AWS transform high security documentation change
Summary
Added Important note about S3 bucket created during discovery account connection lacking SecureTransport by default, requiring manual policy update for TLS enforcement.
Security assessment
The change highlights a security-relevant configuration gap where S3 buckets created automatically do not enforce HTTPS by default. This directly addresses a potential data-in-transit security risk by informing users to enable SecureTransport.
Diff
diff --git a/transform/latest/userguide/data-encryption.md b/transform/latest/userguide/data-encryption.md index 9804e94be..c14350e46 100644 --- a//transform/latest/userguide/data-encryption.md +++ b//transform/latest/userguide/data-encryption.md @@ -108 +108,5 @@ This allows AWS Transform to do the following: -All communication between customers and AWS Transform and between AWS Transform and its downstream dependencies is protected using TLS 1.2 or higher connections. +Communication between customers and AWS Transform and between AWS Transform and its downstream dependencies is protected using TLS 1.2 or higher connections. + +###### Important + +When you [Connect a discovery account](https://docs.aws.amazon.com/transform-vmware-connect-discovery-account.html), AWS Transform creates an Amazon S3 bucket on your behalf in that account. That bucket does not have `SecureTransport` enabled by default. If you want the bucket policy to include secure transport you must update the policy. For more information, see [Security best practices for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html).