AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-07-18 · Documentation low

File: AmazonS3/latest/userguide/metadata-tables-permissions.md

Summary

Updated permissions documentation for S3 metadata tables, including new actions (e.g., UpdateBucketMetadataJournalTableConfiguration), clarified encryption requirements, and added example policies for KMS integration.

Security assessment

The changes primarily document security-related permissions for encryption (SSE-KMS) and access control (e.g., PutTablePolicy, PutTableEncryption). While these updates clarify security best practices, there is no evidence of addressing a specific vulnerability or incident. The additions explain how to configure security features like KMS key policies and table encryption.

Diff

diff --git a/AmazonS3/latest/userguide/metadata-tables-permissions.md b/AmazonS3/latest/userguide/metadata-tables-permissions.md
index 6b9608a52..4460cfea5 100644
--- a//AmazonS3/latest/userguide/metadata-tables-permissions.md
+++ b//AmazonS3/latest/userguide/metadata-tables-permissions.md
@@ -7 +7 @@
-To create a metadata table configuration, you must have the necessary AWS Identity and Access Management (IAM) permissions to both create and manage your metadata table configuration and to create and manage your metadata table and the table bucket where your metadata table is stored. 
+To create a metadata table configuration, you must have the necessary AWS Identity and Access Management (IAM) permissions to both create and manage your metadata table configuration and to create and manage your metadata tables and the table bucket where your metadata tables are stored. 
@@ -11 +11 @@ To create and manage your metadata table configuration, you must have these perm
-  * `s3:CreateBucketMetadataTableConfiguration` – This permission allows you to create a metadata table configuration for your general purpose bucket.
+  * `s3:CreateBucketMetadataTableConfiguration` – This permission allows you to create a metadata table configuration for your general purpose bucket. To create a metadata table configuration, additional permissions, including S3 Tables permissions, are required, as explained in the following sections. For a summary of the required permissions, see [Bucket operations and permissions](./using-with-s3-policy-actions.html#using-with-s3-policy-actions-related-to-buckets). 
@@ -16,0 +17,8 @@ To create and manage your metadata table configuration, you must have these perm
+  * `s3:UpdateBucketMetadataJournalTableConfiguration` – This permission allows you to update your journal table configuration to expire journal table records.
+
+  * `s3:UpdateBucketMetadataInventoryTableConfiguration` – This permission allows you to update your inventory table configuration to enable or disable the inventory table. To update an inventory table configuration, additional permissions, including S3 Tables permissions, are required. For a list of the required permissions, see [Bucket operations and permissions](./using-with-s3-policy-actions.html#using-with-s3-policy-actions-related-to-buckets).
+
+###### Note
+
+The `s3:CreateBucketMetadataTableConfiguration`, `s3:GetBucketMetadataTableConfiguration`, and `s3:DeleteBucketMetadataTableConfiguration` permissions are used for both V1 and V2 S3 Metadata configurations. For V2, the names of the corresponding API operations are `CreateBucketMetadataConfiguration`, `GetBucketMetadataConfiguration`, and `DeleteBucketMetadataConfiguration`.
+
@@ -22 +30,7 @@ To create and work with tables and table buckets, you must have certain `s3table
-  * `s3tables:CreateNamespace` – This permission allows you to create a namespace in a table bucket. Metadata tables use the default `aws_s3_metadata` namespace.
+  * `s3tables:CreateTableBucket` – This permission allows you to create an AWS managed table bucket. All metadata table configurations in your account and in the same Region are stored in a single AWS managed table bucket named `aws-s3`. For more information, see [How metadata tables work](./metadata-tables-overview.html#metadata-tables-how-they-work) and [Working with AWS managed table buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-aws-managed-buckets.html).
+
+  * `s3tables:CreateNamespace` – This permission allows you to create a namespace in a table bucket. Metadata tables typically use the `b_`general_purpose_bucket_name`` namespace. For more information about metadata table namespaces, see [How metadata tables work](./metadata-tables-overview.html#metadata-tables-how-they-work).
+
+  * `s3tables:CreateTable` – This permission allows you to create your metadata tables.
+
+  * `s3tables:GetTable` – This permission allows you to retrieve information about your metadata tables.
@@ -24 +38 @@ To create and work with tables and table buckets, you must have certain `s3table
-  * `s3tables:GetTable` – This permission allows you to retrieve information about your metadata table.
+  * `s3tables:PutTablePolicy` – This permission allows you to add or update your metadata table policies.
@@ -26 +40 @@ To create and work with tables and table buckets, you must have certain `s3table
-  * `s3tables:CreateTable` – This permission allows you to create your metadata table.
+  * `s3tables:PutTableEncryption` – This permission allows you to set server-side encryption for your metadata tables. Additional permissions are required if you want to encrypt your metadata tables with server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS). For more information, see Permissions for SSE-KMS. 
@@ -28 +42 @@ To create and work with tables and table buckets, you must have certain `s3table
-  * `s3tables:PutTablePolicy` – This permission allows you to add or update your metadata table policy.
+  * `kms:DescribeKey` – This permission allows you to retrieve information about a KMS key. 
@@ -39 +53 @@ If you also want to integrate your table bucket with AWS analytics services so t
-###### Permissions for SSE-KMS
+###### 
@@ -41 +55 @@ If you also want to integrate your table bucket with AWS analytics services so t
-To access S3 table buckets or S3 tables that are using server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS), you need to include additional permissions. 
