AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2025-11-04 · Security-related medium

File: AmazonS3/latest/userguide/DeletingObjects.md

Summary

Added guidance on avoiding version IDs in unversioned buckets and ensuring proper DeleteObject/DeleteObjectVersion permissions.

Security assessment

Explicitly addresses misconfigurations that could lead to unintended or unauthorized deletions, reducing data loss risks.

Diff

diff --git a/AmazonS3/latest/userguide/DeletingObjects.md b/AmazonS3/latest/userguide/DeletingObjects.md
index b6c990e6c..62e781cdc 100644
--- a//AmazonS3/latest/userguide/DeletingObjects.md
+++ b//AmazonS3/latest/userguide/DeletingObjects.md
@@ -43,0 +44,2 @@ The S3 Lifecycle rules must apply to the right subset of objects to prevent unin
+  * Avoid sending object version IDs to unversioned buckets. Also, make sure to properly set both the `s3:DeleteObject` and `s3:DeleteObjectVersion` permissions on all buckets (including unversioned buckets).
+
@@ -69,0 +72,2 @@ If your bucket is unversioned, you can specify the object's key in the `Delete`
+For unversioned buckets, if the `s3:DeleteObject` or `s3:DeleteObjectVersion` permissions are explicitly denied in your bucket policy, then any `DeleteObject`, `DeleteObjects`, or `DeleteObjectVersion` requests result in a `403 Access Denied` error.
+