AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-04-28 · Documentation low

File: AmazonS3/latest/userguide/opt-in-directory-bucket-lz.md

Summary

Added documentation about account enablement requirements and default security configurations (S3 Block Public Access, Object Ownership) for Dedicated Local Zones

Security assessment

Documents security best practices (default public access restrictions) and references the security-focused condition key, but does not resolve a specific vulnerability. The changes emphasize existing security posture rather than addressing new risks.

Diff

diff --git a/AmazonS3/latest/userguide/opt-in-directory-bucket-lz.md b/AmazonS3/latest/userguide/opt-in-directory-bucket-lz.md
index 58861bfb0..55bf0c222 100644
--- a//AmazonS3/latest/userguide/opt-in-directory-bucket-lz.md
+++ b//AmazonS3/latest/userguide/opt-in-directory-bucket-lz.md
@@ -6,0 +7,6 @@
+The following topic describes how accounts are enabled for Dedicated Local Zones.
+
+For all the services in AWS Dedicated Local Zones (Dedicated Local Zones), including Amazon S3, your administrator must enable your AWS account before you can create or access any resource in the Dedicated Local Zone. You can use the [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) API operation to confirm your account ID access to a Local Zone.
+
+To further protect your data in Amazon S3, by default, you only have access to the S3 resources that you create. Buckets in Local Zones have all S3 Block Public Access settings enabled by default and S3 Object Ownership is set to bucket owner enforced. These settings can't be modified. Optionally, to restrict access to only within the Local Zone network border groups, you can use the condition key `s3express:AllAccessRestrictedToLocalZoneGroup` in your IAM policies. For more information, see [Authenticating and authorizing for directory buckets in Local Zones](./iam-directory-bucket-LZ.html).
+