AWS AmazonS3 documentation change
Summary
Added example bucket policy JSON for cross-account S3 Batch Operations manifest access
Security assessment
Documents secure cross-account access patterns for batch operations but does not indicate remediation of a security issue. Shows proper resource-based policy configuration.
Diff
diff --git a/AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-csv.md b/AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-csv.md index abb3b000b..7678a3ef8 100644 --- a//AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-csv.md +++ b//AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-csv.md @@ -69,0 +70,28 @@ The following is an example of the bucket policy to apply to the source manifest +JSON + + +**** + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowBatchOperationsSourceManifestRead", + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::111122223333:user/ConsoleUserCreatingJob", + "arn:aws:iam::111122223333:role/BatchOperationsDestinationRoleCOPY" + ] + }, + "Action": [ + "s3:GetObject", + "s3:GetObjectVersion" + ], + "Resource": "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" + } + ] + } + +