AWS AmazonS3 medium security documentation change
Summary
Clarified permissions required to deny deletions in versioning-suspended buckets.
Security assessment
Explains how to secure versioning-suspended buckets against unauthorized deletions, addressing a potential security gap.
Diff
diff --git a/AmazonS3/latest/userguide/DeletingObjectsfromVersioningSuspendedBuckets.md b/AmazonS3/latest/userguide/DeletingObjectsfromVersioningSuspendedBuckets.md index 8066939bd..56dfdbace 100644 --- a//AmazonS3/latest/userguide/DeletingObjectsfromVersioningSuspendedBuckets.md +++ b//AmazonS3/latest/userguide/DeletingObjectsfromVersioningSuspendedBuckets.md @@ -30 +30,3 @@ The following figure shows a bucket that doesn't have a null version. In this ca -Even in a versioning-suspended bucket, the bucket owner can permanently delete a specified version by including the version ID in the `DELETE` request. The following figure shows that deleting a specified object version permanently removes that version of the object. Only the bucket owner can delete a specified object version. +Even in a versioning-suspended bucket, the bucket owner can permanently delete a specified version by including the version ID in the `DELETE` request, unless permissions for the `DELETE` request have been explicitly denied. For example, to deny deletion of any objects that have a `null` version ID, you must explicitly deny the `s3:DeleteObject` and `s3:DeleteObjectVersions` permissions. + +The following figure shows that deleting a specified object version permanently removes that version of the object. Only the bucket owner can delete a specified object version.