AWS Security ChangesHomeSearch

AWS AmazonS3 high security documentation change

Service: AmazonS3 · 2025-08-28 · Security-related high

File: AmazonS3/latest/userguide/example-bucket-policies.md

Summary

Removed multiple JSON examples including policies enforcing SSE-KMS encryption, HTTPS-only access, and referer-based restrictions

Security assessment

Deleted examples included security-critical policies: enforcing encryption-at-rest (SSE-KMS), blocking insecure HTTP traffic, and restricting access via HTTP referer. Their removal reduces visibility into security best practices, increasing risks of data exposure or unauthorized access.

Diff

diff --git a/AmazonS3/latest/userguide/example-bucket-policies.md b/AmazonS3/latest/userguide/example-bucket-policies.md
index f1a15ea7d..b4fc43aa0 100644
--- a//AmazonS3/latest/userguide/example-bucket-policies.md
+++ b//AmazonS3/latest/userguide/example-bucket-policies.md
@@ -133,25 +132,0 @@ The following example policy denies any objects from being written to the bucket
-JSON
-    
-
-****
-    
-    
-    
-    {
-    "Version": "2012-10-17",
-    "Id": "PutObjPolicy",
-    "Statement": [{
-      "Sid": "DenyObjectsThatAreNotSSEKMSWithSpecificKey",
-      "Principal": "*",
-      "Effect": "Deny",
-      "Action": "s3:PutObject",
-      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
-      "Condition": {
-        "ArnNotEqualsIfExists": {
-          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:aws-region:111122223333:key/01234567-89ab-cdef-0123-456789abcdef"
-        }
-      }
-    }]
-    }
-    
-
@@ -471,27 +445,0 @@ In the following example, the bucket policy explicitly denies HTTP requests.
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [{
-            "Sid": "RestrictToTLSRequestsOnly",
-            "Action": "s3:*",
-            "Effect": "Deny",
-            "Resource": [
-                "arn:aws:s3:::amzn-s3-demo-bucket",
-                "arn:aws:s3:::example-s3-bucket;/*"
-            ],
-            "Condition": {
-                "Bool": {
-                    "aws:SecureTransport": "false"
-                }
-            },
-            "Principal": "*"
-        }]
-    }
-    
-
@@ -504,25 +451,0 @@ To allow read access to these objects from your website, you can add a bucket po
-JSON
-    
-
-****
-    
-    
-    
-    {
-      "Version":"2012-10-17",
-      "Id":"HTTP referer policy example",
-      "Statement":[
-        {
-          "Sid":"Allow only GET requests originating from www.example.com and example.com.",
-          "Effect":"Allow",
-          "Principal":"*",
-          "Action":["s3:GetObject","s3:GetObjectVersion"],
-          "Resource":"arn:aws:s3:::amzn-s3-demo-bucket/*",
-          "Condition":{
-            "StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
-          }
-        }
-      ]
-    }
-    
-