AWS vpc high security documentation change
Summary
Modified S3 bucket policy handling for flow logs: appends policies instead of overwriting, updated policy examples with concrete values, and reduced required permissions
Security assessment
Changing from overwriting to appending policies prevents accidental removal of existing security policies. Removing 's3:ListBucket' permission reduces attack surface. Hardcoded example ARNs improve policy specificity. These changes directly address potential misconfiguration risks.
Diff
diff --git a/vpc/latest/tgw/flow-logs-s3.md b/vpc/latest/tgw/flow-logs-s3.md index c69416db6..48b92d1b8 100644 --- a//vpc/latest/tgw/flow-logs-s3.md +++ b//vpc/latest/tgw/flow-logs-s3.md @@ -133 +133 @@ By default, Amazon S3 buckets and the objects they contain are private. Only the -If the user creating the flow log owns the bucket and has `PutBucketPolicy` and `GetBucketPolicy` permissions for the bucket, we automatically attach the following policy to the bucket. This policy overwrites any existing policy attached to the bucket. +If the user creating the flow log owns the bucket and has `PutBucketPolicy` and `GetBucketPolicy` permissions for the bucket, we automatically attach the following policy to the bucket. This new auto-generated policy is appended to the original policy. @@ -146 +146 @@ Otherwise, the bucket owner must add this policy to the bucket, specifying the A - "Resource": "my-s3-arn", + "Resource": "arn:aws:s3:::bucket_name/*", @@ -150 +150 @@ Otherwise, the bucket owner must add this policy to the bucket, specifying the A - "aws:SourceAccount": account_id + "aws:SourceAccount": "123456789012" @@ -153 +153 @@ Otherwise, the bucket owner must add this policy to the bucket, specifying the A - "aws:SourceArn": "arn:aws:logs:region:account_id:*" + "aws:SourceArn": "arn:aws:logs:region:123456789012:*" @@ -161 +161 @@ Otherwise, the bucket owner must add this policy to the bucket, specifying the A - "Action": ["s3:GetBucketAcl", "s3:ListBucket"], + "Action": ["s3:GetBucketAcl"], @@ -165 +165 @@ Otherwise, the bucket owner must add this policy to the bucket, specifying the A - "aws:SourceAccount": account_id + "aws:SourceAccount": "123456789012" @@ -168 +168 @@ Otherwise, the bucket owner must add this policy to the bucket, specifying the A - "aws:SourceArn": "arn:aws:logs:region:account_id:*" + "aws:SourceArn": "arn:aws:logs:region:123456789012:*"