AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-08-01 · Documentation low

File: AmazonS3/latest/userguide/directory-buckets-tagging.md

Summary

Restructured documentation to focus on ABAC (Attribute-Based Access Control) usage with directory buckets. Removed detailed explanations of tag components and cost allocation workflows, added example ABAC policies, and corrected resource ARN formats.

Security assessment

The changes emphasize ABAC (security feature) usage with tag-based access control policies, including example IAM/bucket policies. However, there is no evidence of addressing a specific security vulnerability. The updates improve documentation for security-related features but do not indicate a patched issue.

Diff

diff --git a/AmazonS3/latest/userguide/directory-buckets-tagging.md b/AmazonS3/latest/userguide/directory-buckets-tagging.md
index 8874cd907..f69537ec9 100644
--- a//AmazonS3/latest/userguide/directory-buckets-tagging.md
+++ b//AmazonS3/latest/userguide/directory-buckets-tagging.md
@@ -5 +5 @@
-How tags workCommon ways to use tagsWorking with tags
+Common ways to use tags with directory bucketsManaging tags for directory buckets
@@ -9 +9 @@ How tags workCommon ways to use tagsWorking with tags
-An AWS tag is a key-value pair that holds metadata about resources, in this case Amazon S3 directory buckets. You can tag S3 directory buckets when you create them or manage tags on existing directory buckets. There is no additional charge for using tags on directory buckets beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).
+An AWS tag is a key-value pair that holds metadata about resources, in this case Amazon S3 directory buckets. You can tag S3 directory buckets when you create them or manage tags on existing directory buckets. For general information about tags, see [Tagging for cost allocation or attribute-based access control (ABAC)](./tagging.html).
@@ -11,51 +11 @@ An AWS tag is a key-value pair that holds metadata about resources, in this case
-## How tags work
-
-Amazon S3 directory buckets support two types of tags:
-
-  * **AWS-generated tags:** AWS automatically applies these tags, and you cannot modify them or remove them. To learn more about AWS-generated tags, see [Using AWS-generated tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/aws-tags.html).
-
-  * **User-defined tags:** You apply these tags to your S3 directory buckets or other resources and manage them.
-
-
-
-
-### User-defined tags
-
-A user-defined tag is a tag key-value pair that you use to label your resources. User-defined tags consists of a required key and an optional value. These are the main components of a user-defined tag:
-
-#### The tag key
-
-The tag key is the required name of the tag. For example, `project` is the tag key in the following tag key-value pair:
-
-Key | Value  
----|---  
-`project` | `Trinity`  
-  
-The tag key is a case-sensitive string that must contain between 1 and 128 Unicode characters.
-
-#### The tag value
-
-The tag value is an optional string. For example, `Trinity` is the tag value in this tag key-value pair:
-
-Key | Value  
----|---  
-`project` | `Trinity`  
-  
-The tag value is a case-sensitive string that can contain between 0 and 256 Unicode characters.
-
-For details on the characters allowed in user-defined tags and other restrictions, see [User-Defined Tag Restrictions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/custom-tags.html#allocation-tag-restrictions) in the _AWS Billing and Cost Management User Guide_.
-
-#### The tag set
-
-Each S3 directory bucket has one _tag set_ that contains all of the tag key and value pairs that are assigned to that bucket. A tag set can contain as many as 50 user-defined tags, or it can be empty.
-
-While each key must be unique in a tag set, you can use the same value multiple times. For example, you can have the same value, `Trinity`, for following two tag keys:
-
-Key | Value  
----|---  
-`project` | `Trinity`  
-`cost-center` | `Trinity`  
-  
-Within a bucket, when you add a tag that has the same key as an existing tag, the new value overwrites the old value.
-
-AWS doesn't apply any semantic meaning to your tags. We interpret tags strictly as character strings.
+###### Note
@@ -63 +13 @@ AWS doesn't apply any semantic meaning to your tags. We interpret tags strictly
-To add, list, modify, or delete tags, you can use the Amazon S3 console, the AWS Command Line Interface (AWS CLI), or the Amazon S3 API. 
+There is no additional charge for using tags on directory buckets beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).
@@ -65 +15 @@ To add, list, modify, or delete tags, you can use the Amazon S3 console, the AWS
-## Common ways to use tags
+## Common ways to use tags with directory buckets
@@ -69 +19 @@ Use tags on your S3 directory buckets for:
-  1. **Cost allocation** – Track storage costs by bucket tag in AWS Billing and Cost Management.
+  1. **Cost allocation** – Track storage costs by bucket tag in AWS Billing and Cost Management. For more information, see [Using tags for ABAC](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.xml#using-tags-for-cost-allocation).
@@ -71 +21 @@ Use tags on your S3 directory buckets for:
-  2. **Attribute based access control (ABAC)** – Scale access permissions and grant access to S3 directory buckets based on their tags.
