AWS Security ChangesHomeSearch

AWS prescriptive-guidance high security documentation change

Service: prescriptive-guidance · 2025-08-13 · Security-related high

File: prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md

Summary

Added documentation about resource control policies (RCPs) for presigned URL guardrails, expanded policy examples with organizational scope controls, and clarified ABAC exception handling

Security assessment

The changes introduce Resource Control Policies (RCPs) as a new security control mechanism, add explicit deny policies for principals outside the organization, and strengthen signature age enforcement. These are security-focused guardrails to prevent unauthorized presigned URL usage across AWS organizations. The added policies specifically mitigate risks of long-lived presigned URLs being exploited by external actors.

Diff

diff --git a/prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md b/prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md
index a929d7478..af24bd1bf 100644
--- a//prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md
+++ b//prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md
@@ -5 +5 @@
-Guardrail for s3:signatureAgeGuardrail for s3:authTypeCombining presigned guardrails and exceptions to other guardrailsLimitations to s3:signatureAgeTargeting buckets at scale
+Guardrail for s3:signatureAgeResource control policiesGuardrail for s3:authTypeCombining presigned guardrails and exceptions to other guardrailsLimitations to s3:signatureAgeTargeting buckets at scale
@@ -25 +25 @@ The second statement from the policy denies any Signature Version 2 access. [Thi
-You can apply the following policy as an AWS Organizations service control policy (SCP). Users can still use presigned requests and deploy solutions that depend on those requests, as long as the time between signature generation and usage is less than 15 minutes. Depending on the implementation, this limitation might have no impact, it might cause the solution to become unusable, or it might cause occasional failures that can be retried.
+You can apply the following policy as an AWS Organizations service control policy (SCP). Users can still use presigned requests and deploy solutions that depend on those requests, as long as the time between signature generation and usage is less than 15 minutes. Depending on the implementation, this limitation might have no impact, it might cause a solution to become unusable, or it might cause occasional failures that can be retried.
@@ -61,0 +62,2 @@ If you implement an exception policy by using `aws:PrincipalTag`, you must contr
+In the following example, the `aws:PrincipalTag` condition creates an exception that allows any principal with the named tag (`long-presigned-allowed`) assigned and set to `true`. With this exception the restriction on signature age is not applied.
+    
@@ -75 +76,0 @@ If you implement an exception policy by using `aws:PrincipalTag`, you must contr
-    --- Example exception ---
@@ -79 +79,0 @@ If you implement an exception policy by using `aws:PrincipalTag`, you must contr
-    --- Example exception end ---
@@ -87 +87,5 @@ If you implement an exception policy by using `aws:PrincipalTag`, you must contr
-You can apply bucket policies to all or selected buckets by using a policy as in the following example. Unlike an SCP, a bucket policy also targets [service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) usage. [Appendix A](./appendix-a.html) doesn’t document any expected service principal usage of presigned requests, but if you wanted to implement a control in order to prove that limit, the following policy would provide that control. Also, unlike an SCP, a bucket policy can apply to principals in your management account. ABAC-based exceptions work in bucket policies in the same way as an SCP. 
+You can apply bucket policies to all or selected buckets by using a policy as in the following example. Unlike an SCP, a bucket policy also targets [service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) usage. [Appendix A](./appendix-a.html) doesn’t document any expected service principal usage of presigned requests, but if you wanted to implement a control in order to prove that limit, the following policy would provide that control. Also, unlike an SCP, a bucket policy can apply to principals in your management account.
+
+ABAC-based exceptions work in bucket policies in the same way as an SCP. A goal of a bucket policy might be to apply to principals outside the organization, so ABAC exceptions should be constrained to the principals for which ABAC controls apply.
+
