AWS AmazonS3 documentation change
Summary
Restructured documentation sections, removed detailed ACL migration instructions and policy examples, simplified prerequisites for disabling ACLs, and renamed 'Example use cases' to 'Example walkthroughs'
Security assessment
The changes focus on migrating ACL permissions to bucket policies as a security best practice, but there's no evidence of addressing a specific security vulnerability. The updates emphasize proper configuration to prevent errors when disabling ACLs, which improves security documentation but doesn't reference a concrete security incident.
Diff
diff --git a/AmazonS3/latest/userguide/object-ownership-migrating-acls-prerequisites.md b/Users/docs/2025-03-10_15-36-52/AmazonS3/latest/userguide/object-ownership-migrating-acls-prerequisites.md index 93925df80..644a6aeca 100644 --- a/AmazonS3/latest/userguide/object-ownership-migrating-acls-prerequisites.md +++ b/AmazonS3/latest/userguide/object-ownership-migrating-acls-prerequisites.md @@ -5 +5 @@ -Review bucket and object ACLs and migrate ACL permissionsIdentify requests that required an ACL for authorizationReview and update bucket policies that use ACL-related condition keysExample use cases +Bucket policies examplesUsing the S3 console to review and migrate ACL permissionsUsing the AWS CLI to review and migrate ACL permissionsExample walkthroughs @@ -9,20 +9 @@ Review bucket and object ACLs and migrate ACL permissionsIdentify requests that -A bucket access control list (ACL) in Amazon S3 is a mechanism that allows you to define granular permissions for individual objects within an S3 bucket, specifying which AWS accounts or groups can access and modify those objects. A majority of modern use cases in Amazon S3 no longer require the use of ACLs. We recommend that you use AWS Identity and Access Management (IAM) and bucket policies to manage access, and to keep ACLs disabled, except in unusual circumstances where you need to control access for each object individually. - -If you have ACLs enabled on your bucket, before you disable ACLs, complete the following prerequisites: - -###### Topics - - * Review bucket and object ACLs and migrate ACL permissions - - * Identify requests that required an ACL for authorization - - * Review and update bucket policies that use ACL-related condition keys - - * Example use cases - - - - -## Review bucket and object ACLs and migrate ACL permissions - -When you disable ACLs, permissions granted by bucket and object ACLs no longer affect access. Before you disable ACLs, review your bucket and object ACLs. +If your bucket ACL grants access outside of your AWS account, before you disable ACLs, you must migrate your bucket ACL permissions to your bucket policy and reset your bucket ACL to the default private ACL. If you don't migrate these bucket ACLs, your request to apply the Bucket owner enforced setting to disable ACLs fails and returns the [InvalidBucketAclWithObjectOwnership](./object-ownership-error-responses.html#object-ownership-error-responses-invalid-acl) error code. We also recommend that you review your object ACL permissions and migrate them to your bucket policy. For more information about other suggested prerequisites, see [Prerequisites for disabling ACLs](./about-object-ownership.html#object-ownership-considerations). @@ -32,15 +12,0 @@ Each of your existing bucket and object ACLs has an equivalent in an IAM policy. -Before you disable ACLs: - - * If your bucket ACL grants access outside of your AWS account, first, you must migrate your bucket ACL permissions to your bucket policy. - - * Next, reset your bucket ACL to the default private ACL. - - * We also recommend that you review your object-level ACL permissions and migrate them to your bucket policy. - - - - -If your bucket ACLs grant read or write permissions to others outside of your account, before you can disable ACLs, you must migrate these permissions to your bucket policy. After you migrate these permissions, you can set **Object Ownership** to the _Bucket owner enforced_ setting. If you don't migrate bucket ACLs that grant read or write access outside of your account, your request to apply the Bucket owner enforced setting fails and returns the [InvalidBucketAclWithObjectOwnership](./object-ownership-error-responses.html#object-ownership-error-responses-invalid-acl) error code. - -If your bucket ACL grants access outside of your AWS account, before you disable ACLs, you must migrate your bucket ACL permissions to your bucket policy and reset your bucket ACL to the default private ACL. If you don't migrate and reset, your request to apply the Bucket owner enforced setting to disable ACLs fails and returns the [InvalidBucketAclWithObjectOwnership](./object-ownership-error-responses.html#object-ownership-error-responses-invalid-acl) error code. We also recommend that you review your object ACL permissions and migrate them to your bucket policy. - @@ -56,0 +23 @@ To review and migrate ACL permissions to bucket policies, see the following topi + * Example walkthroughs @@ -60 +27,2 @@ To review and migrate ACL permissions