AWS AmazonS3 medium security documentation change
Summary
Restructured SSE-KMS permissions section with detailed requirements for KMS key policies and IAM permissions
Security assessment
The changes explicitly document required KMS permissions for service principals (metadata.s3.amazonaws.com and maintenance.s3tables.amazonaws.com) to prevent encryption/decryption failures. Missing these permissions could lead to data access issues, making this a security-related documentation improvement to prevent misconfigurations.
Diff
diff --git a/AmazonS3/latest/userguide/metadata-tables-permissions.md b/AmazonS3/latest/userguide/metadata-tables-permissions.md index 7b5e275d7..6b9608a52 100644 --- a//AmazonS3/latest/userguide/metadata-tables-permissions.md +++ b//AmazonS3/latest/userguide/metadata-tables-permissions.md @@ -37 +37 @@ For detailed information about all table and table bucket permissions, see [Acce - * If you also want to integrate your table bucket with AWS analytics services so that you can query your metadata table, you need additional permissions. For more information, see [ Integrating Amazon S3 Tables with AWS analytics services](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html). +If you also want to integrate your table bucket with AWS analytics services so that you can query your metadata table, you need additional permissions. For more information, see [Integrating Amazon S3 Tables with AWS analytics services](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html). @@ -39 +39 @@ For detailed information about all table and table bucket permissions, see [Acce - * If your table bucket is using server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) you also need `kms:GenerateDataKey` and `kms:Decrypt` permissions. Additionally you need to grant permission for the `metadata.s3.amazonaws.com` and `maintenance.s3tables.amazonaws.com` service principals to access your KMS key. For more information, see [ Granting the S3 Metadata service principal permissions to use your KMS key ](./s3-tables-kms-permissions.html#tables-kms-metadata-permissions). +###### Permissions for SSE-KMS @@ -40,0 +41 @@ For detailed information about all table and table bucket permissions, see [Acce +To access S3 table buckets or S3 tables that are using server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS), you need to include additional permissions. @@ -41,0 +43 @@ For detailed information about all table and table bucket permissions, see [Acce + 1. The user or IAM role needs the following permissions. You can grant these permissions by using the IAM console - [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). @@ -42,0 +45,20 @@ For detailed information about all table and table bucket permissions, see [Acce + 1. `s3tables:PutTableEncryption` to configure table encryption + + 2. `s3tables:PutTableBucketEncryption` to configure table bucket encryption + + 3. `kms:DescribeKey` on the AWS KMS key used + + 2. On the resource policy for the KMS key, you need the following permissions. You can grant these permissions by using the KMS console - [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms). + + 1. `kms:GenerateDataKey` permission to `metadata.s3.amazonaws.com` and `maintenance.s3tables.amazonaws.com` + + 2. `kms:Decrypt` permission to `metadata.s3.amazonaws.com` and `maintenance.s3tables.amazonaws.com` + + 3. `kms:DescribeKey` permission to the invoking AWS principal + + + + +For more information on granting the necessary permissions to the S3 Metadata service, see the documentation on [Granting the S3 Metadata service principal permissions to use your KMS key](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-permissions.html#metadata-tables-permissions-kms). + +###### Example policy