AWS IAM medium security documentation change
Summary
Added documentation about S3 directory bucket access points and clarified IAM Access Analyzer's behavior regarding cross-account access point policies and public/cross-account findings
Security assessment
Explicitly addresses security analysis of cross-account access points and public exposure risks when Block Public Access is disabled
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-resources.md b/IAM/latest/UserGuide/access-analyzer-resources.md index d9aaa20ea..44bcc40c9 100644 --- a/IAM/latest/UserGuide/access-analyzer-resources.md +++ b/IAM/latest/UserGuide/access-analyzer-resources.md @@ -64 +64,9 @@ For a multi-Region access point, IAM Access Analyzer uses an established policy -Amazon S3 directory buckets use the Amazon S3 Express One storage class, which is recommended for performance-critical workloads or applications. For Amazon S3 directory buckets, IAM Access Analyzer analyzes the directory bucket policy, including condition statements in a policy, that allow an external entity to access a directory bucket. For more information about Amazon S3 directory buckets, see [Directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/directory-buckets-overview.html) in the Amazon Simple Storage Service User Guide. +Amazon S3 directory buckets organize data hierarchically into directories as opposed to the flat storage structure of general purpose buckets, which is recommended for performance-critical workloads or applications. For Amazon S3 directory buckets, IAM Access Analyzer analyzes the directory bucket policy, including condition statements in a policy, that allow an external entity to access a directory bucket. + +Amazon S3 directory buckets also support access points, which enforce distinct permissions and network controls for all requests made to the directory bucket through the access point. Each access point can have an access point policy that works in conjunction with the bucket policy that is attached to the underlying directory bucket. With access points for directory buckets, you can restrict access to specific prefixes, API actions, or a virtual private cloud (VPC). + +###### Note + +IAM Access Analyzer doesn’t analyze the access point policy attached to cross-account access points because the access point and its policy are outside the analyzer account. IAM Access Analyzer generates a public finding when a bucket delegates access to a cross-account access point and Block Public Access is not enabled on the bucket or account. When you enable Block Public Access, the public finding is resolved and IAM Access Analyzer generates a cross-account finding for the cross-account access point. + +For more information about Amazon S3 directory buckets, see [Working with directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/directory-buckets-overview.html) in the Amazon Simple Storage Service User Guide.