AWS Security ChangesHomeSearch

AWS securityhub medium security documentation change

Service: securityhub · 2025-06-04 · Security-related medium

File: securityhub/latest/userguide/s3-controls.md

Summary

Added notes about S3 bucket policy condition restrictions for public access controls

Security assessment

The additions emphasize security requirements for S3 bucket policies, specifically that wildcards/variables in conditions will fail security checks. This helps prevent accidental public exposure of S3 data through overly permissive policies.

Diff

diff --git a/securityhub/latest/userguide/s3-controls.md b/securityhub/latest/userguide/s3-controls.md
index b6f5cb968..1ac06693a 100644
--- a//securityhub/latest/userguide/s3-controls.md
+++ b//securityhub/latest/userguide/s3-controls.md
@@ -69,0 +70,4 @@ This control checks whether an Amazon S3 general purpose bucket permits public r
+###### Note
+
+If an S3 bucket has a bucket policy, this control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the bucket policy must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _AWS Identity and Access Management User Guide_.
+
@@ -93,0 +98,4 @@ This control checks whether an Amazon S3 general purpose bucket permits public w
+###### Note
+
+If an S3 bucket has a bucket policy, this control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the bucket policy must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _AWS Identity and Access Management User Guide_.
+