AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2025-04-28 · Security-related medium

File: AmazonS3/latest/userguide/access-points-directory-buckets-policies.md

Summary

Updated access point policy examples and documentation, including ARN format clarification, policy condition operator changes, simplified permissions list, and delegation best practices.

Security assessment

The change from 'StringNotEquals' to 'StringNotEqualsIfExists' in Example 2's policy condition prevents unintended access when the 'aws:SourceVpc' context key is absent, addressing a potential misconfiguration risk. The delegation guidance promotes security best practices by shifting access control to access point policies.

Diff

diff --git a/AmazonS3/latest/userguide/access-points-directory-buckets-policies.md b/AmazonS3/latest/userguide/access-points-directory-buckets-policies.md
index 8c3a171cc..5c39b46fd 100644
--- a//AmazonS3/latest/userguide/access-points-directory-buckets-policies.md
+++ b//AmazonS3/latest/userguide/access-points-directory-buckets-policies.md
@@ -21 +21,7 @@ To learn more about validating policies by using IAM Access Analyzer, see [IAM A
-The following examples demonstrate how to create access point policies to control requests made through an access point for directory buckets.
+The following access point policies demonstrate how to control requests to a directory bucket. Access point policies require bucket ARNs or access point ARNs. Access point aliases are not supported in policies. Following is an example of an access point ARN:
+    
+    
+      arn:aws:s3express:region:account-id:accesspoint/myaccesspoint--zoneID--xa-s3
+            
+
+You can view the access point ARN in the details of an access point. For more information, see [View details for your access points for directory buckets](./access-points-directory-buckets-details.html).
@@ -55 +61 @@ The following service control policy requires all new access points are to be cr
-###### Example 2 – Bucket policy to limit S3 operations through access points to VPC network origins
+###### Example 2 – Access point policy to limit bucket access to access points with VPC network origin
@@ -57 +63 @@ The following service control policy requires all new access points are to be cr
-The following bucket policy limits access to all S3 object operations for the bucket ``amzn-s3-demo-bucket`` from an access point with a VPC networking origin.
+The following access point policy limits all access to the bucket `amzn-s3-demo-bucket--zoneID--x-s3` to an access point with a VPC networking origin.
@@ -67 +73 @@ The following bucket policy limits access to all S3 object operations for the bu
-             "Resource": "arn:aws:s3express:us-west-2:123456789012:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3",
+                "Resource": "arn:aws:s3express:region:111122223333:bucket/amzn-s3-demo-bucket--zoneID--x-s3",
@@ -69 +75 @@ The following bucket policy limits access to all S3 object operations for the bu
-                "StringNotEquals": {
+                    "StringNotEqualsIfExists": {
@@ -74,0 +81 @@ The following bucket policy limits access to all S3 object operations for the bu
+    }                
@@ -79 +86 @@ The following bucket policy limits access to all S3 object operations for the bu
-Access points for directory buckets have condition keys that you can use in IAM policies to control access to your resources. The following condition keys represent only part of an IAM policy. For full policy examples, see [Policy examples for access points for general purpose buckets](./access-points-policies.html#access-points-policy-examples), [Delegating access control to access points](./access-points-policies.html#access-points-delegating-control), and [Granting permissions for cross-account access points](./access-points-policies.html#access-points-cross-account). 
+Access points for directory buckets have condition keys that you can use in IAM policies to control access to your resources. The following condition keys represent only part of an IAM policy. For full policy examples, see Access points for directory buckets policy examples, Delegating access control to access points, and Granting permissions for cross-account access points. 
@@ -84 +91 @@ Access points for directory buckets have condition keys that you can use in IAM
-AWS SDK operations require you to use the ARN for object requests. This example shows a string that you can use to match on an access point ARN. The following example matches all access points for AWS account `111122223333` in Region `us-west-2`:
+This example shows how to filter access by the Amazon resource name (ARN) of an access point and matches all access points for AWS account `111122223333` in Region `region`:
@@ -89 +96 @@ AWS SDK operations require you to use the ARN for object requests. This example
-            "s3express:DataAccessPointArn": "arn:aws:s3express:us-west-2:111122223333:accesspoint/*"
+            "s3express:DataAccessPointArn": "arn:aws:s3express:region:111122223333:accesspoint/*"
@@ -120,36 +127 @@ This example shows a string operator that you can use to match on the network or
-You can use `s3express:Permissions` in bucket policies and access point policies. access point policies don't support `SessionMode`. These values are the S3 GP permission names used in IAM policies. They map to API operations. Valid values are as follows:
-
-  * `PutObject`
-
-  * `GetObject`
-
-  * `DeleteObject`
-
-  * `ListBucket`
-
-  * `GetObjectAttributes`
-
-  * `AbortMultipartUpload`
-
-  * `ListBucketMultipartUploads`
-
-  * `ListMultipartUploadParts`
-
-
-
-
-For bucket policies that use `SesssionMode`, the values of `s3express:Permissions` map to read-only and read-write actions as follows:
-
-  * `ReadOnly` actions
-
-    * `GetObject`
-
-    * `ListBucket`
-
-    * `GetObjectAttributes`
-
-    * `ListBucketMultipartUploads`
-
-    * `ListMultipartUploadParts`
-
-  * `ReadWrite` actions
+You can use `s3express:Permissions` to restrict access to specific API operations in access point scope. The following API operations are supported:
@@ -163 +135 @@ For bucket policies that use `SesssionMode`, the values of `s3express:Permission
-    * `ListBucket`
+  * `ListBucket` (required for `ListObjectsV2`)
@@ -186 +158 @@ For more information about the required permissions to S3 API operations by S3 r
-You can delegate access control for a bucket to the bucket's access points. The following example bucket policy allows full access to all access points that are owned by the bucket owner's account. After applying the policy, all access to this bucket is controlled by the policies attached to its access points. We recommend configuring your buckets this way for all use cases that don't require direct access to the bucket.
+You can delegate access control from the bucket policy to the access point policy. The following example bucket policy allows full access to all access points that are owned by the bucket owner's account. After applying the policy, all access to this bucket is controlled by access point policies. We recommend configuring your buckets this way for all use cases that don't require direct access to the bucket.