AWS Security ChangesHomeSearch

AWS AmazonS3 high security documentation change

Service: AmazonS3 · 2025-07-25 · Security-related high

File: AmazonS3/latest/userguide/example-bucket-policies.md

Summary

Added JSON formatting, updated account IDs, modified resource ARNs, and introduced invalid Referer patterns (e.g., 'http://www./*') in examples. Changed a bucket-specific resource ARN to a broader scope ('arn:aws:s3:::/*').

Security assessment

The Referer condition change introduces invalid patterns ('http://www./*'), which could lead to misconfigured policies allowing unintended access if users copy the example. The resource ARN change from 'amzn-s3-demo-bucket/*' to '/*' creates an overly broad policy example, potentially enabling accidental exposure of all buckets. Both changes risk security misconfigurations.

Diff

diff --git a/AmazonS3/latest/userguide/example-bucket-policies.md b/AmazonS3/latest/userguide/example-bucket-policies.md
index c1b912164..a50bb2b84 100644
--- a//AmazonS3/latest/userguide/example-bucket-policies.md
+++ b//AmazonS3/latest/userguide/example-bucket-policies.md
@@ -103,0 +104,6 @@ The following example policy requires every object that is written to the bucket
+JSON
+    
+
+****
+    
+    
@@ -125,0 +133,6 @@ The following example policy denies any objects from being written to the bucket
+JSON
+    
+
+****
+    
+    
@@ -153,0 +168,6 @@ The `public-read` canned ACL allows anyone in the world to view the objects in y
+JSON
+    
+
+****
+    
+    
@@ -186,0 +208,6 @@ The following example shows how to allow another AWS account to upload objects t
+JSON
+    
+
+****
+    
+    
@@ -209,0 +238,6 @@ The following permissions policy limits a user to only reading objects that have
+JSON
+    
+
+****
+    
+    
@@ -238,0 +274,6 @@ The policy ensures that every tag key specified in the request is an authorized
+JSON
+    
+
+****
+    
+    
@@ -267,0 +310,6 @@ The following example policy grants a user permission to perform the `s3:PutObje
+JSON
+    
+
+****
+    
+    
@@ -293,0 +343,6 @@ The following example policy grants a user permission to perform the `s3:PutObje
+JSON
+    
+
+****
+    
+    
@@ -327,0 +384,6 @@ This example bucket policy grants `s3:PutObject` permissions to only the logging
+JSON
+    
+
+****
+    
+    
@@ -371,0 +435,6 @@ Here’s an example of a resource-based bucket policy that you can use to grant
+JSON
+    
+
+****
+    
+    
@@ -400,0 +471,6 @@ In the following example, the bucket policy explicitly denies HTTP requests.
+JSON
+    
+
+****
+    
+    
@@ -410 +486 @@ In the following example, the bucket policy explicitly denies HTTP requests.
-                "arn:aws:s3:::amzn-s3-demo-bucket/*"
+                "arn:aws:s3:::/*"
@@ -426,0 +504,6 @@ To allow read access to these objects from your website, you can add a bucket po
+JSON
+    
+
+****
+    
+    
@@ -433 +516 @@ To allow read access to these objects from your website, you can add a bucket po
-          "Sid":"Allow only GET requests originating from www.example.com and example.com.",
+          "Sid":"Allow only GET requests originating from www. and .",
@@ -439 +522 @@ To allow read access to these objects from your website, you can add a bucket po
-            "StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
+            "StringLike":{"aws:Referer":["http://www./*","http:///*"]}
@@ -471,0 +556,6 @@ The following example bucket policy grants ``JohnDoe`` full console access to on
+JSON
+    
+
+****
+    
+    
@@ -530,0 +622,6 @@ In the following example, the bucket policy grants Elastic Load Balancing (ELB)
+JSON
+    
+
+****
+    
+    
@@ -537 +634 @@ In the following example, the bucket policy grants Elastic Load Balancing (ELB)
-            "AWS": "arn:aws:iam::elb-account-id:root"
+                    "AWS": "arn:aws:iam::111122223333:root"
@@ -551,0 +650,6 @@ If your AWS Region does not appear in the supported Elastic Load Balancing Regio
+JSON
+    
+
+****
+    
+    
@@ -585,0 +691,6 @@ To use this example:
+JSON
+    
+
+****
+    
+    
@@ -611,0 +724,6 @@ The following example bucket policy grants Amazon S3 permission to write objects
+JSON
+    
+
+****
+    
+    
@@ -650,0 +770,6 @@ The following example bucket policy grants Amazon S3 permission to write objects
+JSON
+    
+
+****
+    
+    
@@ -689,0 +816,6 @@ The following example policy grants a user (``Ana``) permission to create an inv
+JSON
+    
+
+****
+    
+    
@@ -775,0 +909,6 @@ This example policy denies any Amazon S3 operation on the ``/taxdocuments`` fold
+JSON
+    
+
+****
+    
+    
@@ -795,0 +936,6 @@ The following bucket policy is an extension of the preceding bucket policy. The
+JSON
+    
+
+****
+    
+    
@@ -822,0 +970,6 @@ For example, the following bucket policy, in addition to requiring MFA authentic
+JSON
+    
+
+****
+    
+    
@@ -861,0 +1016,6 @@ In the following policy example, you explicitly deny `DELETE Object` permissions
+JSON
+    
+
+****
+    
+