AWS AmazonS3 documentation change
Summary
Expanded enhanced access denied error messages to include same-organization requests via AWS Organizations, added rollout date (June 16, 2025), clarified limitations for VPC endpoint policies and object ownership scenarios, and standardized capitalization/formatting for Object Ownership settings.
Security assessment
The changes improve documentation for troubleshooting access control issues and emphasize security best practices (e.g., recommending 'Bucket owner enforced' mode to disable ACLs). While they enhance clarity for secure configurations, there is no explicit evidence of addressing a specific security vulnerability.
Diff
diff --git a/AmazonS3/latest/userguide/troubleshoot-403-errors.md b/AmazonS3/latest/userguide/troubleshoot-403-errors.md index 25b8f8057..6aee5c50e 100644 --- a//AmazonS3/latest/userguide/troubleshoot-403-errors.md +++ b//AmazonS3/latest/userguide/troubleshoot-403-errors.md @@ -61 +61,5 @@ If you're trying to troubleshoot a permissions issue, start with the Access deni -Amazon S3 now includes additional context in access denied (HTTP `403 Forbidden`) errors for requests made to resources within the same AWS account. This new context includes the type of policy that denied access, the reason for denial, and information about the IAM user or role that requested access to the resource. +###### Important + +In the coming weeks, starting on June 16, 2025, Amazon S3 will begin providing enhanced access denied error messages for requests made to resources in accounts within the same organization in AWS Organizations. These messages will be available in all AWS Regions, including the AWS GovCloud (US) Regions and the China Regions. + +Amazon S3 now includes additional context in access denied (HTTP `403 Forbidden`) errors for requests made to resources within the same AWS account or same organization in AWS Organizations. This new context includes the type of policy that denied access, the reason for denial, and information about the IAM user or role that requested access to the resource. @@ -63 +67 @@ Amazon S3 now includes additional context in access denied (HTTP `403 Forbidden` -This additional context helps you to troubleshoot access issues, identify the root cause of access denied errors, and fix incorrect access controls by updating the relevant policies. This additional context is also available in AWS CloudTrail logs. Enhanced access denied error messages for same-account requests are now available in all AWS Regions, including the AWS GovCloud (US) Regions and the China Regions. +This additional context helps you to troubleshoot access issues, identify the root cause of access denied errors, and fix incorrect access controls by updating the relevant policies. This additional context is also available in AWS CloudTrail logs. Enhanced access denied error messages for same-account or same-organization requests are now available in all AWS Regions, including the AWS GovCloud (US) Regions and the China Regions. @@ -71 +75 @@ When a policy explicitly denies access because the policy contains a `Deny` stat - * Enhanced access denied messages are returned only for same-account requests. Cross-account requests return a generic `Access Denied` message. + * Enhanced access denied messages are returned only for same-account requests or for requests within the same organization in AWS Organizations. Cross-account requests outside of the same organization return a generic `Access Denied` message. @@ -74,0 +79,6 @@ For information about the policy evaluation logic that determines whether a cros + * For requests within the same organization in AWS Organizations: + + * Enhanced access denied messages aren't returned if a denial occurs because of a virtual private cloud (VPC) endpoint policy. + + * For requests made on an object, enhanced access denied messages are returned only if the bucket owner and the object owner are in the same organization. If the S3 Object Ownership setting for a bucket is set to **Bucket owner preferred** or **Object writer** , the bucket owner might not own all objects in the bucket. In that case, enhanced access denied messages might not be returned for some objects. For more information about Object Ownership, see [Controlling ownership of objects and disabling ACLs for your bucket](./about-object-ownership.html). + @@ -423 +433 @@ When checking your ACL settings, first [review your Object Ownership setting](ht -### The Object Ownership setting is set to bucket owner enforced +### The Object Ownership setting is set to Bucket owner enforced @@ -425 +435 @@ When checking your ACL settings, first [review your Object Ownership setting](ht -If the bucket owner enforced setting is enabled, then ACL settings are unlikely to cause an Access Denied (403 Forbidden) error because this setting disables all ACLs that apply to bucket and objects. Bucket owner enforced is the default (and recommended) setting for Amazon S3 buckets. +If the **Bucket owner enforced** setting is enabled, then ACL settings are unlikely to cause an Access Denied (403 Forbidden) error because this setting disables all ACLs that apply to bucket and objects. **Bucket owner enforced** is the default (and recommended) setting for Amazon S3 buckets. @@ -427 +437 @@ If the bucket owner enforced setting is enabled, then ACL settings are unlikely -### The Object Ownership setting is set to bucket owner preferred or object writer +### The Object Ownership setting is set to Bucket owner preferred or Object writer @@ -429 +439 @@ If the bucket owner enforced setting is enabled, then ACL settings are unlikely -ACL permissions are still valid