AWS config high security documentation change
Summary
Added note requiring fixed values in S3 bucket policies
Security assessment
Addresses risk of public write access through policy variables that could lead to data modification risks
Diff
diff --git a/config/latest/developerguide/s3-bucket-public-write-prohibited.md b/config/latest/developerguide/s3-bucket-public-write-prohibited.md index 093ec58b0..96124b7c6 100644 --- a//config/latest/developerguide/s3-bucket-public-write-prohibited.md +++ b//config/latest/developerguide/s3-bucket-public-write-prohibited.md @@ -32,0 +33,4 @@ This rule does not evaluate changes to account level public block access. To che +###### Note + +To be considered non-public, an S3 bucket policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables). +