AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-04-14 · Documentation low

File: AmazonS3/latest/userguide/access-points-directory-buckets-restrictions-limitations-naming-rules.md

Summary

Updated access point naming rules and restrictions for directory buckets, including changes to required suffixes, scope prefix size limits, cross-account access policies, and API operation requirements.

Security assessment

Changes primarily clarify technical requirements (e.g., suffix format, size limits) and access control policies without explicit evidence of addressing a specific security vulnerability. Security-related aspects like HTTPS enforcement and AWS SigV4 were already documented.

Diff

diff --git a/AmazonS3/latest/userguide/access-points-directory-buckets-restrictions-limitations-naming-rules.md b/AmazonS3/latest/userguide/access-points-directory-buckets-restrictions-limitations-naming-rules.md
index 8fd66a589..1045afa07 100644
--- a//AmazonS3/latest/userguide/access-points-directory-buckets-restrictions-limitations-naming-rules.md
+++ b//AmazonS3/latest/userguide/access-points-directory-buckets-restrictions-limitations-naming-rules.md
@@ -22,5 +22 @@ Access points simplify managing data access at scale for shared datasets in Amaz
-When you create an access point for a directory bucket, you choose its name and the AWS Region to create it in. The access point must be created in the same AWS Region that the bucket is in. An access point name must be unique within the Availability Zone.
-
-###### Note
-
-If you choose to publicize your access point name, avoid including sensitive information in the access point name. Access point names are published in a publicly accessible database known as the Domain Name System (DNS).
+The access point must be created in the same Dedicated Local Zone that the bucket is in. An access point name must be unique within the Dedicated Local Zone.
@@ -32 +28 @@ Access point names must be DNS-compliant and must meet the following conditions:
-  * Must be between 3 and 50 characters long
+  * The base name you provide must be between 3 and 50 characters long
@@ -38 +34 @@ Access point names must be DNS-compliant and must meet the following conditions:
-  * Can't end with the suffix `zoneID--xa`. This suffix is reserved for access point alias names. For more information, see [Access points for directory buckets aliases](./access-points-directory-buckets-naming.html#access-points-directory-buckets-alias).
+  * Must end with the suffix ``zoneid`--xa-s3`.
@@ -47 +43 @@ Access points for directory buckets have the following restrictions and limitati
-  * Access points for directory buckets are supported in AWS Dedicated Local Zones. For more information on Local Zones and directory buckets, see [Concepts for directory buckets in Local Zones](./s3-lzs-for-directory-buckets.html).
+  * Access points for directory buckets are supported only in AWS Dedicated Local Zones.
@@ -55 +51 @@ Access points for directory buckets have the following restrictions and limitati
-  * Access point scope prefixes are limit to 256 KB in total size.
+  * Access point scope prefixes are limited to 256 bytes in total size.
@@ -59 +55 @@ Access points for directory buckets have the following restrictions and limitati
-  * You can only use access points to perform operations on objects. You can't use access points to perform other Amazon S3 operations, such as modifying or deleting buckets. For a complete list of S3 operations that support access points, see [Access point for general purpose buckets compatibility](./access-points-service-api-support.html).
+  * You can only use access points to perform operations on objects. You can't use access points to perform Amazon S3 bucket operations, such as modifying or deleting buckets. For a complete list of supported operations, see [Object operations for access points for directory buckets](./access-points-directory-buckets-service-api-support.html).
@@ -61 +57 @@ Access points for directory buckets have the following restrictions and limitati
-  * You can address access points only by using virtual-host-style URLs. For more information about virtual-host-style addressing, see [Accessing an Amazon S3 bucket](./access-bucket-intro.html).
+  * You can refer to access points by name, access point alias, or virtual-hosted-style URI. You cannot address access points by ARN. For more information, see [Referencing access points for directory buckets](./access-points-directory-buckets-naming.html).
@@ -63 +59 @@ Access points for directory buckets have the following restrictions and limitati
-  * API operations that control access point functionality (for example, `PutAccessPoint` and `GetAccessPointPolicy`) don't support cross-account calls.
+  * API operations that control access point functionality (for example, `PutAccessPointPolicy` and `GetAccessPointPolicy`) must specify the AWS account that owns the access point.
@@ -65 +61 @@ Access points for directory buckets have the following restrictions and limitati
-  * You must use AWS Signature Version 4 when making requests to an access point by using the REST APIs. For more information about authenticating requests, see [Authenticating Requests (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) in the _Amazon Simple Storage Service API Reference_.
+  * You must use AWS Signature Version 4 when making requests to an access point by using the REST API. For more information about authenticating requests, see [Authenticating Requests (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) in the _Amazon Simple Storage Service API Reference_.
@@ -67 +63 @@ Access points for directory buckets have the following restrictions and limitati
-  * Access points only support requests over HTTPS. Amazon S3 will automatically respond with an HTTP redirect for any requests made via HTTP, to upgrade the request to HTTPS.
+  * Access points only support requests over HTTPS. Amazon S3 will automatically respond with an HTTP redirect for any requests made through HTTP, to upgrade the request to HTTPS.
@@ -71 +67 @@ Access points for directory buckets have the following restrictions and limitati
-  * Cross-account access points don’t grant you access to data until you are granted permissions from the bucket owner. The bucket owner always retains ultimate control over access to the data and must update the bucket policy to authorize requests from the cross-account access point. To view a bucket policy example, see [Configuring IAM policies for using access points for general purpose buckets](./access-points-policies.html).
+  * If you create an access point to a bucket that's owned by another account (a cross-account access point), the cross-account access point doesn't grant you access to data until the bucket owner grants you permission to access the bucket. The bucket owner always retains ultimate control over access to the data and must update the bucket policy to authorize requests from the cross-account access point. To view a bucket policy example, see [Configuring IAM policies for using access points for directory buckets](./access-points-directory-buckets-policies.html).