+Permissions for SSE-KMS
@@ -43 +57 @@ To access S3 table buckets or S3 tables that are using server-side encryption wi
-  1. The user or IAM role needs the following permissions. You can grant these permissions by using the IAM console - [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 
+To encrypt your metadata tables with server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS), you must have additional permissions. 
@@ -45 +59 @@ To access S3 table buckets or S3 tables that are using server-side encryption wi
-    1. `s3tables:PutTableEncryption` to configure table encryption
+  1. The user or AWS Identity and Access Management (IAM) role needs the following permissions. You can grant these permissions by using the IAM console: [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
@@ -47 +61 @@ To access S3 table buckets or S3 tables that are using server-side encryption wi
-    2. `s3tables:PutTableBucketEncryption` to configure table bucket encryption
+    1. `s3tables:PutTableEncryption` to configure table encryption
@@ -49 +63 @@ To access S3 table buckets or S3 tables that are using server-side encryption wi
-    3. `kms:DescribeKey` on the AWS KMS key used
+    2. `kms:DescribeKey` on the AWS KMS key used
@@ -51 +65 @@ To access S3 table buckets or S3 tables that are using server-side encryption wi
-  2. On the resource policy for the KMS key, you need the following permissions. You can grant these permissions by using the KMS console - [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms). 
+  2. On the resource policy for the KMS key, you need the following permissions. You can grant these permissions by using the AWS KMS console: [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).
@@ -53 +67 @@ To access S3 table buckets or S3 tables that are using server-side encryption wi
-    1. `kms:GenerateDataKey` permission to `metadata.s3.amazonaws.com` and `maintenance.s3tables.amazonaws.com`
+    1. Grant `kms:GenerateDataKey` permission to `metadata.s3.amazonaws.com` and `maintenance.s3tables.amazonaws.com`.
@@ -55 +69 @@ To access S3 table buckets or S3 tables that are using server-side encryption wi
-    2. `kms:Decrypt` permission to `metadata.s3.amazonaws.com` and `maintenance.s3tables.amazonaws.com`
+    2. Grant `kms:Decrypt` permission to `metadata.s3.amazonaws.com` and `maintenance.s3tables.amazonaws.com`.
@@ -57 +71 @@ To access S3 table buckets or S3 tables that are using server-side encryption wi
-    3. `kms:DescribeKey` permission to the invoking AWS principal
+    3. Grant `kms:DescribeKey` permission to the invoking AWS principal.
@@ -62 +76 @@ To access S3 table buckets or S3 tables that are using server-side encryption wi
-For more information on granting the necessary permissions to the S3 Metadata service, see the documentation on [Granting the S3 Metadata service principal permissions to use your KMS key](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-permissions.html#metadata-tables-permissions-kms). 
+In addition to these permissions, make sure that the customer managed KMS key used to encrypt the tables still exists, is active, is in the same Region as your general purpose bucket.
@@ -66 +80,3 @@ For more information on granting the necessary permissions to the S3 Metadata se
-To create and work with metadata tables and table buckets, you can use the following example policy. In this policy, the general purpose bucket that you're applying the metadata table configuration to is referred to as ``amzn-s3-demo-source-bucket``. The table bucket where you're storing your metadata table is referred to as ``amzn-s3-demo-bucket``. To use this policy, replace these bucket names and the ``user input placeholders`` with your own information: 
+To create and work with metadata tables and table buckets, you can use the following example policy. In this policy, the general purpose bucket that you're applying the metadata table configuration to is referred to as ``amzn-s3-demo-bucket``. To use this policy, replace the ``user input placeholders`` with your own information. 
+
+When you create your metadata table configuration, your metadata tables are stored in an AWS managed table bucket. All metadata table configurations in your account and in the same Region are stored in a single AWS managed table bucket named `aws-s3`. 
@@ -79 +95,28 @@ To create and work with metadata tables and table buckets, you can use the follo
-                "s3tables:*" 
+                "s3:UpdateBucketMetadataJournalTableConfiguration",
+                "s3:UpdateBucketMetadataInventoryTableConfiguration",
+                "s3tables:*",
+                "kms:DescribeKey" 
+             ],
+             "Resource":[
+                "arn:aws:s3:::bucket/amzn-s3-demo-bucket",
+                "arn:aws:s3tables:region:account_id:bucket/aws-s3",
+                "arn:aws:s3tables:region:account_id:bucket/aws-s3/table/*"
+             ]
+           }
+        ]
+    }
+
+To query metadata tables, you can use the following example policy. If your metadata tables have been encrypted with SSE-KMS, you will need the `kms:Decrypt` permission as shown. To use this policy, replace the ``user input placeholders`` with your own information.
+    
+    
+    {
+       "Version":"2012-10-17",
+       "Statement":[
+          {
+             "Sid":"PermissionsToQueryMetadataTables",
+             "Effect":"Allow",
+             "Action":[
+                 "s3tables:GetTable",
+                 "s3tables:GetTableData",
+                 "s3tables:GetTableMetadataLocation",
+                 "kms:Decrypt"
@@ -82,3 +125,2 @@ To create and work with metadata tables and table buckets, you can use the follo
-                "arn:aws:s3:::bucket/amzn-s3-demo-source-bucket",
-                "arn:aws:s3tables:region:account_id:bucket/amzn-s3-demo-bucket",
-                "arn:aws:s3tables:region:account_id:bucket/amzn-s3-demo-bucket/table/*"
+                "arn:aws:s3tables:region:account_id:bucket/aws-s3",
+                "arn:aws:s3tables:region:account_id:bucket/aws-s3/table/*"