AWS Security ChangesHomeSearch

AWS datasync high security documentation change

Service: datasync · 2025-04-11 · Security-related high

File: datasync/latest/userguide/using-identity-based-policies.md

Summary

Enhanced example IAM policies with aws:ResourceAccount conditions for S3 access

Security assessment

Adds critical account ownership validation to prevent cross-account privilege escalation risks

Diff

diff --git a/datasync/latest/userguide/using-identity-based-policies.md b/datasync/latest/userguide/using-identity-based-policies.md
index 4e40409c6..36309b14b 100644
--- a//datasync/latest/userguide/using-identity-based-policies.md
+++ b//datasync/latest/userguide/using-identity-based-policies.md
@@ -93,0 +94,4 @@ The following example policy grants DataSync the minimum permissions to read and
+###### Note
+
+The value for `aws:ResourceAccount` should be the account ID that owns the Amazon S3 bucket specified in the policy.
+    
@@ -105,0 +110,5 @@ The following example policy grants DataSync the minimum permissions to read and
+             "Condition": {
+                 "StringEquals": {
+                     "aws:ResourceAccount": "123456789012"
+                 }
+             }
@@ -120,0 +130,5 @@ The following example policy grants DataSync the minimum permissions to read and
+             "Condition": {
+                 "StringEquals": {
+                     "aws:ResourceAccount": "123456789012"
+                 }
+             }