with the bucket owner preferred setting or the object writer setting. There are two kinds of ACLs: bucket ACLs and object ACLs. For the differences between these two types of ACLs, see [Mapping of ACL permissions and access policy permissions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#acl-access-policy-permission-mapping). +ACL permissions are still valid with the **Bucket owner preferred** setting or the **Object writer** setting. There are two kinds of ACLs: bucket ACLs and object ACLs. For the differences between these two types of ACLs, see [Mapping of ACL permissions and access policy permissions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#acl-access-policy-permission-mapping). @@ -454 +464 @@ After you've confirmed that the object owner is different from the bucket owner, - * **Disable ACLs (recommended)** – This method will apply to all objects and can be performed by the bucket owner. This method automatically gives the bucket owner ownership and full control over every object in the bucket. Before you implement this method, check the [prerequisites for disabling ACLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-migrating-acls-prerequisites.html). For information about how to set your bucket to bucket owner enforced (recommended) mode, see [Setting Object Ownership on an existing bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-existing-bucket.html). + * **Disable ACLs (recommended)** – This method will apply to all objects and can be performed by the bucket owner. This method automatically gives the bucket owner ownership and full control over every object in the bucket. Before you implement this method, check the [prerequisites for disabling ACLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-migrating-acls-prerequisites.html). For information about how to set your bucket to **Bucket owner enforced** (recommended) mode, see [Setting Object Ownership on an existing bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-existing-bucket.html). @@ -466 +476 @@ To change the object's ownership, do one of the following: - * You can change the Object Ownership setting of the bucket to bucket owner preferred. If versioning is disabled, the objects in the bucket are overwritten. If versioning is enabled, duplicate versions of the same object will appear in the bucket, which the bucket owner can [set a lifecycle rule to expire](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html). For instructions on how to change your Object Ownership setting, see [Setting Object Ownership on an existing bucket](./object-ownership-existing-bucket.html). + * You can change the Object Ownership setting of the bucket to **Bucket owner preferred**. If versioning is disabled, the objects in the bucket are overwritten. If versioning is enabled, duplicate versions of the same object will appear in the bucket, which the bucket owner can [set a lifecycle rule to expire](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html). For instructions on how to change your Object Ownership setting, see [Setting Object Ownership on an existing bucket](./object-ownership-existing-bucket.html). @@ -470 +480 @@ To change the object's ownership, do one of the following: -When you update your Object Ownership setting to bucket owner preferred, the setting is only applied to new objects that are uploaded to the bucket. +When you update your Object Ownership setting to **Bucket owner preferred** , the setting is applied only to new objects that are uploaded to the bucket. @@ -604 +614 @@ If you're accessing Amazon S3 by using a virtual private cloud (VPC) endpoint, m -If your AWS account belongs to an organization, AWS Organizations policies can block you from accessing Amazon S3 resources. By default, AWS Organizations policies don't block any requests to Amazon S3. However, make sure that your AWS Organizations policies haven’t been configured to block access to S3 buckets. For instructions on how to check your AWS Organizations policies, see the following resources: +If your AWS account belongs to an organization, AWS Organizations policies can block you from accessing Amazon S3 resources. By default, AWS Organizations policies don't block any requests to Amazon S3. However, make sure that your AWS Organizations policies haven't been configured to block access to S3 buckets. For instructions on how to check your AWS Organizations policies, see the following resources: @@ -617 +627 @@ If your AWS account belongs to an organization, AWS Organizations policies can b -Additionally, if you incorrectly configured your bucket policy for a member account to deny all users access to your S3 bucket, you can unlock the bucket by launching a privileged session for the member account in IAM. Once you launch a privileged session, you can delete the misconfigured bucket policy to regain access to the bucket. For more information, see [Perform a privileged task on an AWS Organizations member account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user-privileged-task.html) in the _AWS Identity and Access Management User Guide_. +Additionally, if you incorrectly configured your bucket policy for a member account to deny all users access to your S3 bucket, you can unlock the bucket by launching a privileged session for the member account in IAM. After you launch a privileged session, you can delete the misconfigured bucket policy to regain access to the bucket. For more information, see [Perform a privileged task on an AWS Organizations member account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user-privileged-task.html) in the _AWS Identity and Access Management User Guide_.