AWS AmazonS3 high security documentation change
Summary
Added new IAM condition key 's3express:AllAccessRestrictedToLocalZoneGroup' and example policies to restrict access to Local Zone network border groups
Security assessment
Introduces a security control mechanism to enforce network perimeter restrictions via IAM policies, explicitly preventing access from outside specified Local Zones. The condition key and example policies directly address potential data exfiltration risks by limiting request origins.
Diff
diff --git a/AmazonS3/latest/userguide/iam-directory-bucket-LZ.md b/AmazonS3/latest/userguide/iam-directory-bucket-LZ.md index 3739e5e40..17c64b16b 100644 --- a//AmazonS3/latest/userguide/iam-directory-bucket-LZ.md +++ b//AmazonS3/latest/userguide/iam-directory-bucket-LZ.md @@ -5 +5 @@ -Resources +ResourcesCondition keys for directory buckets in Local ZonesExample policies @@ -19,0 +20,126 @@ For directory buckets in a Local Zone, the Zone ID is the ID of the Local Zone. +## Condition keys for directory buckets in Local Zones + +In Local Zones, you can use all the [Condition keys for directory buckets](./s3-express-security-iam.html#s3-express-security-iam-condition-keys) in your IAM policies. Additionally, to create a data perimeter around your Local Zone network border groups, you can use the condition key `s3express:AllAccessRestrictedToLocalZoneGroup` to deny all requests from outside the groups. + +The following condition key can be used to further refine the conditions under which an IAM policy statement applies. For a complete list of API operations, policy actions, and condition keys that are supported by directory buckets, see [Policy actions for directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html#s3-express-security-iam-actions). + +###### Note + +The following condition key only applies to Local Zones and isn't supported in Availability Zones and AWS Regions. + +API operations | Policy actions | Description | Condition key | Description | Type +---|---|---|---|---|--- +[Zonal endpoint API operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-APIs.html) | `s3express:CreateSession` | Grants permission to create a session token, which is used for granting access to all Zonal endpoint API operations, such as `CreateSession`, `HeadBucket`, `CopyObject`, `PutObject`, and `GetObject`. | `s3express:AllAccessRestrictedToLocalZoneGroup` | Filters all access to the bucket unless the request originates from the AWS Local Zone network border groups provided in this condition key. **Values:** Local Zone network border group value | `String` + +## Example policies + +To restrict object access to requests from within a data residency boundary that you define (specifically, a Local Zone Group which is a set of Local Zones parented to the same AWS Region), you can set any of the following policies: + + * The service control policy (SCP). For information about SCPs, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the _AWS Organizations User Guide_. + + * The IAM identity-based policy for the IAM role. + + * The VPC endpoint policy. For more information about the VPC endpoint policies, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the _AWS PrivateLink Guide_. + + * The S3 bucket policy. + + + + +###### Note + +The condition key `s3express:AllAccessRestrictedToLocalZoneGroup` doesn't support access from an on-premises environment. To support the access from an on-premises environment, you must add the source IP to the policies. For more information, see [aws:SourceIp](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip) in the IAM User Guide. + +###### Example – SCP policy + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Access-to-specific-LocalZones-only", + "Effect": "Deny", + "Action": [ + "s3express:*", + ], + "Resource": "*", + "Condition": { + "StringNotEqualsIfExists": { + "s3express:AllAccessRestrictedToLocalZoneGroup": [ + "local-zone-network-border-group-value" + ] + } + } + } + ] + } + + +###### Example – IAM identity-based policy (attached to IAM role) + + + { + "Version": "2012-10-17", + "Statement": { + "Effect": "Deny", + "Action": "s3express:CreateSession", + "Resource": "*", + "Condition": { + "StringNotEqualsIfExists": { + "s3express:AllAccessRestrictedToLocalZoneGroup": [ + "local-zone-network-border-group-value" + ] + } + } + } + } + + +###### Example – VPC endpoint policy + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Access-to-specific-LocalZones-only", + "Principal": "*", + "Action": "s3express:CreateSession", + "Effect": "Deny", + "Resource": "*", + "Condition": { + "StringNotEqualsIfExists": { + "s3express:AllAccessRestrictedToLocalZoneGroup": [ + "local-zone-network-border-group-value" + ] + } + } + } + ] + } + + +###### Example – bucket policy + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Access-to-specific-LocalZones-only", + "Principal": "*", + "Action": "s3express:CreateSession", + "Effect": "Deny", + "Resource": "*", + "Condition": { + "StringNotEqualsIfExists": { + "s3express:AllAccessRestrictedToLocalZoneGroup": [ + "local-zone-network-border-group-value" + ] + } + } + } + ] + } + +