AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-04-16 · Documentation low

File: AmazonS3/latest/userguide/Welcome.md

Summary

Expanded bucket type documentation with details about general purpose, directory, and table buckets. Added security notes about default access controls and public access restrictions for different bucket types.

Security assessment

The changes add documentation about security features including default private access settings for directory/table buckets and access control mechanisms. However, there is no evidence this addresses a specific security vulnerability.

Diff

diff --git a/AmazonS3/latest/userguide/Welcome.md b/AmazonS3/latest/userguide/Welcome.md
index 66557c59f..b3cab9c24 100644
--- a//AmazonS3/latest/userguide/Welcome.md
+++ b//AmazonS3/latest/userguide/Welcome.md
@@ -134 +134 @@ Amazon S3 provides strong read-after-write consistency for PUT and DELETE reques
-Amazon S3 is an object storage service that stores data as objects within buckets. An _object_ is a file and any metadata that describes the file. A _bucket_ is a container for objects. 
+Amazon S3 is an object storage service that stores data as objects, hierarchical data, or tabular data within buckets. An _object_ is a file and any metadata that describes the file. A _bucket_ is a container for objects.
@@ -167 +167,37 @@ Buckets and the objects in them are private and can be accessed only if you expl
-A general purpose bucket is a container for objects stored in Amazon S3. You can store any number of objects in a bucket and all accounts have a default bucket quota of 10,000 general purpose buckets. To see your bucket utilization, bucket quota, or request an increase to this quota, visit the [Service Quotas console](https://console.aws.amazon.com/servicequotas/home/services/s3/quotas/).
+Amazon S3 supports three types of buckets—general purpose buckets, directory buckets, and table buckets. Each type of bucket provides a unique set of features for different use cases.
+
+**General purpose buckets** – General purpose buckets are recommended for most use cases and access patterns and are the original S3 bucket type. A general purpose bucket is a container for objects stored in Amazon S3, and you can store any number of objects in a bucket and across all storage classes (except for S3 Express One Zone), so you can redundantly store objects across multiple Availability Zones. For more information, see [Creating, configuring, and working with Amazon S3 general purpose buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-buckets-s3.html).
+
+###### Note
+
+By default, all general purpose buckets are private. However, you can grant public access to general purpose buckets. You can control access to general purpose buckets at the bucket, prefix (folder), or object tag level. For more information, see [Access control in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-management.html).
+
+**Directory buckets** – Recommended for low-latency use cases and data-residency use cases. By default, you can create up to 100 directory buckets in your AWS account, with no limit on the number of objects that you can store in a directory bucket. Directory buckets organize objects into hierarchical directories (prefixes) instead of the flat storage structure of general purpose buckets. This bucket type has no prefix limits and individual directories can scale horizontally. For more information, see [Working with directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html).
+
+  * For low-latency use cases, you can create a directory bucket in a single AWS Availability Zone to store data. Directory buckets in Availability Zones support the S3 Express One Zone storage class. With S3 Express One Zone, your data is redundantly stored on multiple devices within a single Availability Zone. The S3 Express One Zone storage class is recommended if your application is performance sensitive and benefits from single-digit millisecond `PUT` and `GET` latencies. To learn more about creating directory buckets in Availability Zones, see [High performance workloads](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-high-performance.html).
+
+  * For data-residency use cases, you can create a directory bucket in a single AWS Dedicated Local Zone (DLZ) to store data. In Dedicated Local Zones, you can create S3 directory buckets to store data in a specific data perimeter, which helps support your data residency and isolation use cases. Directory buckets in Local Zones support the S3 One Zone-Infrequent Access (S3 One Zone-IA; Z-IA) storage class. To learn more about creating directory buckets in Local Zones, see [Data residency workloads](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-data-residency.html).
+
+
+
+
+###### Note
+
+Directory buckets have all public access disabled by default. This behavior can't be changed. You can't grant access to objects stored in directory buckets. You can grant access only to your directory buckets. For more information, see [Authenticating and authorizing requests](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-authenticating-authorizing.html).
+
+**Table buckets** – Recommended for storing tabular data, such as daily purchase transactions, streaming sensor data, or ad impressions. Tabular data represents data in columns and rows, like in a database table. Table buckets provide S3 storage that's optimized for analytics and machine learning workloads, with features designed to continuously improve query performance and reduce storage costs for tables. S3 Tables are purpose-built for storing tabular data in the Apache Iceberg format. You can query tabular data in S3 Tables with popular query engines, including Amazon Athena, Amazon Redshift, and Apache Spark. By default, you can create up to 10 table buckets per AWS account per AWS Region and up to 10,000 tables per table bucket. For more information, see [Working with S3 Tables and table buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables.html).
