AWS AmazonS3 high security documentation change
Summary
Removed a JSON bucket policy example enforcing SSE-KMS encryption for directory buckets
Security assessment
The deleted policy explicitly enforced encryption (via Deny rule if SSE-KMS is not used). Removing this example could lead to insecure configurations where objects are stored without encryption, constituting a security risk. The removal eliminates guidance for a critical security control.
Diff
diff --git a/AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.md b/AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.md index 8dd49fe54..956ec3578 100644 --- a//AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.md +++ b//AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.md @@ -78,28 +77,0 @@ To require SSE-KMS of all objects in a particular directory bucket, you can use -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Id":"UploadObjectPolicy", - "Statement":[{ - "Sid":"DenyObjectsThatAreNotSSEKMS", - "Effect":"Deny", - "Principal":"*", - "Action":"s3express:CreateSession", - "Resource":"arn:aws:s3express:aws-region:111122223333:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3/*", - "Condition":{ - "Null":{ - "s3express:x-amz-server-side-encryption-aws-kms-key-id":"true" - } - } - } - ] - } - - - -