeadBucket API call
Security assessment
The change provides additional technical detail about API usage but does not address any specific security vulnerability or weakness
Diff
diff --git a/config/latest/developerguide/s3-bucket-policy.md index 39d9979f4..cc04ca451 100644 --- a/config/latest/developerguide/s3-bucket-policy.md +++ b/config/latest/developerguide/s3-bucket-policy.md @@ -140 +140 @@ When AWS Config is configured to deliver configuration history and snapshots to - * The IAM role you assign to the configuration recorder needs explicit permission to perform the `s3:ListBucket` operation + * The IAM role you assign to the configuration recorder needs explicit permission to perform the `s3:ListBucket` operation. This is because AWS Config calls the Amazon S3 [HeadBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_RESTBucketHEAD.html) API with this IAM role to determine the bucket location.