AWS AmazonS3 high security documentation change
Summary
Added JSON formatting, updated account IDs, modified resource ARNs, and introduced invalid Referer patterns (e.g., 'http://www./*') in examples. Changed a bucket-specific resource ARN to a broader scope ('arn:aws:s3:::/*').
Security assessment
The Referer condition change introduces invalid patterns ('http://www./*'), which could lead to misconfigured policies allowing unintended access if users copy the example. The resource ARN change from 'amzn-s3-demo-bucket/*' to '/*' creates an overly broad policy example, potentially enabling accidental exposure of all buckets. Both changes risk security misconfigurations.
Diff
diff --git a/AmazonS3/latest/userguide/example-bucket-policies.md b/AmazonS3/latest/userguide/example-bucket-policies.md index c1b912164..a50bb2b84 100644 --- a//AmazonS3/latest/userguide/example-bucket-policies.md +++ b//AmazonS3/latest/userguide/example-bucket-policies.md @@ -103,0 +104,6 @@ The following example policy requires every object that is written to the bucket +JSON + + +**** + + @@ -125,0 +133,6 @@ The following example policy denies any objects from being written to the bucket +JSON + + +**** + + @@ -153,0 +168,6 @@ The `public-read` canned ACL allows anyone in the world to view the objects in y +JSON + + +**** + + @@ -186,0 +208,6 @@ The following example shows how to allow another AWS account to upload objects t +JSON + + +**** + + @@ -209,0 +238,6 @@ The following permissions policy limits a user to only reading objects that have +JSON + + +**** + + @@ -238,0 +274,6 @@ The policy ensures that every tag key specified in the request is an authorized +JSON + + +**** + + @@ -267,0 +310,6 @@ The following example policy grants a user permission to perform the `s3:PutObje +JSON + + +**** + + @@ -293,0 +343,6 @@ The following example policy grants a user permission to perform the `s3:PutObje +JSON + + +**** + + @@ -327,0 +384,6 @@ This example bucket policy grants `s3:PutObject` permissions to only the logging +JSON + + +**** + + @@ -371,0 +435,6 @@ Here’s an example of a resource-based bucket policy that you can use to grant +JSON + + +**** + + @@ -400,0 +471,6 @@ In the following example, the bucket policy explicitly denies HTTP requests. +JSON + + +**** + + @@ -410 +486 @@ In the following example, the bucket policy explicitly denies HTTP requests. - "arn:aws:s3:::amzn-s3-demo-bucket/*" + "arn:aws:s3:::/*" @@ -426,0 +504,6 @@ To allow read access to these objects from your website, you can add a bucket po +JSON + + +**** + + @@ -433 +516 @@ To allow read access to these objects from your website, you can add a bucket po - "Sid":"Allow only GET requests originating from www.example.com and example.com.", + "Sid":"Allow only GET requests originating from www. and .", @@ -439 +522 @@ To allow read access to these objects from your website, you can add a bucket po - "StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]} + "StringLike":{"aws:Referer":["http://www./*","http:///*"]} @@ -471,0 +556,6 @@ The following example bucket policy grants ``JohnDoe`` full console access to on +JSON + + +**** + + @@ -530,0 +622,6 @@ In the following example, the bucket policy grants Elastic Load Balancing (ELB) +JSON + + +**** + + @@ -537 +634 @@ In the following example, the bucket policy grants Elastic Load Balancing (ELB) - "AWS": "arn:aws:iam::elb-account-id:root" + "AWS": "arn:aws:iam::111122223333:root" @@ -551,0 +650,6 @@ If your AWS Region does not appear in the supported Elastic Load Balancing Regio +JSON + + +**** + + @@ -585,0 +691,6 @@ To use this example: +JSON + + +**** + + @@ -611,0 +724,6 @@ The following example bucket policy grants Amazon S3 permission to write objects +JSON + + +**** + + @@ -650,0 +770,6 @@ The following example bucket policy grants Amazon S3 permission to write objects +JSON + + +**** + + @@ -689,0 +816,6 @@ The following example policy grants a user (``Ana``) permission to create an inv +JSON + + +**** + + @@ -775,0 +909,6 @@ This example policy denies any Amazon S3 operation on the ``/taxdocuments`` fold +JSON + + +**** + + @@ -795,0 +936,6 @@ The following bucket policy is an extension of the preceding bucket policy. The +JSON + + +**** + + @@ -822,0 +970,6 @@ For example, the following bucket policy, in addition to requiring MFA authentic +JSON + + +**** + + @@ -861,0 +1016,6 @@ In the following policy example, you explicitly deny `DELETE Object` permissions +JSON + + +**** + +