AWS AmazonS3 medium security documentation change
Summary
Removed JSON examples demonstrating cross-account ListBucket permissions and explicit deny policies
Security assessment
The deleted deny policy example showed how to explicitly block ListBucket actions, which is a security control. Removing it may lead to overly permissive configurations if users lack guidance on implementing deny safeguards.
Diff
diff --git a/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.md b/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.md index abf461d07..5d470bf05 100644 --- a//AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.md +++ b//AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.md @@ -195,24 +194,0 @@ It's assumed that you're signed in to the console using **AccountBadmin** user c -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Example", - "Effect": "Allow", - "Action": [ - "s3:ListBucket" - ], - "Resource": [ - "arn:aws:s3:::example-s3-bucket;" - ] - } - ] - } - - @@ -268,40 +243,0 @@ You can have permissions granted by using an access control list (ACL), a bucket -JSON - - -**** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Example permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::AccountB-ID:root" - }, - "Action": [ - "s3:GetLifecycleConfiguration", - "s3:ListBucket" - ], - "Resource": [ - "arn:aws:s3:::amzn-s3-demo-bucket" - ] - }, - { - "Sid": "Deny permission", - "Effect": "Deny", - "Principal": { - "AWS": "arn:aws:iam::AccountB-ID:root" - }, - "Action": [ - "s3:ListBucket" - ], - "Resource": [ - "arn:aws:s3:::amzn-s3-demo-bucket" - ] - } - ] - } - -