AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-07-25 · Documentation medium

File: AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-metadataconfiguration.md

Summary

Added detailed examples for S3 metadata configuration with KMS encryption, including IAM role and KMS key policy configurations

Security assessment

The change adds documentation about encrypting S3 metadata using KMS, which is a security feature. However, there's no indication this addresses a specific security vulnerability - it appears to be routine documentation of security best practices.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-metadataconfiguration.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-metadataconfiguration.md
index 394d4560b..0243deaf3 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-metadataconfiguration.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-metadataconfiguration.md
@@ -3 +3 @@
-SyntaxProperties
+SyntaxPropertiesExamples
@@ -70,0 +71,151 @@ _Required_ : Yes
+## Examples
+
+### Create a metadata configuration
+
+The following example creates an S3 Metadata configuration for the specified general purpose bucket. To use this example, replace ` `amzn-s3-demo-bucket` ` with the name of your general purpose bucket. Also make sure to update the AWS Identity and Access Management (IAM) Amazon Resource Name (ARN) with the name of the IAM role that you want to use.
+
+#### JSON
+    
+    
+    {
+      "Resources": {
+        "S3MetadataKMSKey": {
+          "Type": "AWS::KMS::Key",
+          "Properties": {
+            "Description": "KMS key for S3 metadata encryption",
+            "EnableKeyRotation": true,
+            "KeyPolicy": {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Sid": "Enable IAM User Permissions",
+                  "Effect": "Allow",
+                  "Principal": {
+                    "AWS": {
+                      "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/SpecificRoleName"
+                    }
+                  },
+                  "Action": "kms:*",
+                  "Resource": "*"
+                },
+                {
+                  "Sid": "Allow S3 Metadata Service",
+                  "Effect": "Allow",
+                  "Principal": {
+                    "Service": [
+                      "maintenance.s3tables.amazonaws.com",
+                      "metadata.s3.amazonaws.com"
+                    ]
+                  },
+                  "Action": [
+                    "kms:Decrypt",
+                    "kms:GenerateDataKey"
+                  ],
+                  "Resource": "*"
+                }
+              ]
+            }
+          }
+        },
+        "S3MetadataKMSKeyAlias": {
+          "Type": "AWS::KMS::Alias",
+          "Properties": {
+            "AliasName": "alias/s3-metadata-key",
+            "TargetKeyId": {
+              "Ref": "S3MetadataKMSKey"
+            }
+          }
+        },
+        "TestMetadataBucket": {
+          "Type": "AWS::S3::Bucket",
+          "Properties": {
+            "BucketName": "amzn-s3-demo-bucket",
+            "MetadataConfiguration": {
+              "JournalTableConfiguration": {
+                "RecordExpiration": {
+                  "Expiration": "ENABLED",
+                  "Days": 10
+                },
+                "EncryptionConfiguration": {
+                  "SseAlgorithm": "aws:kms",
+                  "KmsKeyArn": {
+                    "Fn::GetAtt": [
+                      "S3MetadataKMSKey",
+                      "Arn"
+                    ]
+                  }
+                }
+              },
+              "InventoryTableConfiguration": {
+                "ConfigurationState": "ENABLED",
+                "EncryptionConfiguration": {
+                  "SseAlgorithm": "aws:kms",
+                  "KmsKeyArn": {
+                    "Fn::GetAtt": [
+                      "S3MetadataKMSKey",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+          
+
+#### YAML
+    
+    
+    Resources:
+      S3MetadataKMSKey:
+        Type: 'AWS::KMS::Key'
+        Properties:
+          Description: 'KMS key for S3 metadata encryption'
+          EnableKeyRotation: true
+          KeyPolicy:
+            Version: '2012-10-17'
+            Statement:
+              - Sid: 'Enable IAM User Permissions'
+                Effect: Allow
+                Principal:
+                  AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:role/SpecificRoleName'
+                Action: 'kms:*'
+                Resource: '*'
+              - Sid: 'Allow S3 Metadata Service'
+                Effect: Allow
+                Principal:
+                  Service: 
+                    - 'maintenance.s3tables.amazonaws.com'
+                    - 'metadata.s3.amazonaws.com'
+                Action:
+                  - 'kms:Decrypt'
+                  - 'kms:GenerateDataKey'
+                Resource: '*'
+    
+      S3MetadataKMSKeyAlias:
+        Type: 'AWS::KMS::Alias'
+        Properties:
+          AliasName: 'alias/s3-metadata-key'
+          TargetKeyId: !Ref S3MetadataKMSKey
+    
+      TestMetadataBucket:
+        Type: 'AWS::S3::Bucket'
+        Properties:
+          BucketName: amzn-s3-demo-bucket
+          MetadataConfiguration:
+            JournalTableConfiguration:
+              RecordExpiration:
+                Expiration: ENABLED
+                Days: 10
+              EncryptionConfiguration:
+                SseAlgorithm: aws:kms
+                KmsKeyArn: !GetAtt S3MetadataKMSKey.Arn
+            InventoryTableConfiguration:
+              ConfigurationState: ENABLED
+              EncryptionConfiguration:
+                SseAlgorithm: aws:kms
+                KmsKeyArn: !GetAtt S3MetadataKMSKey.Arn
+          
+