AWS Security ChangesHomeSearch

AWS config documentation change

Service: config · 2025-02-27 · Documentation low

File: config/latest/developerguide/s3-bucket-policy.md

Summary

Added clarification about why the IAM role needs s3:ListBucket permission, specifically mentioning the HeadBucket API call

Security assessment

The change provides additional technical detail about API usage but does not address any specific security vulnerability or weakness

Diff

diff --git a/config/latest/developerguide/s3-bucket-policy.md
index 39d9979f4..cc04ca451 100644
--- a/config/latest/developerguide/s3-bucket-policy.md
+++ b/config/latest/developerguide/s3-bucket-policy.md
@@ -140 +140 @@ When AWS Config is configured to deliver configuration history and snapshots to
-  * The IAM role you assign to the configuration recorder needs explicit permission to perform the `s3:ListBucket` operation
+  * The IAM role you assign to the configuration recorder needs explicit permission to perform the `s3:ListBucket` operation. This is because AWS Config calls the Amazon S3 [HeadBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_RESTBucketHEAD.html) API with this IAM role to determine the bucket location.