AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-07-25 · Documentation medium

File: AmazonS3/latest/userguide/s3-tables-integrating-firehose.md

Summary

Updated resource ARNs with explicit regions (us-east-1) and tightened KMS condition (kms:ViaService)

Security assessment

The KMS condition now restricts usage to s3.us-east-1.amazonaws.com, demonstrating a security best practice for least privilege. This improves security documentation but does not indicate a resolved vulnerability.

Diff

diff --git a/AmazonS3/latest/userguide/s3-tables-integrating-firehose.md b/AmazonS3/latest/userguide/s3-tables-integrating-firehose.md
index 6530ca0f5..f1680d57b 100644
--- a//AmazonS3/latest/userguide/s3-tables-integrating-firehose.md
+++ b//AmazonS3/latest/userguide/s3-tables-integrating-firehose.md
@@ -35,0 +36,6 @@ Firehose needs an IAM [service role](https://docs.aws.amazon.com/IAM/latest/User
+JSON
+    
+
+****
+    
+    
@@ -48,5 +54,5 @@ Firehose needs an IAM [service role](https://docs.aws.amazon.com/IAM/latest/User
-            "arn:aws:glue:region:account-id:catalog/s3tablescatalog/*",
-            "arn:aws:glue:region:account-id:catalog/s3tablescatalog",
-            "arn:aws:glue:region:account-id:catalog",
-            "arn:aws:glue:region:account-id:database/*",
-            "arn:aws:glue:region:account-id:table/*/*"
+                    "arn:aws:glue:us-east-1:account-id:catalog/s3tablescatalog/*",
+                    "arn:aws:glue:us-east-1:account-id:catalog/s3tablescatalog",
+                    "arn:aws:glue:us-east-1:account-id:catalog",
+                    "arn:aws:glue:us-east-1:account-id:database/*",
+                    "arn:aws:glue:us-east-1:account-id:table/*/*"
@@ -80 +86 @@ Firehose needs an IAM [service role](https://docs.aws.amazon.com/IAM/latest/User
-          "Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
+                "Resource": "arn:aws:kinesis:us-east-1:account-id:stream/stream-name"
@@ -98 +104 @@ Firehose needs an IAM [service role](https://docs.aws.amazon.com/IAM/latest/User
-            "arn:aws:kms:region:account-id:key/KMS-key-id"
+                    "arn:aws:kms:us-east-1:account-id:key/KMS-key-id"
@@ -102 +108 @@ Firehose needs an IAM [service role](https://docs.aws.amazon.com/IAM/latest/User
-              "kms:ViaService": "s3.region.amazonaws.com"
+                        "kms:ViaService": "s3.us-east-1.amazonaws.com"
@@ -116 +122 @@ Firehose needs an IAM [service role](https://docs.aws.amazon.com/IAM/latest/User
-            "arn:aws:logs:region:account-id:log-group:log-group-name:log-stream:log-stream-name"
+                    "arn:aws:logs:us-east-1:account-id:log-group:log-group-name:log-stream:log-stream-name"
@@ -127 +133 @@ Firehose needs an IAM [service role](https://docs.aws.amazon.com/IAM/latest/User
-            "arn:aws:lambda:region:account-id:function:function-name:function-version"
+                    "arn:aws:lambda:us-east-1:account-id:function:function-name:function-version"
@@ -144,0 +152,6 @@ If error logging is enabled, Firehose also sends data delivery errors to your Cl
+JSON
+    
+
+****
+    
+