AWS AmazonS3 documentation change
Summary
Removed references to 'Condition keys for directory buckets' section, updated IAM scope description to focus on directory buckets, restructured actions/ARN documentation, removed detailed condition keys table, and added access point ARN format
Security assessment
The changes restructure documentation about IAM permissions and access controls but do not indicate a security vulnerability fix. The addition of access point ARN formats adds documentation about security-related resource identifiers. Removal of detailed condition keys reduces documentation depth but doesn't indicate a resolved security flaw.
Diff
diff --git a/AmazonS3/latest/userguide/s3-express-security-iam.md b/AmazonS3/latest/userguide/s3-express-security-iam.md index a6000e38e..ff7087140 100644 --- a//AmazonS3/latest/userguide/s3-express-security-iam.md +++ b//AmazonS3/latest/userguide/s3-express-security-iam.md @@ -5 +5 @@ -PrincipalsResourcesActions for directory bucketsCondition keys for directory buckets +PrincipalsResourcesActions for directory buckets @@ -9 +9 @@ PrincipalsResourcesActions for directory bucketsCondition keys for directory buc -AWS Identity and Access Management (IAM) is an AWS service that helps administrators securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon S3 resources in S3 Express One Zone. You can use IAM for no additional charge. +AWS Identity and Access Management (IAM) is an AWS service that helps administrators securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon S3 resources in directory buckets and S3 Express One Zone operations. You can use IAM for no additional charge. @@ -11 +11 @@ AWS Identity and Access Management (IAM) is an AWS service that helps administra -By default, users don't have permissions for directory buckets and S3 Express One Zone operations. To grant access permissions for directory buckets, you can use IAM to create users, groups, or roles and attach permissions to those identities. For more information about IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the _IAM User Guide_. +By default, users don't have permissions for directory buckets. To grant access permissions for directory buckets, you can use IAM to create users, groups, or roles and attach permissions to those identities. For more information about IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the _IAM User Guide_. @@ -34,2 +33,0 @@ For more information about IAM for S3 Express One Zone, see the following topics - * Condition keys for directory buckets - @@ -62,10 +60 @@ For more information, see [Principal](https://docs.aws.amazon.com/IAM/latest/Use -Amazon Resource Names (ARNs) for directory buckets contain the `s3express` namespace, the AWS Region, the AWS account ID, and the directory bucket name, which includes the Availability Zone ID. To access and perform actions on your directory bucket, you must use the following ARN format: - - - arn:aws:s3express:region:account-id:bucket/base-bucket-name--zone-id--x-s3 - -For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) in the _IAM User Guide_. For more information about resources, see [IAM JSON Policy Elements: Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) in the _IAM User Guide_. - -## Actions for directory buckets - -In an IAM identity-based policy or resource-based policy, you define which S3 actions are allowed or denied. Actions correspond to specific API operations. When using directory buckets, you can use the S3 Express One Zone namespace to grant permissions. This namespace is `s3express`. +Amazon Resource Names (ARNs) for directory buckets contain the `s3express` namespace, the AWS Region, the AWS account ID, and the directory bucket name, which includes the AWS Zone ID. (an Availability Zone or Local Zone ID). @@ -73 +62 @@ In an IAM identity-based policy or resource-based policy, you define which S3 ac -When you allow the `s3express:CreateSession` permission, this enables the `CreateSession` API operation to retrieve session tokens when accessing Zonal endpoint API (or object level) operations. These session tokens return credentials that are used to grant access to all of the other Zonal endpoint API operations. As a result, you don't have to grant access permissions to Zonal API operations by using IAM policies. Instead, the session token enables access. For the list of Zonal endpoint API operations and permissions, see [Authenticating and authorizing requests](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-authenticating-authorizing.html). +To access and perform actions on your directory bucket, you must use the following ARN format: @@ -75 +63,0 @@ When you allow the `s3express:CreateSession` permission, this enables the `Creat -For more information about Zonal and Regional endpoint API operations, see [Networking for directory buckets](./s3-express-networking.html). To learn more about the `CreateSession` API operation, see [CreateSession](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html) in the _Amazon Simple Storage Service API Reference_. @@ -77,9 +65 @@ For more information about Zonal and Regional endpoint API operations, see [Netw -You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation with the same name. However, in some cases, a single action controls access to more than one API operation. Access to bucket-level actions can be granted in only IAM identity-based policies (user or role) and not bucket policies. - -###### Note - -If you want to use access points for directory buckets to control access to bucket or object operations, note the following: - - * For using access points to control access to bucket operations, see [Bucket operations in policies for access points for directory buckets](./security_iam_service-with-iam.html#bucket-operations-ap-directory-buckets). - - * For using access points to control access to object operations, see [Object operations in policies for access points for directory buckets](./security_iam_service-with-iam.html#object-operations-ap-directory-buckets). + arn:aws:s3express:region:account-id:bucket/base-bucket-name--zone-id--x-s3 @@ -87 +67 @@ If you want to use access points for directory buckets to control access to buck - * For more information about how to configure access point policies, see [Configuring IAM policies for using access points for directory buckets](./access-points-directory-buckets-policies.html). +To