AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-06-19 · Documentation low

File: AmazonS3/latest/userguide/access-grants-location-register.md

Summary

Updated IAM role policy examples for Access Grants and added an IAM Identity Center-specific policy configuration

Security assessment

The changes clarify required IAM policies for secure role assumption and access grants configuration, but there is no evidence of addressing an active security vulnerability. The updates improve documentation around security best practices for service principals and cross-account conditions.

Diff

diff --git a/AmazonS3/latest/userguide/access-grants-location-register.md b/AmazonS3/latest/userguide/access-grants-location-register.md
index 4dac60987..817b45b75 100644
--- a//AmazonS3/latest/userguide/access-grants-location-register.md
+++ b//AmazonS3/latest/userguide/access-grants-location-register.md
@@ -50 +50,27 @@ _TestRolePolicy.json_
-          "Sid": "Stmt1234567891011",
+          "Sid": "TestRolePolicy",
+          "Effect": "Allow",
+          "Principal": {
+            "Service":"access-grants.s3.amazonaws.com"
+          },
+          "Action": [
+            "sts:AssumeRole", 
+            "sts:SetSourceIdentity"
+          ],
+          "Condition": {
+            "StringEquals": {
+              "aws:SourceAccount":"accountId",
+              "aws:SourceArn":"arn:aws:s3:region:accountId:access-grants/default"
+            }
+          }
+        }
+      ]
+    }
+    
+
+Alternatively, for an IAM Identity Center use case, use the following policy which includes a second statement:
+    
+        {
+      "Version": "2012-10-17",
+        "Statement": [
+        {
+          "Sid": "TestRolePolicyIdentityCenter",
@@ -66 +91,0 @@ _TestRolePolicy.json_
-        //Optionally, for an IAM Identity Center use case, add: