AWS AmazonS3 documentation change
Summary
Updated example IAM policy to enforce tagging requirements during bucket creation and tagging operations.
Security assessment
The revised policy demonstrates Attribute-Based Access Control (ABAC) for tagging enforcement, a security best practice. No specific security vulnerability is addressed.
Diff
diff --git a/AmazonS3/latest/userguide/buckets-tagging.md b/AmazonS3/latest/userguide/buckets-tagging.md index 2a9d1756a..d22e7086f 100644 --- a//AmazonS3/latest/userguide/buckets-tagging.md +++ b//AmazonS3/latest/userguide/buckets-tagging.md @@ -65 +65 @@ See the following example ABAC policies for Amazon S3 buckets. -In this bucket policy, IAM principals (users and roles) are denied `s3:ListBucket`, `s3:GetObject`, and `s3:PutObject` actions on the bucket only if value of the `project` tag on the bucket matches the value of the `project` tag on the principal. +In this IAM policy, users or roles with this policy can only create S3 buckets if they tag the bucket with the tag key `project` and tag value `Trinity `in the bucket creation request. They can also add or modify tags on existing S3 buckets as long as the `TagResource` request includes the tag key-value pair `project:Trinity`. This policy does not grant read, write, or delete permissions on the buckets or its objects. @@ -72,7 +72,7 @@ In this bucket policy, IAM principals (users and roles) are denied `s3:ListBucke - "Sid": "DenyObjectOperations", - "Effect": "Deny", - "Principal": "*", - "Action": ["s3:ListBucket", - "s3:GetObject", - "s3:PutObject"], - "Resource": "arn:aws:s3:::aws-s3-demo/*", + "Sid": "CreateBucketWithTags", + "Effect": "Allow", + "Action": [ + "s3:CreateBucket", + "s3:TagResource" + ], + "Resource": "*", @@ -81 +81,3 @@ In this bucket policy, IAM principals (users and roles) are denied `s3:ListBucke - "aws:ResourceTag/project": "${aws:PrincipalTag/project}" + "aws:RequestTag/project": [ + "Trinity" + ]