AWS Security ChangesHomeSearch

AWS singlesignon documentation change

Service: singlesignon · 2025-08-28 · Documentation low

File: singlesignon/latest/userguide/tip-tutorial-s3.md

Summary

Removed detailed S3 bucket policies and trust policy examples for Access Grants integration

Security assessment

While the removed content relates to security configurations, the deletion of examples does not indicate a security vulnerability fix. This appears to be documentation restructuring rather than addressing a specific security issue.

Diff

diff --git a/singlesignon/latest/userguide/tip-tutorial-s3.md b/singlesignon/latest/userguide/tip-tutorial-s3.md
index 47ed21922..61d91cf9b 100644
--- a//singlesignon/latest/userguide/tip-tutorial-s3.md
+++ b//singlesignon/latest/userguide/tip-tutorial-s3.md
@@ -55,94 +54,0 @@ To use these policies, replace the `italicized placeholder text` in the example
-JSON
-    
-
-****
-    
-        
-                {
-            "Version": "2012-10-17",
-            "Statement": [
-                {
-                    "Sid": "ObjectLevelReadPermissions",
-                    "Effect": "Allow",
-                    "Action": [
-                        "s3:GetObject",
-                        "s3:GetObjectVersion",
-                        "s3:GetObjectAcl",
-                        "s3:GetObjectVersionAcl",
-                        "s3:ListMultipartUploadParts"
-                    ],
-                    "Resource": [
-                        "arn:aws:s3:::*"
-                    ],
-                    "Condition": {
-                        "StringEquals": {
-                            "aws:ResourceAccount": "Your-AWS-Account-ID"
-                        },
-                        "ArnEquals": {
-                            "s3:AccessGrantsInstanceArn": [
-                                "Your-Custom-Access-Grants-Location-ARN"
-                            ]
-                        }
-                    }
-                },
-                {
-                    "Sid": "ObjectLevelWritePermissions",
-                    "Effect": "Allow",
-                    "Action": [
-                        "s3:PutObject",
-                        "s3:PutObjectAcl",
-                        "s3:PutObjectVersionAcl",
-                        "s3:DeleteObject",
-                        "s3:DeleteObjectVersion",
-                        "s3:AbortMultipartUpload"
-                    ],
-                    "Resource": [
-                        "arn:aws:s3:::*"
-                    ],
-                    "Condition": {
-                        "StringEquals": {
-                            "aws:ResourceAccount": "Your-AWS-Account-ID"
-                        },
-                        "ArnEquals": {
-                            "s3:AccessGrantsInstanceArn": [
-                                "Your-Custom-Access-Grants-Location-ARN"
-                            ]
-                        }
-                    }
-                },
-                {
-                    "Sid": "BucketLevelReadPermissions",
-                    "Effect": "Allow",
-                    "Action": [
-                        "s3:ListBucket"
-                    ],
-                    "Resource": [
-                        "arn:aws:s3:::*"
-                    ],
-                    "Condition": {
-                        "StringEquals": {
-                            "aws:ResourceAccount": "Your-AWS-Account-ID"
-                        },
-                        "ArnEquals": {
-                            "s3:AccessGrantsInstanceArn": [
-                                "Your-Custom-Access-Grants-Location-ARN"
-                            ]
-                        }
-                    }
-                },
-                "//Optionally add the following section if you use SSE-KMS encryption",
-                {
-                    "Sid": "KMSPermissions",
-                    "Effect": "Allow",
-                    "Action": [
-                        "kms:Decrypt",
-                        "kms:GenerateDataKey"
-                    ],
-                    "Resource": [
-                        "*"
-                    ]
-                }
-            ]
-        }
-        
-
@@ -153,48 +58,0 @@ In the IAM role trust policy, give the S3 Access Grants service (`access-grants.
-JSON
-    
-
-****
-    
-        
-                {
-            "Version": "2012-10-17",
-            "Statement": [
-                {
-                    "Sid": "Stmt1234567891011",
-                    "Effect": "Allow",
-                    "Principal": {
-                        "Service": "access-grants.s3.amazonaws.com"
-                    },
-                    "Action": [
-                        "sts:AssumeRole",
-                        "sts:SetSourceIdentity"
-                    ],
-                    "Condition": {
-                        "StringEquals": {
-                            "aws:SourceAccount": "Your-AWS-Account-ID",
-                            "aws:SourceArn": "Your-Custom-Access-Grants-Location-ARN"
-                        }
-                    }
-                },
-                "//For an IAM Identity Center use case, add:",
-                {
-                    "Sid": "Stmt1234567891012",
-                    "Effect": "Allow",
-                    "Principal": {
-                        "Service": "access-grants.s3.amazonaws.com"
-                    },
-                    "Action": "sts:SetContext",
-                    "Condition": {
-                        "StringEquals": {
-                            "aws:SourceAccount": "Your-AWS-Account-ID",
-                            "aws:SourceArn": "Your-Custom-Access-Grants-Location-ARN"
-                        },
-                        "ForAllValues:ArnEquals": {
-                            "sts:RequestContextProviders": "arn:aws:iam::aws:contextProvider/IdentityCenter"
-                        }
-                    }
-                }
-            ]
-        }
-        
-