AWS AmazonS3 medium security documentation change
Summary
Clarified required service principal permissions and consequences of misconfiguration for metadata tables
Security assessment
Explicitly specifies required service principals (metadata.s3.amazonaws.com and maintenance.s3tables.amazonaws.com) to prevent accidental denial of service. Highlights security risks of improper IAM policies that could disrupt S3 operations, requiring configuration rebuilds. Adds guidance about access control best practices.
Diff
diff --git a/AmazonS3/latest/userguide/metadata-tables-access-control.md b/AmazonS3/latest/userguide/metadata-tables-access-control.md index 88a10f774..abd6a0c09 100644 --- a//AmazonS3/latest/userguide/metadata-tables-access-control.md +++ b//AmazonS3/latest/userguide/metadata-tables-access-control.md @@ -7 +7 @@ -To control access to your Amazon S3 metadata tables, you can use AWS Identity and Access Management (IAM) resource-based policies that are attached to your table bucket and to your metadata table. In other words, you can control access to your metadata tables at both the table bucket level and the table level. +To control access to your Amazon S3 metadata tables, you can use AWS Identity and Access Management (IAM) resource-based policies that are attached to your table bucket and to your metadata tables. In other words, you can control access to your metadata tables at both the table bucket level and the table level. @@ -13 +13 @@ For more information about controlling access to your table buckets and tables, -Make sure that you don't restrict Amazon S3 from writing to your table bucket or your metadata table. If Amazon S3 is unable to write to your table bucket or your metadata table, you must create a new metadata table by deleting your metadata table configuration and then creating a new configuration. +When you're creating or updating table bucket or table policies, make sure that you don't restrict the Amazon S3 service principals `metadata.s3.amazonaws.com` and `maintenance.s3tables.amazonaws.com` from writing to your table bucket or your metadata tables. @@ -15 +15,3 @@ Make sure that you don't restrict Amazon S3 from writing to your table bucket or -You can also control access to the rows and columns in your metadata table through AWS Lake Formation. For more information, see [Managing Lake Formation permissions](https://docs.aws.amazon.com/lake-formation/latest/dg/managing-permissions.html) and [Data filtering and cell-level security in Lake Formation](https://docs.aws.amazon.com/lake-formation/latest/dg/data-filtering.html) in the _AWS Lake Formation Developer Guide_. +If Amazon S3 is unable to write to your table bucket or your metadata tables, you must delete your metadata configuration, delete your metadata tables, and then create a new configuration. If you had an inventory table in your configuration, a new inventory table has to be created, and you will be charged again for backfilling the new inventory table. + +You can also control access to the rows and columns in your metadata tables through AWS Lake Formation. For more information, see [Managing Lake Formation permissions](https://docs.aws.amazon.com/lake-formation/latest/dg/managing-permissions.html) and [Data filtering and cell-level security in Lake Formation](https://docs.aws.amazon.com/lake-formation/latest/dg/data-filtering.html) in the _AWS Lake Formation Developer Guide_. @@ -25 +27 @@ Creating metadata tables -Deleting metadata table configurations +Expiring journal table records