AWS AmazonS3 medium security documentation change
Summary
Removed deprecated Email Grantee ACL documentation and display name fields from examples.
Security assessment
The removal of Email Grantee ACL documentation aligns with AWS deprecating an insecure feature (email-based ACLs vulnerable to spoofing). This change mitigates potential misconfiguration risks by removing outdated guidance.
Diff
diff --git a/AmazonS3/latest/userguide/acl-overview.md b/AmazonS3/latest/userguide/acl-overview.md index c45e81091..50234b895 100644 --- a//AmazonS3/latest/userguide/acl-overview.md +++ b//AmazonS3/latest/userguide/acl-overview.md @@ -26 +25,0 @@ When you create a bucket or an object, Amazon S3 creates a default ACL that gran - <DisplayName>owner-display-name</DisplayName> @@ -33 +31,0 @@ When you create a bucket or an object, Amazon S3 creates a default ACL that gran - <DisplayName>display-name</DisplayName> @@ -63,10 +60,0 @@ An ACL can have up to 100 grants. -###### Important - -End of support notice: Beginning October 1, 2025, Amazon S3 will discontinue support for creating new Email Grantee Access Control Lists (ACL). Email Grantee ACLs created prior to this date will continue to work and remain accessible through the AWS Management Console, Command Line Interface (CLI), SDKs, and REST API. However, you will no longer be able to create new Email Grantee ACLs. - -Between July 15, 2025 and October 1, 2025, you will begin to see an increasing rate of `HTTP 405` errors for requests to Amazon S3 when attempting to create new Email Grantee ACLs. - -This change affects the following AWS Regions: US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Ireland), and South America (São Paulo). - -A grantee can be an AWS account or one of the predefined Amazon S3 groups. You grant permission to an AWS account using the email address or the canonical user ID. However, if you provide an email address in your grant request, Amazon S3 finds the canonical user ID for that account and adds it to the ACL. The resulting ACLs always contain the canonical user ID for the AWS account, not the email address of the AWS account. - @@ -79,33 +66,0 @@ When you grant access rights, you specify each grantee as a ``type`="`value`"` p - * `emailAddress` – If the value specified is the email address of an AWS account - - - - -###### Important - -Using email addresses to specify a grantee is only supported in the following AWS Regions: - - * US East (N. Virginia) - - * US West (N. California) - - * US West (Oregon) - - * Asia Pacific (Singapore) - - * Asia Pacific (Sydney) - - * Asia Pacific (Tokyo) - - * Europe (Ireland) - - * South America (São Paulo) - - - - -For a list of all the Amazon S3 supported regions and endpoints, see [Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) in the _Amazon Web Services General Reference_. - -###### Example: Email address - -For example, the following `x-amz-grant-read` header grants the AWS accounts identified by email addresses permissions to read object data and its metadata: @@ -114 +68,0 @@ For example, the following `x-amz-grant-read` header grants the AWS accounts ide - x-amz-grant-read: emailAddress="[email protected]", emailAddress="[email protected]" @@ -294 +247,0 @@ The following sample ACL on a bucket identifies the resource owner and a set of - <DisplayName>display-name</DisplayName> @@ -300 +252,0 @@ The following sample ACL on a bucket identifies the resource owner and a set of - <DisplayName>display-name</DisplayName> @@ -308 +259,0 @@ The following sample ACL on a bucket identifies the resource owner and a set of - <DisplayName>display-name</DisplayName> @@ -316 +266,0 @@ The following sample ACL on a bucket identifies the resource owner and a set of - <DisplayName>display-name</DisplayName>