AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-04-18 · Documentation medium

File: AmazonS3/latest/userguide/s3-tables-setting-up.md

Summary

Added new encryption-related IAM actions (Put/Get/DeleteTableBucketEncryption, Get/PutTableEncryption) and SSE/KMS condition keys. Updated permission descriptions from 'return' to 'retrieve'.

Security assessment

Introduces documentation for new encryption management capabilities and granular access controls using KMS keys. While security-related, there's no evidence these changes address existing vulnerabilities - they appear to document new security features.

Diff

diff --git a/AmazonS3/latest/userguide/s3-tables-setting-up.md b/AmazonS3/latest/userguide/s3-tables-setting-up.md
index 90c26182a..c3fe06b4c 100644
--- a//AmazonS3/latest/userguide/s3-tables-setting-up.md
+++ b//AmazonS3/latest/userguide/s3-tables-setting-up.md
@@ -69 +69 @@ Action | Description | Access level | Cross-account access
-`s3tables:GetTableBucketPolicy` | Grants permission to return the bucket policy | `Read` | No  
+`s3tables:GetTableBucketPolicy` | Grants permission to retrieve the bucket policy | `Read` | No  
@@ -71 +71 @@ Action | Description | Access level | Cross-account access
-`s3tables:GetTableBucketMaintenanceConfiguration` | Grants permission to return the maintenance configuration for a table bucket | `Read` | Yes   
+`s3tables:GetTableBucketMaintenanceConfiguration` | Grants permission to retrieve the maintenance configuration for a table bucket | `Read` | Yes   
@@ -72,0 +73,3 @@ Action | Description | Access level | Cross-account access
+`s3tables:PutTableBucketEncryption` | Grants permission to add or replace the encryption configuration for a table bucket | `Write` | No  
+`s3tables:GetTableBucketEncryption` | Grants permission to retrieve the encryption configuration for a table bucket | `Read` | No  
+`s3tables:DeleteTableBucketEncryption` | Grants permission to delete the encryption configuration for a table bucket | `Write` | No  
@@ -78 +81 @@ Action | Description | Access level | Cross-account access
-`s3tables:GetTableMaintenanceConfiguration` | Grants permission to return the maintenance configuration for a table | `Read` | Yes  
+`s3tables:GetTableMaintenanceConfiguration` | Grants permission to retrieve the maintenance configuration for a table | `Read` | Yes  
@@ -81 +84 @@ Action | Description | Access level | Cross-account access
-`s3tables:GetTablePolicy` | Grants permission to return the table policy | `Read` | No  
+`s3tables:GetTablePolicy` | Grants permission to retrieve the table policy | `Read` | No  
@@ -90,0 +94,2 @@ Action | Description | Access level | Cross-account access
+`s3tables:GetTableEncryption ` | Grants permission to retrieve the encryption settings for a table | `Write` | No  
+`s3tables:PutTableEncryption ` | Grants permission to add encryption to a table | `Write` | No  
@@ -109 +114 @@ Condition key | Description | Type
-` s3tables:tableName` |  Filters access by the name of the tables in the table bucket. You can use the `s3tables:tableName` condition key to write IAM, or table bucket policies that restrict user or application access only the tables that meet this name condition.  It's important to note that if you use the `s3tables:tableName` condition key to control access then changes in tables’ name could impact these policies. **Example value:** `"s3tables:tableName":"department*"` | `String`  
+` s3tables:tableName` |  Filters access by the name of the tables in the table bucket. You can use the `s3tables:tableName` condition key to write IAM, or table bucket policies that restrict user or application access to only the tables that meet this name condition.  It's important to note that if you use the `s3tables:tableName` condition key to control access then changes in tables’ name could impact these policies. **Example value:** `"s3tables:tableName":"department*"` | `String`  
@@ -110,0 +116,2 @@ Condition key | Description | Type
+` s3tables:SSEAlgorithm` |  Filters access by the server-side encryption algorithm used to encrypt a table.  You can use the `s3tables:SSEAlgorithm` condition key to write IAM, table, or table bucket policies that restrict user or application access to tables that are encrypted with a certain encryption type. _Example value:_ `"s3tables:SSEAlgorithm":"aws:kms" ` It's important to note that if you use the `s3tables:SSEAlgorithm` condition key to control access, then changes in encryption could impact these policies. | `String`  
+` s3tables:KMSKeyArn` |  Filters access by the AWS KMS key ARN for the key used to encrypt a table You can use the `s3tables:KMSKeyArn` condition key to write IAM, table, or table bucket policies that restrict user or application access to tables that are encrypted with a specific KMS key.  It's important to note that if you use the `s3tables:KMSKeyArn` condition key to control access, then changing your KMS key could impact these policies. | `String`  
@@ -118 +125 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Security for S3 Tables
+Specifying SSE-KMS