AWS AmazonS3 medium security documentation change
Summary
Restructured documentation with new section headers, expanded naming rules, clarified access requirements (e.g., TLS 1.2 enforcement, IPv6 unsupported), added service quotas, and detailed region support including opt-in regions.
Security assessment
Added explicit requirement for TLS 1.2 and SigV4A signing, which are security controls for data integrity and authentication. The note stating 'Multi-Region Access Points don't support anonymous requests' directly addresses access control security. These changes enforce secure communication and authentication practices.
Diff
diff --git a/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.md b/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.md index 240ef2326..7a2c7c8e7 100644 --- a//AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.md +++ b//AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.md @@ -4,0 +5,2 @@ +Names and aliasesAccessing a Multi-Region Access PointSigning AWS API requestsAmazon S3 API operationsAWS SDKsService quotasCreating, deleting, or modifying a Multi-Region Access PointRegion support + @@ -9 +11,7 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * Multi-Region Access Point names: +## Names and aliases + +Multi-Region Access Point names must meet the following requirements: + + * Must be unique within a single AWS account. + + * Must begin with a number or lowercase letter. @@ -11 +19 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * Must be unique within a single AWS account + * Must be between 3 and 50 characters long. @@ -13 +21 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * Must begin with a number or lowercase letter + * Can't begin or end with a hyphen (`-`). @@ -15 +23 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * Must be between 3 and 50 characters long + * Can't contain underscores (`_`), uppercase letters, or periods (`.`). @@ -17 +25 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * Can't begin or end with a hyphen (`-`) + * Can't be edited after they are created. @@ -19 +26,0 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * Can't contain underscores (`_`), uppercase letters, or periods (`.`) @@ -21 +27,0 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * Can't be edited after they are created @@ -23 +28,0 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * Multi-Region Access Point aliases are generated by Amazon S3 and can't be edited or reused. @@ -25 +30 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * You cannot access data through a Multi-Region Access Point by using gateway endpoints. However, you can access data through a Multi-Region Access Point by using interface endpoints. To use AWS PrivateLink, you must create VPC endpoints. For more information, see [Configuring a Multi-Region Access Point for use with AWS PrivateLink](./MultiRegionAccessPointsPrivateLink.html). +Multi-Region Access Point aliases (which are different from a Multi-Region Access Point name), are automatically generated by Amazon S3 and can't be edited or reused. For more information about the difference between Multi-Region Access Point aliases and Multi-Region Access Point names and their respective naming rules, see [Rules for naming Amazon S3 Multi-Region Access Points](./multi-region-access-point-naming.html). @@ -27 +32 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * To use Multi-Region Access Points with Amazon CloudFront, you must configure the Multi-Region Access Point as a `Custom Origin` distribution type. For more information about various origin types, see [Using various origins with CloudFront distributions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html). For more information about using Multi-Region Access Points with Amazon CloudFront, see [ Building an active-active, proximity-based application across multiple Regions](https://aws.amazon.com/blogs/storage/building-an-active-active-latency-based-application-across-multiple-regions/) on the _AWS Storage Blog_. +## Accessing a Multi-Region Access Point @@ -29 +34 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * Multi-Region Access Point minimum requirements: +You can't access data through a Multi-Region Access Point by using gateway endpoints. However, you can access data through a Multi-Region Access Point by using interface endpoints. To use AWS PrivateLink, you must create VPC endpoints. For more information, see [Configuring a Multi-Region Access Point for use with AWS PrivateLink](./MultiRegionAccessPointsPrivateLink.html). However, be aware that IPv6 isn't supported. @@ -31 +36 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi - * Transport Layer Security (TLS) v1.2 +To use Multi-Region Access Points with Amazon CloudFront, you must configure the Multi-Region Access Point as a `Custom Origin` distribution type. For more information about various origin types, see [Using various origins with CloudFront distributions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html). For more information about using Multi-Region Access Points with Amazon CloudFront, see [ Building an active-active, proximity-based application across multiple Regions](https://aws.amazon.com/blogs/storage/building-an-active-active-latency-based-application-across-multiple-regions/) on the _AWS Storage Blog_. @@ -35 +40 @@ Multi-Region Access Points in Amazon S3 have the following restrictions and limi -Transport Layer Security (TLS) v1.3 isn’t supported. +S3 on Outposts buckets aren't supported. @@ -37 +42 @@ Transport Layer Security (TLS) v1.3 isn’t supported. - * Signature Version 4 (SigV4A) +## Signing AWS API requests @@ -39 +44,9 @@ Transport Layer Security (TLS) v1.3 isn’t supported. -Multi-Region Access Points support Signature Version 4A. This version of SigV4 allows requests to be signed for multiple AWS Regions. This feature is useful in API operations that might result in data access from one of several Regions. When using an AWS SDK, you supply your credentials, and the requests to Multi-Region Access Points will use Signature Version 4A without additional configuration. Make sure to check your [AWS SDK