AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-09-19 · Documentation low

File: AmazonS3/latest/userguide/access-grants-location-register.md

Summary

Added IAM role policy examples with granular permissions and KMS conditions for Access Grants

Security assessment

The changes demonstrate secure configuration patterns including least-privilege permissions, KMS encryption controls, and access grants conditions. While security-related, there is no evidence of addressing an existing vulnerability.

Diff

diff --git a/AmazonS3/latest/userguide/access-grants-location-register.md b/AmazonS3/latest/userguide/access-grants-location-register.md
index 3c61465c9..e3e577574 100644
--- a//AmazonS3/latest/userguide/access-grants-location-register.md
+++ b//AmazonS3/latest/userguide/access-grants-location-register.md
@@ -191,0 +192,21 @@ _TestRolePolicy.json_
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Sid": "Stmt1234567891011",
+          "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
+          "Effect": "Allow",
+          "Principal": {"Service": "access-grants.s3.amazonaws.com"}
+        }
+      ]
+    }
+    
+    
+
@@ -241,0 +263,88 @@ _iam-policy.json_
+JSON
+    
+
+****
+    
+    
+    
+    {
+       "Version": "2012-10-17",		 	 	 
+       "Statement": [
+           {
+             "Sid": "ObjectLevelReadPermissions",
+             "Effect": "Allow",
+             "Action": [
+                "s3:GetObject",
+                "s3:GetObjectVersion",
+                "s3:GetObjectAcl",
+                "s3:GetObjectVersionAcl",
+                "s3:ListMultipartUploadParts"
+             ],
+             "Resource": [ 
+                "arn:aws:s3:::*"  
+             ],
+             "Condition": {
+                "StringEquals": { "aws:ResourceAccount": "111122223333" },
+                "ArnEquals": {
+                    "s3:AccessGrantsInstanceArn": ["arn:aws:s3:us-east-1::access-grants/default"]
+                }
+            } 
+          },
+          {
+             "Sid": "ObjectLevelWritePermissions",
+             "Effect": "Allow",
+             "Action": [
+                "s3:PutObject",
+                "s3:PutObjectAcl",
+                "s3:PutObjectVersionAcl",
+                "s3:DeleteObject",
+                "s3:DeleteObjectVersion",
+                "s3:AbortMultipartUpload"
+             ],
+             "Resource": [
+                "arn:aws:s3:::*"  
+             ],
+             "Condition": {
+                "StringEquals": { "aws:ResourceAccount": "111122223333" },
+                "ArnEquals": {
+                    "s3:AccessGrantsInstanceArn": ["arn:aws:s3:us-east-1::access-grants/default"]
+                }
+             } 
+          },
+          {
+             "Sid": "BucketLevelReadPermissions",
+             "Effect": "Allow",
+             "Action": [
+                "s3:ListBucket"
+             ],
+             "Resource": [
+                "arn:aws:s3:::*"
+             ],
+             "Condition": {
+                "StringEquals": { "aws:ResourceAccount": "111122223333" },
+                "ArnEquals": {
+                    "s3:AccessGrantsInstanceArn": ["arn:aws:s3:us-east-1::access-grants/default"]
+                }
+             }     
+          },
+          {
+             "Sid": "KMSPermissions",
+             "Effect": "Allow",
+             "Action": [
+                "kms:Decrypt",
+                "kms:GenerateDataKey"
+             ],
+             "Resource": [
+                "*"
+             ],
+             "Condition": {
+                "StringEquals": {
+                   "kms:ViaService": "s3.us-east-1.amazonaws.com"
+                }
+             }
+          }
+       ]
+    }
+    
+    
+