AWS AmazonS3 documentation change
Summary
Added note about IAM policy requirements and expanded SecureTransport policy example
Security assessment
The changes emphasize the need for explicit IAM policies even when using root delegation and provide a concrete example of enforcing HTTPS. While security-related, there is no evidence this addresses an active vulnerability rather than general security guidance.
Diff
diff --git a/AmazonS3/latest/userguide/security_iam_service-with-iam.md b/AmazonS3/latest/userguide/security_iam_service-with-iam.md index 4df64f718..9ae63ef51 100644 --- a//AmazonS3/latest/userguide/security_iam_service-with-iam.md +++ b//AmazonS3/latest/userguide/security_iam_service-with-iam.md @@ -78,0 +79,4 @@ The following are examples. +###### Note + +The examples above grant permissions to the root user, which delegates permissions to the account level. However, IAM policies are still required on the specific roles and users in the account. + @@ -125 +129,6 @@ The following example blocks access if a secure transport protocol isn’t used: - {"Effect": "Deny", + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DenyBucketAccessIfSTPNotUsed", + "Effect": "Deny", @@ -128 +137 @@ The following example blocks access if a secure transport protocol isn’t used: - "Resource": <bucket ARN>, + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket", @@ -130 +139,4 @@ The following example blocks access if a secure transport protocol isn’t used: - "Boolean": { "aws:SecureTransport" : "false"} + "Bool": { + "aws:SecureTransport": "false" + } + } @@ -131,0 +144 @@ The following example blocks access if a secure transport protocol isn’t used: + ]