access and perform actions on your access point for a directory bucket, you must use the following ARN format: @@ -89,0 +70 @@ If you want to use access points for directory buckets to control access to buck + arn:aws::s3express:region:account-id:accesspoint/accesspoint-basename--zone-id--xa-s3 @@ -90,0 +72 @@ If you want to use access points for directory buckets to control access to buck +For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) in the _IAM User Guide_. For more information about resources, see [IAM JSON Policy Elements: Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) in the _IAM User Guide_. @@ -92 +74 @@ If you want to use access points for directory buckets to control access to buck -The following table shows actions and condition keys. +## Actions for directory buckets @@ -94,22 +76 @@ The following table shows actions and condition keys. -Action | API | Description | Access level | Condition keys ----|---|---|---|--- -`s3express:CreateBucket` | `CreateBucket` | Grants permission to create a new bucket. | Write | `s3express:authType` `s3express:LocationName` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256` -`s3express:CreateSession` | [Zonal endpoint API operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-APIs.html) | Grants permission to create a session token, which is used for granting access to all Zonal (object-level) API operations, such as `CopyObject`,`PutObject`, `GetObject`, `HeadBucket` and so on. | Write | `s3express:authType` `s3express:SessionMode` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:signatureAge` `s3express:TlsVersion` `s3express:x-amz-content-sha256` `s3express:x-amz-server-side-encryption` `s3express:x-amz-server-side-encryption-aws-kms-key-id` -`s3express:DeleteBucket` | `DeleteBucket` | Grants permission to delete the bucket named in the URI. | Write | `s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256` -`s3express:DeleteBucketPolicy` | `DeleteBucketPolicy` | Grants permission to delete the policy on a specified bucket. | Permissions management | `s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256` -`s3express:GetBucketPolicy` | `GetBucketPolicy` | Grants permission to return the policy of the specified bucket. | Read | `s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256` -`s3express:GetEncryptionConfiguration` | `GetBucketEncryption` | Grants permission to return the default encryption configuration of a directory bucket. | Read | `s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256` -`s3express:ListAllMyDirectoryBuckets` | `ListDirectoryBuckets` | Grants permission to list all directory buckets owned by the authenticated sender of the request. | List | `s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256` -`s3express:PutBucketPolicy` | `PutBucketPolicy` | Grants permission to add or replace a bucket policy on a bucket. | Permissions management | `s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256` -`s3express:PutBucketPolicy` | `PutBucketPolicy` | Grants permission to add or replace a bucket policy on a bucket. | Permissions management | `s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256` -`s3express:PutEncryptionConfiguration` | `PutBucketEncryption` or `DeleteBucketEncryption` | Grants permission to set the encryption configuration for a directory bucket | Write | `s3express:authType` `s3express:ResourceAccount` `s3express:signatureversion` `s3express:TlsVersion` `s3express:x-amz-content-sha256` -`s3express:CreateAccessPoint` | `CreateAccessPoint` | Grants permission to create an access point associated with an directory bucket. | Write | s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:LocationName s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256 -`s3express:ListAccessPointsForDirectoryBuckets` | `ListAccessPointsForDirectoryBuckets` | Grants permission to list access points. | List | s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256 -`s3express:GetAccessPoint` | `GetAccessPoint` | Grants permission to return configuration information about the specified access point. | Read | s3express:DataAccessPointAccount s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256 -`s3express:DeleteAccessPoint` | `DeleteAccessPoint` | Grants permission to delete the access point named in the URI. | Write | s3express:DataAccessPointAccount s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256 -`s3express:DeleteAccessPointPolicy` | `DeleteAccessPointPolicy` | Grants access to delete the policy on a specified access point. | Permissions management | s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256 -`s3express:GetAccessPointPolicy` | `GetAccessPointPolicy` | Grants permission to return the access point policy associated with the specified access point. | Read | s3express:DataAccessPointAccount s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256 -`s3express:PutAccessPointPolicy` | `PutAccessPointPolicy` | Grants permission to associate an access point policy with a specified access point. | Permissions management | s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256 -`s3express:DeleteAccessPointScope` | `DeleteAccessPointScope` | Grants permission to delete the scope configuration on a specified access point. | Permissions management | s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256 -`s3express:GetAccessPointScope` | `GetAccessPointScope` | Grants permission to return the scope configuration associated with the specified access point. | Read | s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256 -`s3express:PutAccessPointScope` | `PutAccessPointScope` | Grants permission to associate an access point with a specified access point scope configuration. | Permissions management | s3express:DataAccessPointAccount s3express:DataAccessPointArn s3express:AccessPointNetworkOrigin s3express:authType s3express:ResourceAccount s3express:signatureversion s3express:TlsVersion s3express:x-amz-content-sha256 +In an IAM identity-based policy or resource-based policy, you define which S3 actions are allowed or denied. Actions correspond to specific API operations. With directory buckets, you must use the S3 Express One Zone namespace to grant permissions, called `s3express`. @@ -117 +78 @@ Action | API | Description | Access level | Condition keys -## Condition keys for directory buckets +When you allow the `s3express:CreateSession` permission, the `CreateSession` API operation retrieves a temporary session token for all Zonal endpoint API (object level) operations. The session token returns credentials that are used for all other Zonal endpoint API operations. As a result, you don't grant access permissions to Zonal API operations with IAM policies. Instead, `CreateSession` enables access for all object level operations. For the list of Zonal API operations and permissions, see [Authenticating and authorizing requests](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-authenticating-authorizing.html). @@ -119 +80 @@ Action | API | Description | Access level | Condition keys -The following are condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. +To learn more about the `CreateSession` API operation, see [CreateSession](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html) in the _Amazon Simple Storage Service API Reference_. @@ -121,10 +82 @@ The following are condition keys that can be used in the `Condition` element of -Condition key | Description | Typs ----|---|--- -`s3express:authType` | Filters access by authentication method. To restrict incoming requests to use a specific authentication method, you can use this optional condition key. For example, you can use this condition key to allow only the HTTP `Authorization` header to be used in request authentication. **Valid values:** `REST-HEADER`, `REST-QUERY-STRING` | String -`s3express:LocationName` | Filters access to the `CreateBucket` API operation by a specific Availability Zone ID (AZ ID), for example, `usw2-az1`. **Example value:** `usw2-az1` | String -`s3express:ResourceAccount` | Filters access by the resource owner's AWS account ID. To restrict user, role, or application access to the directory buckets that are owned by a specific AWS account ID, you can use either the `aws:ResourceAccount` or `s3express:ResourceAccount` condition key. You can use this condition key in either AWS Identity and Access Management (IAM) identity policies or virtual private cloud (VPC) endpoint policies. For example, you can use this condition key to restrict clients within your VPC from accessing buckets that you don't own. **Example value:** `111122223333` | String -`s3express:SessionMode` | Filters access by the permission requested by the `CreateSession` API operation. By default, the session is `ReadWrite`. You can use this condition key to limit access to `ReadOnly` or to explicitly deny `ReadWrite` access. For more information, see [Example bucket policies for directory buckets](./s3-express-security-iam-example-bucket-policies.html) and [CreateSession](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html) in the _Amazon Simple Storage Service API Reference_. **Valid values:** `ReadWrite`, `ReadOnly` | String -`s3express:signatureAge` | Filters access by the age in milliseconds of the request signature. This condition works only for [presigned URLs](./using-presigned-url.html). In AWS Signature Version 4, the signing key is valid for up to seven days. Therefore, the signatures are also valid for up to seven days. For more information, see [Introduction to signing requests](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html#signing-request-intro) in the _Amazon Simple Storage Service API Reference_. You can use this condition to further limit the signature age. **Example value:** `600000` | Numeric -`s3express:signatureversion` | Identifies the version of AWS Signature that you want to support for authenticated requests. For authenticated requests, Signature Version 4 is supported. **Valid value:** `"AWS4-HMAC-SHA256"` (identifies Signature Version 4) | String -`s3express:TlsVersion` | Filters access by the TLS version that's used by the client. You can use the `s3:TlsVersion` condition key to write IAM, virtual private cloud endpoint (VPCE), or bucket policies that restrict user or application access to directory buckets based on the TLS version that's used by the client. You can also use this condition key to write policies that require a minimum TLS version. **Example value:** `1.3` | Numeric -`s3express:x-amz-content-sha256` | Filters access by unsigned content in your bucket. You can use this condition key to disallow unsigned content in your bucket. When you use Signature Version 4 for requests that use the `Authorization` header, you add the `x-amz-content-sha256` header in the signature calculation and then set its value to the hash payload. You can use this condition key in your bucket policy to deny any uploads where the payloads aren't signed. For example: +You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation with the same name. However, in some cases, a single action controls access to more than one API operation. Access to bucket-level actions can be granted in only IAM identity-based policies (user or role) and not bucket policies. @@ -132,2 +84 @@ Condition key | Description | Typs - * Deny uploads that use the `Authorization` header to authenticate requests but don't sign the payload. For more information, see [Transferring payload in a single chunk](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html) in the _Amazon Simple Storage Service API Reference_. - * Deny uploads that use [presigned URLs](./using-presigned-url.html). Presigned URLs always have an `UNSIGNED_PAYLOAD`. For more information, see [Authenticating requests](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html#query-string-auth-v4-signing) and [Authentication methods](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) in the _Amazon Simple Storage Service API Reference_. +For more information about how to configure access point policies, see [Configuring IAM policies for using access points for directory buckets](./access-points-directory-buckets-policies.html). @@ -135,3 +86 @@ Condition key | Description | Typs -**Valid value:** `UNSIGNED-PAYLOAD` | String -`s3express:x-amz-server-side-encryption` | Filters access by server-side encryption **Valid values:** `"AES256"`, `aws:kms` | String -`s3express:x-amz-server-side-encryption-aws-kms-key-id` | Filters access by AWS KMS customer managed key for server-side encryption **Example value:** `"arn:aws:kms:`region`:`acct-id`:key/`key-id`"` | ARN +For more information, see [Actions, resources, and condition keys for Amazon S3 Express](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3express.html).