+In the following example, the `aws:PrincipalTag` condition in the first statement creates an exception for a principal with the named tag (`long-presigned-allowed`) assigned and set to `true`. With this exception the restriction on signature age is not applied. The second statement applies this restriction to all principals outside the AWS organization that owns the bucket. The scope of this second statement should match ABAC controls to set the named tag for principals. 
@@ -94 +98 @@ You can apply bucket policies to all or selected buckets by using a policy as in
-          "Sid": "DenyPresignedOver15Minutes",
+          "Sid": "DenyPresignedOver15MinWithExceptions",
@@ -103 +106,0 @@ You can apply bucket policies to all or selected buckets by using a policy as in
-    --- Example exception ---
@@ -107 +110,58 @@ You can apply bucket policies to all or selected buckets by using a policy as in
-    --- Example exception end ---
+          }
+        },
+        {
+          "Sid": "DenyPresignedOver15MinutesOutsideOrg",
+          "Effect": "Deny",
+          "Principal": "*",
+          "Action": "s3:*",
+          "Resource": "arn:aws:s3:::{bucket-name}/*",
+          "Condition": {
+            "NumericGreaterThan": {
+              "s3:signatureAge": "900000"
+            },
+            "StringNotEquals": {
+              "aws:PrincipalOrgID": "${aws:ResourceOrgID}"
+            }
+          }
+        }
+      ]
+    }
+
+## Resource control policies
+
+You can apply a policy to buckets at scale by using [resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html). Like SCPs and unlike bucket policies, RCPs do not target service principal usage. RCPs affect non-service principals from any account, but they do not affect resources in the management account. For more information, see the [AWS Organizations documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#actions-not-restricted-by-rcps). 
+
+As with bucket policies, if you use `aws:PrincipalTags` to create exceptions for principals, keep in mind the scope of ABAC controls on the tagging of principals. 
+
+The following RCP restricts presigned URL usage across all S3 buckets in an organization by limiting signature age to 15 minutes.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "DenyPresignedOver15MinWithExceptions",
+          "Effect": "Deny",
+          "Action": "s3:*",
+          "Resource": "arn:aws:s3:::*/*",
+          "Condition": {
+            "NumericGreaterThan": {
+              "s3:signatureAge": "900000"
+            },
+            "StringNotEquals": {
+              "aws:PrincipalTag/long-presigned-allowed": "true",
+            }
+          }
+        },
+        {
+          "Sid": "DenyPresignedOver15MinutesOutsideOrg",
+          "Effect": "Deny",
+          "Action": "s3:*",
+          "Resource": "arn:aws:s3:::*/*",
+          "Condition": {
+            "NumericGreaterThan": {
+              "s3:signatureAge": "900000"
+            },
+            "StringNotEquals": {
+              "aws:PrincipalOrgID": "${aws:ResourceOrgID}"
+            }
@@ -213 +273 @@ Although `s3:signatureAge` is measured in milliseconds, it isn't practical to se
-SCPs can use `aws:PrincipalTag` to make exceptions for users. You can't use tags on a bucket to control access through `aws:ResourceTag`―[only object tags are used for access control](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html). It isn't generally scalable to add a tag to every object you want to apply this control to. 
+SCPs and RCPs can use `aws:PrincipalTag` to make exceptions for users. You can't use tags on a bucket to control access through `aws:ResourceTag`―[only object tags are used for access control](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html). It isn't generally scalable to add a tag to every object you want to apply this control to. 
@@ -215 +275 @@ SCPs can use `aws:PrincipalTag` to make exceptions for users. You can't use tags
-A solution that fits many use cases is to apply the policy and exception at the account level, either by changing the accounts that the SCP applies to or by using [aws:ResourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount), [aws:ResourceOrgPaths](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgpaths), or [aws:ResourceOrgID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid). For example, an SCP might be applied to a set of production accounts.
+A solution that fits many use cases is to apply the policy and exception at the account level, either by changing the accounts that the SCP or RCP applies to or by using [aws:ResourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount), [aws:ResourceOrgPaths](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgpaths), or [aws:ResourceOrgID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid). For example, an SCP or RCP might be applied to a set of production accounts.