AWS Security ChangesHomeSearch

AWS fsx documentation change

Service: fsx · 2025-09-19 · Documentation medium

File: fsx/latest/LustreGuide/s3-validation-error.md

Summary

Removed cross-account S3 bucket policy example that restricted access via aws:PrincipalArn condition

Security assessment

While removing the policy example could lead to potential misconfigurations, there is no evidence this change addresses an active security issue. The removal might simplify documentation at the cost of reduced guidance on secure cross-account access.

Diff

diff --git a/fsx/latest/LustreGuide/s3-validation-error.md b/fsx/latest/LustreGuide/s3-validation-error.md
index 9c62a77cd..4c827175c 100644
--- a//fsx/latest/LustreGuide/s3-validation-error.md
+++ b//fsx/latest/LustreGuide/s3-validation-error.md
@@ -21,34 +21 @@ If the FSx for Lustre file system is in the same account as the S3 bucket, this
-If the FSx for Lustre file system is in a different account as the S3 bucket (cross-account case), in additional to making sure the IAM role you used has the required permissions, the S3 bucket policy should be configured to allow the access from the account that the FSx for Lustre is created in. Following is a sample bucket policy,
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "*"
-                },
-                "Action": [
-                    "s3:AbortMultipartUpload",
-                    "s3:DeleteObject",
-                    "s3:PutObject",
-                    "s3:GetObject",
-                    "s3:GetBucketAcl",
-                    "s3:GetBucketNotification",
-                    "s3:ListBucket",
-                    "s3:PutBucketNotification"
-                ],
-                "Resource": [
-                    "arn:aws:s3:::bucket_name",
-                    "arn:aws:s3:::bucket_name/*"
-                ],
-                "Condition": {
-                    "StringLike": {     
-                        "aws:PrincipalArn": [
-                            "arn:aws:iam::file_system_account_ID:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_fs-*"
-                    }
-                }
-            }
-        ]
-    }
+If the FSx for Lustre file system is in a different account as the S3 bucket (cross-account case), in additional to making sure the IAM role you used has the required permissions, the S3 bucket policy should be configured to allow the access from the account that the FSx for Lustre is created in.