AWS Security ChangesHomeSearch

AWS datasync high security documentation change

Service: datasync · 2025-04-11 · Security-related high

File: datasync/latest/userguide/s3-cross-account-transfer.md

Summary

Added IAM policy conditions requiring aws:ResourceAccount validation for cross-account S3 transfers

Security assessment

Introduces account ID validation to prevent cross-account access vulnerabilities in IAM policies

Diff

diff --git a/datasync/latest/userguide/s3-cross-account-transfer.md b/datasync/latest/userguide/s3-cross-account-transfer.md
index f7287203b..fe77cc956 100644
--- a//datasync/latest/userguide/s3-cross-account-transfer.md
+++ b//datasync/latest/userguide/s3-cross-account-transfer.md
@@ -197,0 +198,4 @@ The IAM role that you just created needs the permissions that allow DataSync to
+###### Note
+
+The value for `aws:ResourceAccount` should be the account ID that owns the Amazon S3 bucket specified in the policy.
+        
@@ -208,0 +213,5 @@ The IAM role that you just created needs the permissions that allow DataSync to
+                 "Condition": {
+                     "StringEquals": {
+                      "aws:ResourceAccount": "123456789012"
+                     }
+                 }
@@ -214,0 +224,3 @@ The IAM role that you just created needs the permissions that allow DataSync to
+                     "s3:GetObjectTagging",
+                     "s3:GetObjectVersion",
+                     "s3:GetObjectVersionTagging",
@@ -217 +228,0 @@ The IAM role that you just created needs the permissions that allow DataSync to
-                "s3:GetObjectTagging",
@@ -221,0 +233,5 @@ The IAM role that you just created needs the permissions that allow DataSync to
+                 "Condition": {
+                     "StringEquals": {
+                         "aws:ResourceAccount": "123456789012"
+                     }
+                 }