AWS AmazonS3 medium security documentation change
Summary
Updated example policy with concrete region/account IDs and added KMS key ARN to permissions
Security assessment
The addition of KMS key permissions in the example policy demonstrates proper encryption key management requirements for accessing metadata tables, ensuring least-privilege access to encrypted resources.
Diff
diff --git a/AmazonS3/latest/userguide/metadata-tables-bucket-query-permissions.md b/AmazonS3/latest/userguide/metadata-tables-bucket-query-permissions.md index 30aaa37ae..b9bcefed1 100644 --- a//AmazonS3/latest/userguide/metadata-tables-bucket-query-permissions.md +++ b//AmazonS3/latest/userguide/metadata-tables-bucket-query-permissions.md @@ -27,2 +27,3 @@ To query metadata tables, you can use the following example policy. To use this - "arn:aws:s3tables:region:account_id:bucket/aws-s3", - "arn:aws:s3tables:region:account_id:bucket/aws-s3/table/*" + "arn:aws:s3tables:us-east-1:111122223333:bucket/aws-s3", + "arn:aws:s3tables:us-east-1:111122223333:bucket/aws-s3/table/*", + "arn:aws:kms:us-east-1:111122223333:key/01234567-89ab-cdef-0123-456789abcdef"