AWS audit-manager medium security documentation change
Summary
Updated link from ID-based policy example to resource-based policy examples
Security assessment
Ensures proper resource-based policy configuration for S3 exports, preventing potential data exposure through misconfigured permissions.
Diff
diff --git a/audit-manager/latest/userguide/exporting-search-results-from-evidence-finder.md b/audit-manager/latest/userguide/exporting-search-results-from-evidence-finder.md index 302c1e60f..59080eb78 100644 --- a//audit-manager/latest/userguide/exporting-search-results-from-evidence-finder.md +++ b//audit-manager/latest/userguide/exporting-search-results-from-evidence-finder.md @@ -78 +78 @@ Follow these steps to export your search results for the first time. This proced -Before you start, make sure that you have an S3 bucket available to use as your export destination. You can use one of your existing S3 buckets, or you can [create a new bucket in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html). In addition, your S3 bucket must have the required permissions policy to allow CloudTrail to write the export files to it. More specifically, the bucket policy must include an `s3:PutObject` action and the bucket ARN, and list CloudTrail as the service principal. We provide an [example permission policy](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_id-based-policy-examples.html#full-administrator-access-export-destination) that you can use. For instructions on how to attach this policy to your S3 bucket, see [Adding a bucket policy by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html). +Before you start, make sure that you have an S3 bucket available to use as your export destination. You can use one of your existing S3 buckets, or you can [create a new bucket in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html). In addition, your S3 bucket must have the required permissions policy to allow CloudTrail to write the export files to it. More specifically, the bucket policy must include an `s3:PutObject` action and the bucket ARN, and list CloudTrail as the service principal. We provide an [example permission policy](https://docs.aws.amazon.com/audit-manager/latest/userguide/security_iam_resource-based-policy-examples.html) that you can use. For instructions on how to attach this policy to your S3 bucket, see [Adding a bucket policy by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html).