+  2. **Attribute-based access control (ABAC)** – Scale access permissions and grant access to S3 directory buckets based on their tags. For more information, see [Using tags for ABAC](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.xml#using-tags-for-abac).
@@ -80,31 +30 @@ You can use the same tags for both cost allocation and access control.
-### Using tags for cost allocation
-
-Track your Amazon S3 storage costs by applying tags to S3 directory buckets and activating these tags for cost allocation.
-
-To start tracking costs:
-
-  1. Add tags to your S3 directory buckets or use existing tags. For more information on how to add user-defined tags to your directory buckets, see Working with tags. For example, you can label buckets with a tag that identifies a project or a group of projects.
-
-  2. Activate the tags for cost allocation in the AWS Billing and Cost Management console. See [Activating user-defined cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/activating-tags.html) in the _AWS Billing and Cost Management User Guide_. You can activate user-defined or AWS-generated tags. For more information, see [Organizing and tracking costs using AWS cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html).
-
-
-
-
-AWS uses the activated tags to organize your resource costs in various billing and cost management tools, such as: 
-
-  * **Cost allocation report**
-
-Provides a high-level view of costs organized by your activated tags. For more information, see [Using the monthly cost allocation report](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/configurecostallocreport.html) in the _AWS Billing User Guide_.
-
-  * **Cost and Usage Report (CUR)**
-
-Provides the most detailed set of AWS cost and usage data, including tag-based cost breakdowns. For more information, see [What are AWS Cost and Usage Reports?](https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html) in the _AWS Data Export User Guide_.
-
-
-
-
-### Using tags for attribute based access control (ABAC)
-
-Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes, i.e., tags. You can attach tags to AWS Identity and Access Management (IAM) entities (users or roles) and to AWS resources, such as Amazon S3 directory buckets. Then, you control permissions to these resources using tag-based conditions in access control policies to allow or deny operations when these conditions are met. 
-
-#### ABAC for S3 directory buckets
+### ABAC for S3 directory buckets
@@ -112 +32 @@ Attribute-based access control (ABAC) is an authorization strategy that defines
-Amazon S3 directory buckets support attribute-based access control (ABAC) using tags. Use tag based condition keys in your AWS organizations, IAM, and S3 directory bucket policies. For enterprises, ABAC in Amazon S3 supports authorization across multiple AWS accounts. 
+Amazon S3 directory buckets support attribute-based access control (ABAC) using tags. Use tag-based condition keys in your AWS organizations, IAM, and S3 directory bucket policies. For enterprises, ABAC in Amazon S3 supports authorization across multiple AWS accounts. 
@@ -135 +55 @@ In your IAM policies, you can control access to S3 directory buckets based on th
-#### Example policies
+### Example ABAC policies for directory buckets
@@ -139 +59 @@ See the following example ABAC policies for Amazon S3 directory buckets.
-##### 1.1 - IAM policy to create or modify buckets with specific tags
+#### 1.1 - IAM policy to create or modify buckets with specific tags
@@ -167 +87 @@ In this IAM policy, users or roles with this policy can only create S3 directory
-##### 1.2 - Bucket policy to restrict operations on the bucket using tags
+#### 1.2 - Bucket policy to restrict operations on the bucket using tags
@@ -182 +102 @@ In this bucket policy, IAM principals (users and roles) can perform operations u
-          "Resource": "arn:aws:s3express:us-west-2:111122223333:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3",
+          "Resource": "arn:aws::s3express:us-west-2:111122223333:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3",
@@ -192 +112 @@ In this bucket policy, IAM principals (users and roles) can perform operations u
-##### 1.3 - IAM policy to modify tags on existing resources maintaining tagging governence
+#### 1.3 - IAM policy to modify tags on existing resources maintaining tagging governence
@@ -206 +126 @@ In this IAM policy, IAM principals (users or roles) can modify tags on a bucket
-          "Resource": "arn:aws:s3express:*:*:bucket/*",
+          "Resource": "arn:aws::s3express:us-west-2:111122223333:bucket/*",
@@ -224 +144 @@ In this IAM policy, IAM principals (users or roles) can modify tags on a bucket
-##### 1.4 - Using the s3express:BucketTag condition key
+#### 1.4 - Using the s3express:BucketTag condition key
@@ -236 +156 @@ In this IAM policy, the condition statement allows access to the bucket's data o
-          "Resource": "arn:aws:s3express:*:*:accesspoint/*",
+          "Resource": "arn:aws::s3express:us-west-2:111122223333:accesspoint/*",
@@ -247 +167 @@ In this IAM policy, the condition statement allows access to the bucket's data o
-## Working with tags
+## Managing tags for directory buckets
@@ -257 +177 @@ You can add or manage tags for S3 directory buckets using the Amazon S3 Console,
-  * [Viewing directory bucket tags](./w955aac16c69c17.html)
+  * [Viewing directory bucket tags](./w968aac16c69c17.html)