AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2025-04-14 · Security-related medium

File: AmazonS3/latest/userguide/access-points-directory-buckets-policies.md

Summary

Updated Example 2 bucket policy to restrict operations through access points to VPC origins

Security assessment

Adds network origin restrictions for S3 operations via access points

Diff

diff --git a/AmazonS3/latest/userguide/access-points-directory-buckets-policies.md b/AmazonS3/latest/userguide/access-points-directory-buckets-policies.md
index 9e7d89427..8c3a171cc 100644
--- a//AmazonS3/latest/userguide/access-points-directory-buckets-policies.md
+++ b//AmazonS3/latest/userguide/access-points-directory-buckets-policies.md
@@ -9 +9 @@ Access points for directory buckets policy examplesCondition keysDelegating acce
-Directory buckets support AWS Identity and Access Management (IAM) resource policies that allow you to control the use of the access point by resource, user, or other conditions. For an application or user to access objects through an access point, both the access point and the underlying bucket policy must permit the request.
+Access points support AWS Identity and Access Management (IAM) resource policies that allow you to control the use of the access point by resource, user, or other conditions. For an application or user to access objects through an access point, both the access point and the underlying bucket policy must permit the request.
@@ -34 +34 @@ Permissions granted in an access point policy are effective only if the underlyi
-###### Example 1 – Service control policy
+###### Example 1 – Service control policy to limit access points to VPC network origins
@@ -36 +36 @@ Permissions granted in an access point policy are effective only if the underlyi
-The following service control policy requires all new access points are created with a virtual private cloud (VPC) network origin. With this policy in place, users in your organization can't create any access point that is accessible from the internet.
+The following service control policy requires all new access points are to be created with a virtual private cloud (VPC) network origin. With this policy in place, users in your organization can't create any access point that is accessible from the internet.
@@ -55 +55 @@ The following service control policy requires all new access points are created
-###### Example 2 – Bucket policy to limit S3 operations to VPC network origins
+###### Example 2 – Bucket policy to limit S3 operations through access points to VPC network origins
@@ -84 +84 @@ Access points for directory buckets have condition keys that you can use in IAM
-This example shows a string that you can use to match on an access point ARN. The following example matches all access points for AWS account `111122223333` in Region `us-west-2`:
+AWS SDK operations require you to use the ARN for object requests. This example shows a string that you can use to match on an access point ARN. The following example matches all access points for AWS account `111122223333` in Region `us-west-2`:
@@ -89 +89 @@ This example shows a string that you can use to match on an access point ARN. Th
-            "s3express:DataAccessPointArn": "arn:aws:s3:us-west-2:111122223333:accesspoint/*"
+            "s3express:DataAccessPointArn": "arn:aws:s3express:us-west-2:111122223333:accesspoint/*"
@@ -120 +120 @@ This example shows a string operator that you can use to match on the network or
-You can use permissions as part of access point scope to restrict access to access points. Only the API operations included as permissions can be used to access the access point. Valid values are as follows:
+You can use `s3express:Permissions` in bucket policies and access point policies. access point policies don't support `SessionMode`. These values are the S3 GP permission names used in IAM policies. They map to API operations. Valid values are as follows:
@@ -122 +122 @@ You can use permissions as part of access point scope to restrict access to acce
-  * `PutObjet`
+  * `PutObject`
@@ -134 +134 @@ You can use permissions as part of access point scope to restrict access to acce
-  * `ListBucketMultipartUpload`
+  * `ListBucketMultipartUploads`
@@ -136 +136 @@ You can use permissions as part of access point scope to restrict access to acce
-  * `ListMultiPartUploadParts`
+  * `ListMultipartUploadParts`
@@ -151 +151 @@ For bucket policies that use `SesssionMode`, the values of `s3express:Permission
-    * `ListBucketMultiPartUpload`
+    * `ListBucketMultipartUploads`
@@ -153 +153 @@ For bucket policies that use `SesssionMode`, the values of `s3express:Permission
-    * `ListMultiPartUploadParts`
+    * `ListMultipartUploadParts`
@@ -169 +169 @@ For bucket policies that use `SesssionMode`, the values of `s3express:Permission
-    * `ListBucketMultiPartUpload`
+    * `ListBucketMultipartUploads`
@@ -171 +171 @@ For bucket policies that use `SesssionMode`, the values of `s3express:Permission
-    * `ListMultiPartUploadParts`
+    * `ListMultipartUploadParts`
@@ -178 +178 @@ For bucket policies that use `SesssionMode`, the values of `s3express:Permission
-When using multi-value condition keys, use `ForAllValues` with `Allow` statements and `ForAnyValue` with `Deny` statements. For more information, see [Multivalued context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-keys) in the IAM User Guide.
+When using multi-value condition keys, we recommend you use `ForAllValues` with `Allow` statements and `ForAnyValue` with `Deny` statements. For more information, see [Multivalued context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-keys) in the IAM User Guide.
@@ -182 +182 @@ For more information about using condition keys with Amazon S3, see [ Actions, r
-For more information about the permissions to S3 API operations by S3 resource types, see [Required permissions for Amazon S3 API operations](./using-with-s3-policy-actions.html).
+For more information about the required permissions to S3 API operations by S3 resource types, see [Required permissions for Amazon S3 API operations](./using-with-s3-policy-actions.html).
@@ -188 +188 @@ You can delegate access control for a bucket to the bucket's access points. The
-###### Example of bucket policy that delegates access control to access points
+###### Example bucket policy that delegates access control to access points
@@ -220,2 +220,2 @@ Replace `Bucket ARN` with the ARN of the bucket.
-            "Action" : ["s3:GetObject","s3:ListBucket"],
-            "Resource" : [ "Bucket ARN", "Bucket ARN/*"],
+            "Action" : "s3express:CreateSession",
+            "Resource" : [ "Bucket ARN" ],
@@ -223 +223,9 @@ Replace `Bucket ARN` with the ARN of the bucket.
-                "StringEquals" : { "s3:DataAccessPointAccount" : "Access point owner's account ID" }
+                "StringEquals" : { 
+                    "s3express:DataAccessPointAccount": "Access point owner's account ID" 
+                },
+                "ForAllValues:StringEquals": {
+                    "s3express:Permissions": [
+                        "GetObject",
+                        "ListBucket"
+                    ]
+                }
@@ -234 +243 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Access point compatibility
+Access points object operations