AWS Security ChangesHomeSearch

AWS audit-manager medium security documentation change

Service: audit-manager · 2025-07-04 · Security-related medium

File: audit-manager/latest/userguide/exporting-search-results-from-evidence-finder.md

Summary

Updated link from ID-based policy example to resource-based policy examples

Security assessment

Ensures proper resource-based policy configuration for S3 exports, preventing potential data exposure through misconfigured permissions.

Diff

diff --git a/audit-manager/latest/userguide/exporting-search-results-from-evidence-finder.md b/audit-manager/latest/userguide/exporting-search-results-from-evidence-finder.md
index 302c1e60f..59080eb78 100644
--- a//audit-manager/latest/userguide/exporting-search-results-from-evidence-finder.md
+++ b//audit-manager/latest/userguide/exporting-search-results-from-evidence-finder.md
@@ -78 +78 @@ Follow these steps to export your search results for the first time. This proced
-Before you start, make sure that you have an S3 bucket available to use as your export destination. You can use one of your existing S3 buckets, or you can [create a new bucket in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html). In addition, your S3 bucket must have the required permissions policy to allow CloudTrail to write the export files to it. More specifically, the bucket policy must include an `s3:PutObject` action and the bucket ARN, and list CloudTrail as the service principal. We provide an [example permission policy](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_id-based-policy-examples.html#full-administrator-access-export-destination) that you can use. For instructions on how to attach this policy to your S3 bucket, see [Adding a bucket policy by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html). 
+Before you start, make sure that you have an S3 bucket available to use as your export destination. You can use one of your existing S3 buckets, or you can [create a new bucket in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html). In addition, your S3 bucket must have the required permissions policy to allow CloudTrail to write the export files to it. More specifically, the bucket policy must include an `s3:PutObject` action and the bucket ARN, and list CloudTrail as the service principal. We provide an [example permission policy](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_resource-based-policy-examples.html) that you can use. For instructions on how to attach this policy to your S3 bucket, see [Adding a bucket policy by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html).