AWS Security ChangesHomeSearch

AWS datasync high security documentation change

Service: datasync · 2025-04-11 · Security-related high

File: datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.md

Summary

Added IAM policy conditions with aws:ResourceAccount checks in cross-account transfer tutorial

Security assessment

Implements account-specific resource validation to prevent potential misconfiguration vulnerabilities

Diff

diff --git a/datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.md b/datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.md
index 779fe7bf0..33a636132 100644
--- a//datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.md
+++ b//datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.md
@@ -174,0 +175,4 @@ The IAM role that you just created needs the permissions that allow DataSync to
+###### Note
+
+The value for `aws:ResourceAccount` should be the account ID that owns the Amazon S3 bucket specified in the policy.
+        
@@ -185,0 +190,5 @@ The IAM role that you just created needs the permissions that allow DataSync to
+                 "Condition": {
+                     "StringEquals": {
+                      "aws:ResourceAccount": "123456789012"
+                     }
+                 }
@@ -191,0 +201,3 @@ The IAM role that you just created needs the permissions that allow DataSync to
+                     "s3:GetObjectTagging",
+                     "s3:GetObjectVersion",
+                     "s3:GetObjectVersionTagging",
@@ -194 +205,0 @@ The IAM role that you just created needs the permissions that allow DataSync to
-                "s3:GetObjectTagging",
@@ -198,0 +210,5 @@ The IAM role that you just created needs the permissions that allow DataSync to
+                 "Condition": {
+                     "StringEquals": {
+                         "aws:ResourceAccount": "123456789012"
+                     }
+                 }