AWS omics medium security documentation change
Summary
Added detailed S3 access policy requirements and security controls for sequence store data
Security assessment
Introduces explicit security controls for S3 bucket policies including supported condition keys and policy elements. Restricts policy updates to prevent over-permissive access, directly addressing potential misconfiguration vulnerabilities.
Diff
diff --git a/omics/latest/dev/s3-sharing.md b/omics/latest/dev/s3-sharing.md index e00d127d9..59622e727 100644 --- a//omics/latest/dev/s3-sharing.md +++ b//omics/latest/dev/s3-sharing.md @@ -23,0 +24,9 @@ There are three ways to share the capability of reading objects using the Amazon +###### Topics + + * Policy based sharing + + * Example Restriction + + + + @@ -25,0 +35,32 @@ There are three ways to share the capability of reading objects using the Amazon +If you access sequence store data using a direct S3 URI, HealthOmics provides enhanced security measures for the associated S3 bucket access policy. + +The following rules apply to new S3 access policies. For existing policies, the rules apply when you next update the policy: + + * The S3 access policies support the following [ policy elements](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) + + * Version, Id, Statement, Sid, Effect, Principal, Action, Resource, Condition + + * The S3 access policies support the following [condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-policy-keys): + + * s3:ExistingObjectTag/`key`, s3:TlsVersion, s3:prefix, s3:signatureversion + + + + +If you try to add or update a policy to include an unsupported element or condition, the system rejects the request. + +###### Topics + + * Default S3 access policy + + * Customizing the access policy + + * IAM policy + + * Tag-based access control + + + + +### Default S3 access policy + @@ -57,0 +99,2 @@ When you create a sequence store, HealthOmics creates a default S3 access policy +### Customizing the access policy + @@ -60 +103,3 @@ If the S3 access policy is blank, no S3 access is allowed. If there is an existi -If a customer wants to add restrictions on the sharing or grant access to other accounts, you can update the policy using the `PutS3AccessPolicy` API. Updates to the policy can't go beyond the prefix for the sequence store or the actions specified. +To add restrictions on the sharing or to grant access to other accounts, you can update the policy using the `PutS3AccessPolicy` API. Updates to the policy can't go beyond the prefix for the sequence store or the actions specified. + +### IAM policy @@ -83 +128 @@ The following example gives a user access to a sequence store. You can fine-tune - "s3:DataAccessPointArn": "arn:aws:s3:us-west-2:555555555555:accesspoint/592761533288-4891675750" + "s3:prefix": "111111111111/sequenceStore/1234567890/*" @@ -89,0 +135,2 @@ The following example gives a user access to a sequence store. You can fine-tune +### Tag-based access control +