AWS AmazonS3 documentation change
Summary
Added documentation for configuring encryption during table bucket creation, including SSE-S3 and SSE-KMS options. Added prerequisites for IAM permissions and KMS key requirements for encryption operations.
Security assessment
The changes document encryption configuration and required permissions but do not address a specific security vulnerability. They enhance security documentation by explaining encryption options and access controls.
Diff
diff --git a/AmazonS3/latest/userguide/s3-tables-buckets-create.md b/AmazonS3/latest/userguide/s3-tables-buckets-create.md index 3b04bf0b7..ee3855fa4 100644 --- a//AmazonS3/latest/userguide/s3-tables-buckets-create.md +++ b//AmazonS3/latest/userguide/s3-tables-buckets-create.md @@ -15,0 +16,15 @@ By default, you can create up to 10 table buckets per Region in an AWS account. +When you create a table bucket you can specify the encryption type for that will be used to encrypt the tables you create in that bucket. For more information about bucket encryption options, see [Protecting S3 table data with encryption](./s3-tables-encryption.html). + +###### Prerequisites for creating table buckets + +To create a table bucket, you must first do the following: + + * Make sure that you have AWS Identity and Access Management (IAM) permissions for `s3tables:CreateTableBucket`. + + + + +###### Note + +If you choose SSE-KMS as the default encryption type, you must have permissions for `s3tables:PutTableBucketEncryption`, and have `DescribeKey` permission on the chosen AWS KMS key. Additionally the AWS KMS key you use needs to grant S3 Tables permission to perform automatic table maintenance. For more information, see [Permission requirements for S3 Tables SSE-KMS encryption](./s3-tables-kms-permissions.html) + @@ -46 +61,9 @@ When you create your first table bucket by using the console with the **Enable i - 7. Choose **Create bucket**. + 7. To configure default encryption, under **Encryption type** , choose one of the following: + + * **Server-side encryption with Amazon S3 managed key (SSE-S3)** + + * **Server-side encryption with AWS Key Management Service key (SSE-KMS)** + +For more information about encryption options for table data, see [Protecting S3 table data with encryption](./s3-tables-encryption.html). + + 8. Choose **Create bucket**. @@ -57,0 +81,12 @@ This example shows how to create a table bucket by using the AWS CLI. To use thi + +By default S3 table buckets use SSE-S3 as their default encryption setting, however, you can use the optional `--encryption-configuration` parameter to specify a different encryption type. The following examples shows how to create a bucket that uses SSE-KMS encryption. For more information on encryption settings for table buckets, see [Protecting S3 table data with encryption](./s3-tables-encryption.html). + + + aws s3tables create-table-bucket \ + --region us-east-2 \ + --name amzn-s3-demo-bucket1 + --encryption-configuration '{ + "sseAlgorithm": "aws:kms", + "kmsKeyArn": "arn:aws:kms:Region:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }' + +