+
+###### Note
+
+All table buckets and tables are private and can't be made public. These resources can only be accessed by users who are explicitly granted access. To grant access, you can use IAM resource-based policies for table buckets and tables, and IAM identity-based policies for users and roles. For more information, see [Security for S3 Tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-security-overview.html).
+
+#### Additional information about all bucket types
+
+When you create a bucket, you enter a bucket name and choose the AWS Region where the bucket will reside. After you create a bucket, you cannot change the name of the bucket or its Region. Bucket names must follow the following bucket naming rules:
+
+  * [General purpose bucket naming rules](./bucketnamingrules.html)
+
+  * [Directory bucket naming rules](./directory-bucket-naming-rules.html)
+
+  * [Table bucket naming rules](./s3-tables-buckets-naming.html#table-buckets-naming-rules)
+
@@ -169 +204,0 @@ A general purpose bucket is a container for objects stored in Amazon S3. You can
-Every object is contained in a bucket. For example, if the object named `photos/puppy.jpg` is stored in the `amzn-s3-demo-bucket` bucket in the US West (Oregon) Region, then it is addressable by using the URL `https://amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com/photos/puppy.jpg`. For more information, see [Accessing a Bucket](./access-bucket-intro.html). 
@@ -171 +205,0 @@ Every object is contained in a bucket. For example, if the object named `photos/
-When you create a bucket, you enter a bucket name and choose the AWS Region where the bucket will reside. After you create a bucket, you cannot change the name of the bucket or its Region. Bucket names must follow the [bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html). You can also configure a bucket to use [S3 Versioning](./Versioning.html) or other [storage management](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-storage.html) features.
@@ -175 +209 @@ Buckets also:
-  * Organize the Amazon S3 namespace at the highest level.
+  * Organize the Amazon S3 namespace at the highest level. For general purpose buckets, this namespace is `S3`. For directory buckets, this nameapace is `s3express`. For table buckets, this namespace is `s3tables`.
@@ -179,2 +212,0 @@ Buckets also:
-  * Provide access control options, such as bucket policies, access control lists (ACLs), and S3 Access Points, that you can use to manage access to your Amazon S3 resources.
-
@@ -186,2 +217,0 @@ Buckets also:
-For more information about buckets, see [Buckets overview](./UsingBucket.html). 
-
@@ -191,0 +222,2 @@ Objects are the fundamental entities stored in Amazon S3. Objects consist of obj
+Every object is contained in a bucket. For example, if the object named `photos/puppy.jpg` is stored in the `amzn-s3-demo-bucket` general purpose bucket in the US West (Oregon) Region, then it is addressable by using the URL `https://amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com/photos/puppy.jpg`. For more information, see [Accessing a Bucket](./access-bucket-intro.html). 
+
@@ -224 +256 @@ In your bucket policy, you can use wildcard characters on Amazon Resource Names
-Amazon S3 Access Points are named network endpoints with dedicated access policies that describe how data can be accessed using that endpoint. Access Points are attached to buckets that you can use to perform S3 object operations, such as GetObject and PutObject. Access Points simplify managing data access at scale for shared datasets in Amazon S3. 
+Amazon S3 Access Points are named network endpoints with dedicated access policies that describe how data can be accessed using that endpoint. Access Points are attached to general purpose buckets or directory buckets that you can use to perform S3 object operations, such as GetObject and PutObject. Access Points simplify managing data access at scale for shared datasets in Amazon S3. 
@@ -228 +260 @@ Each access point has its own access point policy. You can configure [Block Publ
-For more information, see [Managing access to shared datasets in general purpose buckets with access points](./access-points.html). 
+For more information about access points for general purpose buckets, see [Managing access to shared datasets in general purpose buckets with access points](./access-points.html). For more information about access points for directory buckets, see [Managing access to shared datasets in directory buckets with access points](./access-points-directory-buckets.html). 
@@ -232 +264 @@ For more information, see [Managing access to shared datasets in general purpose
-You can use ACLs to grant read and write permissions to authorized users for individual buckets and objects. Each bucket and object has an ACL attached to it as a subresource. The ACL defines which AWS accounts or groups are granted access and the type of access. ACLs are an access control mechanism that predates IAM. For more information about ACLs, see [Access control list (ACL) overview](./acl-overview.html).
+You can use ACLs to grant read and write permissions to authorized users for individual general purpose buckets and objects. Each general purpose bucket and object has an ACL attached to it as a subresource. The ACL defines which AWS accounts or groups are granted access and the type of access. ACLs are an access control mechanism that predates IAM. For more information about ACLs, see [Access control list (ACL) overview](./acl-overview.html).