AWS Security ChangesHomeSearch

AWS amazonglacier documentation change

Service: amazonglacier · 2025-10-01 · Documentation low

File: amazonglacier/latest/dev/security_iam_id-based-policy-examples.md

Summary

Updated service name references from 'S3 Glacier' to 'Glacier' throughout the document, adjusted links and policy examples to match naming conventions, and added/removed JSON policy examples.

Security assessment

The changes primarily involve branding/naming standardization (removing 'S3' from service names) and formatting updates to policy examples. No explicit security vulnerabilities, exploits, or incident-related fixes are mentioned. The updates to IAM policy examples are routine documentation improvements rather than new security features or vulnerability mitigations.

Diff

diff --git a/amazonglacier/latest/dev/security_iam_id-based-policy-examples.md b/amazonglacier/latest/dev/security_iam_id-based-policy-examples.md
index 2f0f22dc0..79f262bfd 100644
--- a//amazonglacier/latest/dev/security_iam_id-based-policy-examples.md
+++ b//amazonglacier/latest/dev/security_iam_id-based-policy-examples.md
@@ -7 +7 @@ Policy best practicesUsing the consoleAllow users to view their own permissionsC
-**This page is only for existing customers of the S3 Glacier service using Vaults and the original REST API from 2012.**
+**This page is only for existing customers of the Glacier service using Vaults and the original REST API from 2012.**
@@ -9 +9 @@ Policy best practicesUsing the consoleAllow users to view their own permissionsC
-If you're looking for archival storage solutions we suggest using the S3 Glacier storage classes in Amazon S3, **S3 Glacier Instant Retrieval** , **S3 Glacier Flexible Retrieval** , and **S3 Glacier Deep Archive**. To learn more about these storage options, see [S3 Glacier storage classes](https://aws.amazon.com/s3/storage-classes/glacier/) and [Long-term data storage using S3 Glacier storage classes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/glacier-storage-classes) in the _Amazon S3 User Guide_. These storage classes use the Amazon S3 API, are available in all regions, and can be managed within the Amazon S3 console. They offer features like Storage Cost Analysis, Storage Lens, advanced optional encryption features, and more.
+If you're looking for archival storage solutions we suggest using the Glacier storage classes in Amazon S3, **S3 Glacier Instant Retrieval** , **S3 Glacier Flexible Retrieval** , and **S3 Glacier Deep Archive**. To learn more about these storage options, see [Glacier storage classes](https://aws.amazon.com/s3/storage-classes/glacier/) and [Long-term data storage using Glacier storage classes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/glacier-storage-classes) in the _Amazon S3 User Guide_. These storage classes use the Amazon S3 API, are available in all regions, and can be managed within the Amazon S3 console. They offer features like Storage Cost Analysis, Storage Lens, advanced optional encryption features, and more.
@@ -11 +11 @@ If you're looking for archival storage solutions we suggest using the S3 Glacier
-# Identity-based policy examples for Amazon S3 Glacier
+# Identity-based policy examples for Amazon Glacier
@@ -13 +13 @@ If you're looking for archival storage solutions we suggest using the S3 Glacier
-By default, users and roles don't have permission to create or modify S3 Glacier resources. They also can't perform tasks by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS API. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies. The administrator can then add the IAM policies to roles, and users can assume the roles.
+By default, users and roles don't have permission to create or modify Glacier resources. They also can't perform tasks by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS API. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies. The administrator can then add the IAM policies to roles, and users can assume the roles.
@@ -17 +17,8 @@ To learn how to create an IAM identity-based policy by using these example JSON
-For details about actions and resource types defined by S3 Glacier, including the format of the ARNs for each of the resource types, see [Actions, resources, and condition keys for Amazon S3 Glacier](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3glacier.html) in the _Service Authorization Reference_.
+For details about actions and resource types defined by Glacier, including the format of the ARNs for each of the resource types, see [Actions, resources, and condition keys for Amazon Glacier](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3glacier.html) in the _Service Authorization Reference_.
+
