AWS Security ChangesHomeSearch

AWS prescriptive-guidance high security documentation change

Service: prescriptive-guidance · 2025-10-13 · Security-related high

File: prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md

Summary

Added 'Principal': '*' to S3 bucket policy examples in Resource Condition Policies (RCP) for presigned URL guardrails

Security assessment

Adding a wildcard principal (*) in IAM policies can introduce security risks if not properly constrained. However, in this context, it appears to be part of a broader RCP configuration to enforce presigned URL restrictions. The change directly modifies security controls but requires careful validation to avoid unintended access.

Diff

diff --git a/prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md b/prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md
index d4536311b..1dfea39c7 100644
--- a//prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md
+++ b//prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md
@@ -144,0 +145 @@ The following RCP restricts presigned URL usage across all S3 buckets in an orga
+          "Principal": "*",
@@ -158,0 +160 @@ The following RCP restricts presigned URL usage across all S3 buckets in an orga
+          "Principal": "*",