to bucket policies, see the following topi -### Bucket policies examples + +## Bucket policies examples @@ -145 +113 @@ If your bucket has a `WRITE` ACL that grants AWS account ``111122223333`` permis -### Using the S3 console to review and migrate ACL permissions +## Using the S3 console to review and migrate ACL permissions @@ -185 +153 @@ If your bucket has a `WRITE` ACL that grants AWS account ``111122223333`` permis -For example bucket policies, see Bucket policies examples and Example use cases. +For example bucket policies, see Bucket policies examples and Example walkthroughs. @@ -196 +164 @@ For example bucket policies, see Bucket policies examples and Example use cases. -### Using the AWS CLI to review and migrate ACL permissions +## Using the AWS CLI to review and migrate ACL permissions @@ -237 +205 @@ For example, this bucket ACL grants `WRITE` and `READ` access to a third-party a -For other example ACLs, see Example use cases. +For other example ACLs, see Example walkthroughs. @@ -268 +236 @@ This example bucket policy grants `s3:PutObject` and `s3:ListBucket` permissions -For more example bucket policies, see Bucket policies examples and Example use cases. +For more example bucket policies, see Bucket policies examples and Example walkthroughs. @@ -289,72 +257 @@ This example resource element grants access to a specific object in a bucket pol -## Identify requests that required an ACL for authorization - -To identify Amazon S3 requests that required ACLs for authorization, you can use the `aclRequired` value in Amazon S3 server access logs or AWS CloudTrail. If the request required an ACL for authorization or if you have `PUT` requests that specify an ACL, the string is `Yes`. If no ACLs were required, or if you are setting a `bucket-owner-full-control` canned ACL, or if the requests are allowed by your bucket policy, the `aclRequired` value string is "`-`" in Amazon S3 server access logs and is absent in CloudTrail. For more information about the expected `aclRequired` values, see [aclRequired values for common Amazon S3 requests](./acl-overview.html#aclrequired-s3). - -If you have `PutBucketAcl` or `PutObjectAcl` requests with headers that grant ACL-based permissions, with the exception of the `bucket-owner-full-control` canned ACL, you must remove those headers before you can disable ACLs. Otherwise, your requests will fail. - -For all other requests that required an ACL for authorization, migrate those ACL permissions to bucket policies. Then, remove any bucket ACLs before you enable the bucket owner enforced setting. - -###### Note - -Do not remove object ACLs. Otherwise, applications that rely on object ACLs for permissions will lose access. - -If you see that no requests required an ACL for authorization, you can proceed to disable ACLs. For more information about identifying requests, see [Using Amazon S3 server access logs to identify requests](./using-s3-access-logs-to-identify-requests.html) and [Identifying Amazon S3 requests using CloudTrail](./cloudtrail-request-identification.html). - -## Review and update bucket policies that use ACL-related condition keys - -After you apply the Bucket owner enforced setting to disable ACLs, new objects can be uploaded to your bucket only if the request uses bucket owner full control ACLs or doesn't specify an ACL. Before disabling ACLs, review your bucket policy for ACL-related condition keys. - -If your bucket policy uses an ACL-related condition key to require the `bucket-owner-full-control` canned ACL (for example, `s3:x-amz-acl`), you don't need to update your bucket policy. The following bucket policy uses the `s3:x-amz-acl` to require the `bucket-owner-full-control` canned ACL for S3 `PutObject` requests. This policy _still_ requires the object writer to specify the `bucket-owner-full-control` canned ACL. However, buckets with ACLs disabled still accept this ACL, so requests continue to succeed with no client-side changes required. - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Only allow writes to my bucket with bucket owner full control", - "Effect": "Allow", - "Principal": { - "AWS": [ - "arn:aws:iam::111122223333:user/ExampleUser" - ] - }, - "Action": [ - "s3:PutObject" - ], - "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", - "Condition": { - "StringEquals": { - "s3:x-amz-acl": "bucket-owner-full-control" - } - } - } - ] - } - -However, if your bucket policy uses an ACL-related condition key that requires a different ACL, you must remove this condition key. This example bucket policy requires the `public-read` ACL for S3 `PutObject` requests and therefore must be updated before disabling ACLs. - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Only allow writes to my bucket with public read access", - "Effect": "Allow", - "Principal": { - "AWS": [ - "arn:aws:iam::111122223333:user/ExampleUser" ] - }, - "Action": [ - "s3:PutObject" - ], - "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", - "Condition": { - "StringEquals": { - "s3:x-amz-acl": "public-read" - } - } - } - ] - } - -## Example use cases +## Example walkthroughs