+The following is an example policy that grants permissions for three Glacier vault-related actions (`glacier:CreateVault`, `glacier:DescribeVault` and `glacier:ListVaults`) on a resource, using the Amazon Resource Name (ARN) that identifies all of the vaults in the `us-west-2` AWS Region. ARNs uniquely identify AWS resources. For more information about ARNs used with Glacier, see [Policy resources for Glacier](./security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources).
+
+JSON
+    
+
+****
@@ -19 +25,0 @@ For details about actions and resource types defined by S3 Glacier, including th
-The following is an example policy that grants permissions for three S3 Glacier vault-related actions (`glacier:CreateVault`, `glacier:DescribeVault` and `glacier:ListVaults`) on a resource, using the Amazon Resource Name (ARN) that identifies all of the vaults in the `us-west-2` AWS Region. ARNs uniquely identify AWS resources. For more information about ARNs used with S3 Glacier, see [Policy resources for S3 Glacier](./security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources).
@@ -47 +54 @@ When you grant permissions to create a vault using the `glacier:CreateVault` ope
-  * Using the S3 Glacier console
+  * Using the Glacier console
@@ -58 +65 @@ When you grant permissions to create a vault using the `glacier:CreateVault` ope
-Identity-based policies determine whether someone can create, access, or delete S3 Glacier resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+Identity-based policies determine whether someone can create, access, or delete Glacier resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
@@ -75 +82 @@ For more information about best practices in IAM, see [Security best practices i
-## Using the S3 Glacier console
+## Using the Glacier console
@@ -77 +84 @@ For more information about best practices in IAM, see [Security best practices i
-To access the Amazon S3 Glacier console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the S3 Glacier resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.
+To access the Amazon Glacier console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Glacier resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.
@@ -81 +88,7 @@ You don't need to allow minimum console permissions for users that are making ca
-The S3 Glacier console provides an integrated environment for you to create and manage S3 Glacier vaults. At a minimum IAM identities that you create must be granted permissions for the `glacier:ListVaults` action to view the S3 Glacier console as shown in the following example. 
+The Glacier console provides an integrated environment for you to create and manage Glacier vaults. At a minimum IAM identities that you create must be granted permissions for the `glacier:ListVaults` action to view the Glacier console as shown in the following example. 
+
+JSON
+    
+
+****
+    
@@ -99 +113 @@ AWS addresses many common use cases by providing standalone IAM policies that ar
-The following AWS managed policies, which you can attach to users in your account, are specific to S3 Glacier:
+The following AWS managed policies, which you can attach to users in your account, are specific to Glacier:
@@ -101 +115 @@ The following AWS managed policies, which you can attach to users in your accoun
-  * **AmazonGlacierReadOnlyAccess** – Grants read only access to S3 Glacier through the AWS Management Console.
+  * **AmazonGlacierReadOnlyAccess** – Grants read only access to Glacier through the AWS Management Console.
@@ -103 +117 @@ The following AWS managed policies, which you can attach to users in your accoun
-  * **AmazonGlacierFullAccess** – Grants full access to S3 Glacier through the AWS Management Console. 
+  * **AmazonGlacierFullAccess** – Grants full access to Glacier through the AWS Management Console. 
@@ -108 +122 @@ The following AWS managed policies, which you can attach to users in your accoun
-You can also create your own custom IAM policies to allow permissions for S3 Glacier API actions and resources. You can attach these custom policies to the custom IAM roles that you create for your S3 Glacier vaults. 
+You can also create your own custom IAM policies to allow permissions for Glacier API actions and resources. You can attach these custom policies to the custom IAM roles that you create for your Glacier vaults. 
@@ -110 +124 @@ You can also create your own custom IAM policies to allow permissions for S3 Gla
-Both of the S3 Glacier AWS Managed policies discussed in the next section grant permissions for `glacier:ListVaults`. 
+Both of the Glacier AWS Managed policies discussed in the next section grant permissions for `glacier:ListVaults`. 
@@ -154 +168 @@ This example shows how you might create a policy that allows IAM users to view t
-In this section, you can find example user policies that grant permissions for various S3 Glacier actions. These policies work when you are using S3 Glacier REST API, the Amazon SDKs, the AWS CLI, or, if applicable, the S3 Glacier management console. 
