AWS AmazonS3 high security documentation change
Summary
Added documentation about service-to-service call context redaction and policy configuration guidance to avoid blocking AWS service principals
Security assessment
Addresses a potential security misconfiguration where Deny policies using network condition keys could block AWS service-to-service communications. Provides explicit guidance to prevent service disruption while maintaining security controls (HTTPS enforcement). This directly mitigates a security risk of unintended access denial to AWS services.
Diff
diff --git a/AmazonS3/latest/userguide/amazon-s3-policy-keys.md b/AmazonS3/latest/userguide/amazon-s3-policy-keys.md index 753bcd298..cba42be7c 100644 --- a//AmazonS3/latest/userguide/amazon-s3-policy-keys.md +++ b//AmazonS3/latest/userguide/amazon-s3-policy-keys.md @@ -190,0 +191,19 @@ You can use the `s3:TlsVersion` condition key to write IAM, virtual private clou +###### Note + +When AWS services make calls to other AWS services on your behalf (service-to-service calls), certain network-specific authorization context is redacted, including `s3:TlsVersion`, `aws:SecureTransport`, `aws:SourceIp`, and `aws:VpcSourceIp`. If your policy uses these condition keys with `Deny` statements, AWS service principals might be unintentionally blocked. To allow AWS services to work properly while maintaining your security requirements, exclude service principals from your `Deny` statements by adding the `aws:PrincipalIsAWSService` condition key with a value of `false`. For example: + + + { + "Effect": "Deny", + "Action": "s3:*", + "Resource": "*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false", + "aws:PrincipalIsAWSService": "false" + } + } + } + +This policy denies access to S3 operations when HTTPS is not used (`aws:SecureTransport` is false), but only for non-AWS service principals. This ensures your conditional restrictions apply to all principals except AWS service principals. +