AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2025-10-25 · Security-related medium

File: AmazonS3/latest/userguide/metadata-tables-bucket-query-permissions.md

Summary

Updated example policy with concrete region/account IDs and added KMS key ARN to permissions

Security assessment

The addition of KMS key permissions in the example policy demonstrates proper encryption key management requirements for accessing metadata tables, ensuring least-privilege access to encrypted resources.

Diff

diff --git a/AmazonS3/latest/userguide/metadata-tables-bucket-query-permissions.md b/AmazonS3/latest/userguide/metadata-tables-bucket-query-permissions.md
index 30aaa37ae..b9bcefed1 100644
--- a//AmazonS3/latest/userguide/metadata-tables-bucket-query-permissions.md
+++ b//AmazonS3/latest/userguide/metadata-tables-bucket-query-permissions.md
@@ -27,2 +27,3 @@ To query metadata tables, you can use the following example policy. To use this
-                "arn:aws:s3tables:region:account_id:bucket/aws-s3",
-                "arn:aws:s3tables:region:account_id:bucket/aws-s3/table/*"
+                "arn:aws:s3tables:us-east-1:111122223333:bucket/aws-s3",
+                "arn:aws:s3tables:us-east-1:111122223333:bucket/aws-s3/table/*",
+                "arn:aws:kms:us-east-1:111122223333:key/01234567-89ab-cdef-0123-456789abcdef"