AWS Security ChangesHomeSearch

AWS AmazonS3 high security documentation change

Service: AmazonS3 · 2025-05-31 · Security-related high

File: AmazonS3/latest/userguide/amazon-s3-policy-keys.md

Summary

Added documentation about service-to-service call context redaction and policy configuration guidance to avoid blocking AWS service principals

Security assessment

Addresses a potential security misconfiguration where Deny policies using network condition keys could block AWS service-to-service communications. Provides explicit guidance to prevent service disruption while maintaining security controls (HTTPS enforcement). This directly mitigates a security risk of unintended access denial to AWS services.

Diff

diff --git a/AmazonS3/latest/userguide/amazon-s3-policy-keys.md b/AmazonS3/latest/userguide/amazon-s3-policy-keys.md
index 753bcd298..cba42be7c 100644
--- a//AmazonS3/latest/userguide/amazon-s3-policy-keys.md
+++ b//AmazonS3/latest/userguide/amazon-s3-policy-keys.md
@@ -190,0 +191,19 @@ You can use the `s3:TlsVersion` condition key to write IAM, virtual private clou
+###### Note
+
+When AWS services make calls to other AWS services on your behalf (service-to-service calls), certain network-specific authorization context is redacted, including `s3:TlsVersion`, `aws:SecureTransport`, `aws:SourceIp`, and `aws:VpcSourceIp`. If your policy uses these condition keys with `Deny` statements, AWS service principals might be unintentionally blocked. To allow AWS services to work properly while maintaining your security requirements, exclude service principals from your `Deny` statements by adding the `aws:PrincipalIsAWSService` condition key with a value of `false`. For example:
+    
+    
+    {
+      "Effect": "Deny",
+      "Action": "s3:*",
+      "Resource": "*",
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false",
+          "aws:PrincipalIsAWSService": "false"
+        }
+      }
+    }
+
+This policy denies access to S3 operations when HTTPS is not used (`aws:SecureTransport` is false), but only for non-AWS service principals. This ensures your conditional restrictions apply to all principals except AWS service principals.
+