AWS securityhub medium security documentation change
Summary
Added notes about S3 bucket policy condition restrictions for public access controls
Security assessment
The additions emphasize security requirements for S3 bucket policies, specifically that wildcards/variables in conditions will fail security checks. This helps prevent accidental public exposure of S3 data through overly permissive policies.
Diff
diff --git a/securityhub/latest/userguide/s3-controls.md b/securityhub/latest/userguide/s3-controls.md index b6f5cb968..1ac06693a 100644 --- a//securityhub/latest/userguide/s3-controls.md +++ b//securityhub/latest/userguide/s3-controls.md @@ -69,0 +70,4 @@ This control checks whether an Amazon S3 general purpose bucket permits public r +###### Note + +If an S3 bucket has a bucket policy, this control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the bucket policy must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _AWS Identity and Access Management User Guide_. + @@ -93,0 +98,4 @@ This control checks whether an Amazon S3 general purpose bucket permits public w +###### Note + +If an S3 bucket has a bucket policy, this control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the bucket policy must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _AWS Identity and Access Management User Guide_. +