AWS elasticbeanstalk documentation change
Summary
Updated documentation to clarify S3 bucket ownership and ACL requirements. Added section explaining why Elastic Beanstalk requires enabled ACLs for service-managed buckets despite S3 defaults, and emphasized customer account ownership.
Security assessment
The changes explain security configurations (bucket ownership enforcement and ACL requirements) but do not indicate a specific security vulnerability being addressed. The ACL discussion provides security documentation about service requirements but doesn't reference a patched issue.
Diff
diff --git a/elasticbeanstalk/latest/dg/AWSHowTo.S3.md index 1239a8feb..e4c91d429 100644 --- a/elasticbeanstalk/latest/dg/AWSHowTo.S3.md +++ b/elasticbeanstalk/latest/dg/AWSHowTo.S3.md @@ -5 +5 @@ -Contents of the Elastic Beanstalk Amazon S3 bucketDeleting objects in the Elastic Beanstalk Amazon S3 bucketDeleting the Elastic Beanstalk Amazon S3 bucket +The Elastic Beanstalk Amazon S3 customer account bucketContents of the Elastic Beanstalk Amazon S3 customer account bucketDeleting objects in the Elastic Beanstalk Amazon S3 bucketDeleting the Elastic Beanstalk Amazon S3 bucket @@ -11 +11 @@ This topic explains how Elastic Beanstalk utilizes Amazon Simple Storage Service -Elastic Beanstalk creates an encrypted Amazon S3 bucket named `elasticbeanstalk-`region`-`account-id`` for each region in which you create environments. Elastic Beanstalk uses this bucket to store objects, for example temporary configuration files, that are required for the proper operation of your application. Elastic Beanstalk deployments enforce that this bucket is owned by the account running the application. +## The Elastic Beanstalk Amazon S3 customer account bucket @@ -13 +13 @@ Elastic Beanstalk creates an encrypted Amazon S3 bucket named `elasticbeanstalk- -As a result of the default Amazon S3 bucket configuration, the bucket that Elastic Beanstalk creates is encrypted. For more information, see [Amazon S3 default encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) in the _Amazon Simple Storage Service User Guide_. +Elastic Beanstalk creates an encrypted Amazon S3 bucket named `elasticbeanstalk-`region`-`account-id`` for each region in which you create environments. Your AWS account owns this bucket. Elastic Beanstalk stores temporary configuration files and other objects for the proper operation of your application in this bucket. Elastic Beanstalk requires enabled ACLs for service-managed buckets and therefore enables this bucket's Access Control List (ACL). @@ -15 +15 @@ As a result of the default Amazon S3 bucket configuration, the bucket that Elast -## Contents of the Elastic Beanstalk Amazon S3 bucket +Be aware that Amazon S3 disables bucket Access Control Lists (ACLs) by default. Furthermore, the [ACL overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) topic in the _Amazon S3 User Guide_ recommends that you keep ACLs disabled, except for specific use cases. The Elastic Beanstalk service-managed buckets fall into a use case that requires enabled ACLs. To maintain security Elastic Beanstalk deployments enforce that this bucket is owned by the account running the application. @@ -17 +17,5 @@ As a result of the default Amazon S3 bucket configuration, the bucket that Elast -The following table lists some objects that Elastic Beanstalk stores in your `elasticbeanstalk-`*`` Amazon S3 bucket. The table also shows which objects have to be deleted manually. To avoid unnecessary storage costs, and to ensure that personal information isn't retained, be sure to manually delete these objects when you no longer need them. +Elastic Beanstalk retains the default encryption provided by Amazon S3 buckets. For more information about bucket encryption, see [Amazon S3 default encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) in the _Amazon Simple Storage Service User Guide_. + +## Contents of the Elastic Beanstalk Amazon S3 customer account bucket + +The following table lists some objects that Elastic Beanstalk stores in your customer account bucket. The table also shows which objects have to be deleted manually. To avoid unnecessary storage costs, and to ensure that personal information isn't retained, be sure to manually delete these objects when you no longer need them. @@ -29 +33 @@ The following table lists some objects that Elastic Beanstalk stores in your `el -When you terminate an environment or delete an application, Elastic Beanstalk deletes most related objects from Amazon S3. To minimize storage costs of a running application, routinely delete objects that your application doesn't need. In addition, pay attention to objects that you have to delete manually, as listed in Contents of the Elastic Beanstalk Amazon S3 bucket. To ensure that private information isn't unnecessarily retained, delete these objects when you don't need them anymore. +When you terminate an environment or delete an application, Elastic Beanstalk deletes most related objects from Amazon S3. To minimize storage costs of a running application, routinely delete objects that your application doesn't need. In addition, pay attention to objects that you have to delete manually, as listed in Contents of the Elastic Beanstalk Amazon S3 customer account bucket. To ensure that private information isn't unnecessarily retained, delete these objects when you don't need them anymore.