+In this section, you can find example user policies that grant permissions for various Glacier actions. These policies work when you are using Glacier REST API, the Amazon SDKs, the AWS CLI, or, if applicable, the Glacier management console. 
@@ -177,15 +191 @@ To download an archive, you first initiate a job to retrieve the archive. After
-The policy grants these permissions on a vault named `examplevault`. You can get the vault ARN from the [Amazon S3 Glacier console](https://console.aws.amazon.com/glacier/home), or programmatically by calling either the [Describe Vault (GET vault)](./api-vault-get.html) or the [List Vaults (GET vaults)](./api-vaults-get.html) API actions.
-    
-    
-    {
-                   "Version":"2012-10-17",
-                   "Statement": [
-                      {
-                         "Effect": "Allow",
-                         "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault",
-                         "Action":["glacier:InitiateJob",
-                                  "glacier:GetJobOutput",
-                                  "glacier:DescribeJob"] 
-                      }
-                   ]
-                   }
+The policy grants these permissions on a vault named `examplevault`. You can get the vault ARN from the [Amazon Glacier console](https://console.aws.amazon.com/glacier/home), or programmatically by calling either the [Describe Vault (GET vault)](./api-vault-get.html) or the [List Vaults (GET vaults)](./api-vaults-get.html) API actions.
@@ -195 +195 @@ The policy grants these permissions on a vault named `examplevault`. You can get
-The following example policy grants permissions to create a vault in the us-west-2 Region as specified in the `Resource` element and configure notifications. For more information about working with notifications, see [Configuring Vault Notifications in Amazon S3 Glacier](./configuring-notifications.html). The policy also grants permissions to list vaults in the AWS Region and get a specific vault description. 
+The following example policy grants permissions to create a vault in the us-west-2 Region as specified in the `Resource` element and configure notifications. For more information about working with notifications, see [Configuring Vault Notifications in Amazon Glacier](./configuring-notifications.html). The policy also grants permissions to list vaults in the AWS Region and get a specific vault description. 
@@ -201,17 +200,0 @@ When you grant permissions to create a vault using the `glacier:CreateVault` ope
-    
-    {
-                   "Version":"2012-10-17",
-                   "Statement": [
-                      {
-                         "Effect": "Allow",
-                         "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/*",
-                         "Action":["glacier:CreateVault",
-                                  "glacier:SetVaultNotifications",
-                                  "glacier:GetVaultNotifications",
-                                  "glacier:DeleteVaultNotifications",
-                                  "glacier:DescribeVault",
-                                  "glacier:ListVaults"] 
-                      }
-                   ]
-                   }
-
@@ -222,17 +204,0 @@ The following example policy grants permissions to upload archives to a specific
-    
-    {
-                   "Version":"2012-10-17",
-                   "Statement": [
-                      {
-                         "Effect": "Allow",
-                         "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault",
-                         "Action":["glacier:UploadArchive",
-                                  "glacier:InitiateMultipartUpload",
-                                  "glacier:UploadMultipartPart",
-                                  "glacier:ListParts",
-                                  "glacier:ListMultipartUploads",
-                                  "glacier:CompleteMultipartUpload"] 
-                      }
-                   ]
-                   }
-
@@ -241,13 +207 @@ The following example policy grants permissions to upload archives to a specific
-The following example policy grants permissions for all S3 Glacier actions on a vault named `examplevault`.
-    
-    
-    {
-                "Version":"2012-10-17",
-                "Statement": [
-                   {
-                      "Effect": "Allow",
-                      "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault",
-                      "Action":["glacier:*"] 
-                   }
-                ]
-                }
+The following example policy grants permissions for all Glacier actions on a vault named `examplevault`.
@@ -261 +215 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-How Amazon S3 Glacier works with IAM
+How Amazon Glacier works with IAM