AWS Security ChangesHomeSearch

AWS datasync documentation change

Service: datasync · 2025-10-01 · Documentation medium

File: datasync/latest/userguide/API_CreateLocationS3.md

Summary

Removed all examples showing IAM role configuration for S3 bucket access

Security assessment

Removes implementation examples but does not directly address security vulnerabilities. However, removal of IAM configuration examples could indirectly impact security posture if users misconfigure permissions.

Diff

diff --git a/datasync/latest/userguide/API_CreateLocationS3.md b/datasync/latest/userguide/API_CreateLocationS3.md
index ff048f882..efe2f9a76 100644
--- a//datasync/latest/userguide/API_CreateLocationS3.md
+++ b//datasync/latest/userguide/API_CreateLocationS3.md
@@ -5 +5 @@
-Request SyntaxRequest ParametersResponse SyntaxResponse ElementsErrorsExamplesSee Also
+Request SyntaxRequest ParametersResponse SyntaxResponse ElementsErrorsSee Also
@@ -188,84 +187,0 @@ HTTP Status Code: 400
-## Examples
-
-### Step 1. Allow to assume the IAM role required to write to the bucket
-
-The following example shows the simplest policy that grants the required permissions for AWS DataSync to access a destination Amazon S3 bucket, followed by an IAM role to which the `create-location-s3-iam-role` policy has been attached.
-    
-    
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "Service": "datasync.amazonaws.com"
-          },
-          "Action": "sts:AssumeRole"
-        }
-      ]
-    }
-    
-    
-    "Role": {
-            "Path": "/",
-            "RoleName": "amzn-s3-demo-bucket-access-role",
-            "RoleId": "role-id",
-            "Arn": "arn:aws:iam::account-id:role/amzn-s3-demo-bucket-access-role",
-            "CreateDate": "2018-07-27T02:49:23.117Z",
-            "AssumeRolePolicyDocument": {
-                "Version": "2012-10-17",
-                "Statement": [
-                    {
-                        "Effect": "Allow",
-                        "Principal": {
-                            "Service": "datasync.amazonaws.com"
-                        },
-                        "Action": "sts:AssumeRole"
-                    }
-                ]
-            }
-        }
-    }
-
-### Step 2. Allow the created IAM role to write to the bucket
-
-Attach a policy that has sufficient permissions to access the bucket to the role. An example of such policy is the `AWSDataSyncFullAccess` managed policy.
-
-For more information, see [AWSDataSyncFullAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSDataSyncFullAccess$jsonEditor) in the IAM console.
-
-You don't need to create this policy. It's managed by AWS, so all that you need to do is specify its ARN in the `attach-role-policy` command.
-    
-    
-    IAM_POLICY_ARN='arn:aws:iam::aws:policy/AWSDataSyncFullAccess'
-
-### Step 3. Create an endpoint for an Amazon S3 bucket
-
-The following example creates an endpoint for an Amazon S3 bucket.
-
-When the S3 endpoint is created, a response similar to the second example following returns the Amazon Resource Name (ARN) for the new Amazon S3 location.
-
-#### Sample Request
-    
-    
-    {
-      "S3BucketArn": "arn:aws:s3:::amzn-s3-demo-bucket",
-      "S3Config": {
-         "BucketAccessRoleArn": "arn:aws:iam::111222333444:role/amzn-s3-demo-bucket-access-role",
-        },
-        "S3StorageClass": "STANDARD",
-        "Subdirectory": "/MyFolder",
-        "Tags": [
-           {
-              "Key": "Name",
-              "Value": "s3Bucket-1"
-           }
-         ]
-    }
-
-#### Sample Response
-    
-    
-    {
-      "LocationArn": "arn:aws:datasync:us-east-2:111222333444:location/loc-07db7abfc326c50s3"
-    }
-