AWS IAM documentation change
Summary
Added documentation about S3 directory bucket access points and IAM Access Analyzer's handling of cross-account access point policies.
Security assessment
Expands security documentation around access control analysis but does not indicate resolution of a specific security issue. The changes clarify security best practices for access point configurations.
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-resources.md b/IAM/latest/UserGuide/access-analyzer-resources.md index df27f7bdb..44bcc40c9 100644 --- a//IAM/latest/UserGuide/access-analyzer-resources.md +++ b//IAM/latest/UserGuide/access-analyzer-resources.md @@ -65,0 +66,6 @@ Amazon S3 directory buckets organize data hierarchically into directories as opp +Amazon S3 directory buckets also support access points, which enforce distinct permissions and network controls for all requests made to the directory bucket through the access point. Each access point can have an access point policy that works in conjunction with the bucket policy that is attached to the underlying directory bucket. With access points for directory buckets, you can restrict access to specific prefixes, API actions, or a virtual private cloud (VPC). + +###### Note + +IAM Access Analyzer doesn’t analyze the access point policy attached to cross-account access points because the access point and its policy are outside the analyzer account. IAM Access Analyzer generates a public finding when a bucket delegates access to a cross-account access point and Block Public Access is not enabled on the bucket or account. When you enable Block Public Access, the public finding is resolved and IAM Access Analyzer generates a cross-account finding for the cross-account access point. +