AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2025-11-22 · Security-related medium

File: AmazonS3/latest/userguide/create-bucket-overview.md

Summary

1. Added new section about S3 bucket tags for cost allocation and ABAC security 2. Fixed broken KMS documentation links

Security assessment

Added documentation for attribute-based access control (ABAC) using tags, which is a security feature for granular permission management. This enables security teams to implement tag-based access policies.

Diff

diff --git a/AmazonS3/latest/userguide/create-bucket-overview.md b/AmazonS3/latest/userguide/create-bucket-overview.md
index 4b7b9ed5c..5303a0eca 100644
--- a//AmazonS3/latest/userguide/create-bucket-overview.md
+++ b//AmazonS3/latest/userguide/create-bucket-overview.md
@@ -26,0 +27,2 @@ When you're creating a general purpose bucket, you can use the following setting
+  * **Tags** – An AWS tag is a key-value pair that holds metadata. You attach the tags to your Amazon S3 resources, such as buckets. You can tag resources when you create them or manage tags on existing resources. You can use tags for cost allocation to track storage costs by bucket tag in AWS Billing and Cost Management. You can also use tags for attribute-based access control (ABAC), to scale access permissions and grant access to S3 resources based on their tags. For more information, see [Using tags with S3 general purpose buckets](./buckets-tagging.html).
+
@@ -151 +153 @@ For more information about using server-side encryption to encrypt your data, se
-Both the AWS managed key (`aws/s3`) and your customer managed keys appear in this list. For more information about customer managed keys, see [Customer keys and AWS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt) in the _AWS Key Management Service Developer Guide_.
+Both the AWS managed key (`aws/s3`) and your customer managed keys appear in this list. For more information about customer managed keys, see [Customer keys and AWS keys](https://docs.aws.amazon.com//kms/latest/developerguide/concepts.html#key-mgmt) in the _AWS Key Management Service Developer Guide_.
@@ -157 +159 @@ Both the AWS managed key (`aws/s3`) and your customer managed keys appear in thi
-For more information about creating an AWS KMS key, see [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the _AWS Key Management Service Developer Guide_.
+For more information about creating an AWS KMS key, see [Creating keys](https://docs.aws.amazon.com//kms/latest/developerguide/create-keys.html) in the _AWS Key Management Service Developer Guide_.
@@ -161 +163 @@ For more information about creating an AWS KMS key, see [Creating keys](https://
-You can use only KMS keys that are available in the same AWS Region as the bucket. The Amazon S3 console lists only the first 100 KMS keys in the same Region as the bucket. To use a KMS key that isn't listed, you must enter your KMS key ARN. If you want to use a KMS key that's owned by a different account, you must first have permission to use the key, and then you must enter the KMS key ARN. For more information about cross account permissions for KMS keys, see [Creating KMS keys that other accounts can use](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html#cross-account-console) in the _AWS Key Management Service Developer Guide_. For more information about SSE-KMS, see [Specifying server-side encryption with AWS KMS (SSE-KMS)](./specifying-kms-encryption.html). For more information about DSSE-KMS, see [Using dual-layer server-side encryption with AWS KMS keys (DSSE-KMS)](./UsingDSSEncryption.html).
+You can use only KMS keys that are available in the same AWS Region as the bucket. The Amazon S3 console lists only the first 100 KMS keys in the same Region as the bucket. To use a KMS key that isn't listed, you must enter your KMS key ARN. If you want to use a KMS key that's owned by a different account, you must first have permission to use the key, and then you must enter the KMS key ARN. For more information about cross account permissions for KMS keys, see [Creating KMS keys that other accounts can use](https://docs.aws.amazon.com//kms/latest/developerguide/key-policy-modifying-external-accounts.html#cross-account-console) in the _AWS Key Management Service Developer Guide_. For more information about SSE-KMS, see [Specifying server-side encryption with AWS KMS (SSE-KMS)](./specifying-kms-encryption.html). For more information about DSSE-KMS, see [Using dual-layer server-side encryption with AWS KMS keys (DSSE-KMS)](./UsingDSSEncryption.html).
@@ -163 +165 @@ You can use only KMS keys that are available in the same AWS Region as the bucke
-When you use an AWS KMS key for server-side encryption in Amazon S3, you must choose a symmetric encryption KMS key. Amazon S3 supports only symmetric encryption KMS keys and not asymmetric KMS keys. For more information, see [Identifying symmetric and asymmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html) in the _AWS Key Management Service Developer Guide_.
+When you use an AWS KMS key for server-side encryption in Amazon S3, you must choose a symmetric encryption KMS key. Amazon S3 supports only symmetric encryption KMS keys and not asymmetric KMS keys. For more information, see [Identifying symmetric and asymmetric KMS keys](https://docs.aws.amazon.com//kms/latest/developerguide/find-symm-asymm.html) in the _AWS Key Management Service Developer Guide_.