AWS AmazonS3 medium security documentation change
Summary
Added guidance on avoiding version IDs in unversioned buckets and ensuring proper DeleteObject/DeleteObjectVersion permissions.
Security assessment
Explicitly addresses misconfigurations that could lead to unintended or unauthorized deletions, reducing data loss risks.
Diff
diff --git a/AmazonS3/latest/userguide/DeletingObjects.md b/AmazonS3/latest/userguide/DeletingObjects.md index b6c990e6c..62e781cdc 100644 --- a//AmazonS3/latest/userguide/DeletingObjects.md +++ b//AmazonS3/latest/userguide/DeletingObjects.md @@ -43,0 +44,2 @@ The S3 Lifecycle rules must apply to the right subset of objects to prevent unin + * Avoid sending object version IDs to unversioned buckets. Also, make sure to properly set both the `s3:DeleteObject` and `s3:DeleteObjectVersion` permissions on all buckets (including unversioned buckets). + @@ -69,0 +72,2 @@ If your bucket is unversioned, you can specify the object's key in the `Delete` +For unversioned buckets, if the `s3:DeleteObject` or `s3:DeleteObjectVersion` permissions are explicitly denied in your bucket policy, then any `DeleteObject`, `DeleteObjects`, or `DeleteObjectVersion` requests result in a `403 Access Denied` error. +