AWS fsx documentation change
Summary
Removed cross-account S3 bucket policy example that restricted access via aws:PrincipalArn condition
Security assessment
While removing the policy example could lead to potential misconfigurations, there is no evidence this change addresses an active security issue. The removal might simplify documentation at the cost of reduced guidance on secure cross-account access.
Diff
diff --git a/fsx/latest/LustreGuide/s3-validation-error.md b/fsx/latest/LustreGuide/s3-validation-error.md index 9c62a77cd..4c827175c 100644 --- a//fsx/latest/LustreGuide/s3-validation-error.md +++ b//fsx/latest/LustreGuide/s3-validation-error.md @@ -21,34 +21 @@ If the FSx for Lustre file system is in the same account as the S3 bucket, this -If the FSx for Lustre file system is in a different account as the S3 bucket (cross-account case), in additional to making sure the IAM role you used has the required permissions, the S3 bucket policy should be configured to allow the access from the account that the FSx for Lustre is created in. Following is a sample bucket policy, - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "s3:AbortMultipartUpload", - "s3:DeleteObject", - "s3:PutObject", - "s3:GetObject", - "s3:GetBucketAcl", - "s3:GetBucketNotification", - "s3:ListBucket", - "s3:PutBucketNotification" - ], - "Resource": [ - "arn:aws:s3:::bucket_name", - "arn:aws:s3:::bucket_name/*" - ], - "Condition": { - "StringLike": { - "aws:PrincipalArn": [ - "arn:aws:iam::file_system_account_ID:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_fs-*" - } - } - } - ] - } +If the FSx for Lustre file system is in a different account as the S3 bucket (cross-account case), in additional to making sure the IAM role you used has the required permissions, the S3 bucket policy should be configured to allow the access from the account that the FSx for Lustre is created in.