compatibility](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html) with the SigV4A algorithm. For more information about SigV4A, see [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) in the _AWS General Reference_. +To sign an AWS API request, your Multi-Region Access Point must meet the following minimum requirements: + +###### Note + +Multi-Region Access Points don't support anonymous requests. + + * Support for Transport Layer Security (TLS) version 1.2. + + * Support for Signature Version 4 (SigV4A)–This version of SigV4 allows requests to be signed for multiple AWS Regions. This feature is useful in API operations that might result in data access from one of several Regions. When using an AWS SDK, you supply your credentials, and the requests to Multi-Region Access Points will use Signature Version 4A without additional configuration. Make sure to check your [AWS SDK compatibility](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html) with the SigV4A algorithm. For more information about SigV4A, see [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) in the _AWS General Reference_. @@ -45 +57,0 @@ To use SigV4A with temporary security credentials—for example, when using AWS - * Multi-Region Access Points don't support anonymous requests. @@ -47 +58,0 @@ To use SigV4A with temporary security credentials—for example, when using AWS - * Multi-Region Access Point limitations: @@ -49 +59,0 @@ To use SigV4A with temporary security credentials—for example, when using AWS - * IPv6 is not supported. @@ -51 +61,7 @@ To use SigV4A with temporary security credentials—for example, when using AWS - * Amazon S3 on Outposts buckets are not supported. +## Amazon S3 API operations + + * `CopyObject` is supported as a destination only when using the Multi-Region Access Point ARN. + + * The S3 Batch Operations feature isn't supported. + + @@ -53 +68,0 @@ To use SigV4A with temporary security credentials—for example, when using AWS - * Multi-Region Access Points supports copy operations using Multi-Region Access Points only as a destination when using the Multi-Region Access Point ARN. @@ -55 +70 @@ To use SigV4A with temporary security credentials—for example, when using AWS - * The S3 Batch Operations feature is not supported. +## AWS SDKs @@ -57 +72 @@ To use SigV4A with temporary security credentials—for example, when using AWS - * Certain AWS SDKs are not supported. To confirm which AWS SDKs are supported for Multi-Region Access Points, see [Compatibility with AWS SDKs](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html#s3-mrap-sdk-compat). +Certain AWS SDKs aren't supported. To confirm which AWS SDKs are supported for Multi-Region Access Points, see [Compatibility with AWS SDKs](https://docs.aws.amazon.com/sdkref/latest/guide/feature-s3-mrap.html#s3-mrap-sdk-compat). @@ -59 +74,3 @@ To use SigV4A with temporary security credentials—for example, when using AWS - * The service quotas for Multi-Region Access Points are as follows: +## Service quotas + +Be aware of the following service quota limitations: @@ -64,0 +82,7 @@ To use SigV4A with temporary security credentials—for example, when using AWS + + + +## Creating, deleting, or modifying a Multi-Region Access Point + +When you create, delete, or modify an Multi-Region Access Point, be aware of the following rules and restrictions: + @@ -69 +92,0 @@ To use SigV4A with temporary security credentials—for example, when using AWS - * All control plane requests to create or maintain Multi-Region Access Points must be routed to the `US West (Oregon)` Region. For Multi-Region Access Point data plane requests, Regions don't need to be specified. For a list of control plane operations, see [S3 API Reference](https://docs.aws.amazon.com/AmazonS3/latest/API/Type_API_Reference.html) in the _Amazon Simple Storage Service API Reference_. @@ -71 +94,9 @@ To use SigV4A with temporary security credentials—for example, when using AWS - * For the Multi-Region Access Point failover control plane, requests must be routed to one of these five supported Regions: + + +## Region support + +**Control plane requests** + +All control plane requests to create or maintain Multi-Region Access Points must be routed to the `US West (Oregon)` Region. For Multi-Region Access Point data plane requests, Regions don't need to be specified. + +For the Multi-Region Access Point failover control plane, requests must be routed to one of these five supported Regions: @@ -83 +114,6 @@ To use SigV4A with temporary security credentials—for example, when using AWS - * Your Multi-Region Access Point only supports buckets in the following AWS Regions: + + + +**Regions enabled by default** + +Your Multi-Region Access Point supports buckets in the following default AWS Regions (which are [enabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) in your AWS account): @@ -121,0 +158,37 @@ To use SigV4A with temporary security credentials—for example, when using AWS +**AWS opt-in Regions** + +Your Multi-Region Access Point also supports buckets in the following opt-in AWS Regions (which are [disabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) in your AWS account): + + * `Africa (Cape Town)` + + * `Asia Pacific (Hong Kong)` + + * `Asia Pacific (Jakarta)` + + * `Asia Pacific (Melbourne)` + + * `Asia Pacific (Hyderabad)` + + * `Canada West (Calgary)` + + * `Europe (Zurich)` + + * `Europe (Milan)` + + * `Europe (Spain)` + + * `Israel (Tel Aviv)` + + * `Middle East (Bahrain)` + + * `Middle East (UAE)` + + + + +###### Note + +There are no additional costs for enabling an opt-in Region. However, creating or using a resource in a Multi-Region Access Point results in billing charges. + +An opt-in Region must be manually enabled when configuring or creating your Multi-Region Access Point. For more information about opt-in Region behaviors for Multi-Region Access Points, see [Configuring Multi-Region Access Point opt-in Regions](./ConfiguringMrapOptInRegions.html). For information about how to enable an opt-in Region in your AWS account, see [Enable or disable a Region for standalone accounts](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-standalone) in the _AWS Account Management Reference Guide_. +