AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-11-25 · Documentation low

File: AmazonS3/latest/userguide/buckets-tagging.md

Summary

Updated example IAM policy to enforce tagging requirements during bucket creation and tagging operations.

Security assessment

The revised policy demonstrates Attribute-Based Access Control (ABAC) for tagging enforcement, a security best practice. No specific security vulnerability is addressed.

Diff

diff --git a/AmazonS3/latest/userguide/buckets-tagging.md b/AmazonS3/latest/userguide/buckets-tagging.md
index 2a9d1756a..d22e7086f 100644
--- a//AmazonS3/latest/userguide/buckets-tagging.md
+++ b//AmazonS3/latest/userguide/buckets-tagging.md
@@ -65 +65 @@ See the following example ABAC policies for Amazon S3 buckets.
-In this bucket policy, IAM principals (users and roles) are denied `s3:ListBucket`, `s3:GetObject`, and `s3:PutObject` actions on the bucket only if value of the `project` tag on the bucket matches the value of the `project` tag on the principal.
+In this IAM policy, users or roles with this policy can only create S3 buckets if they tag the bucket with the tag key `project` and tag value `Trinity `in the bucket creation request. They can also add or modify tags on existing S3 buckets as long as the `TagResource` request includes the tag key-value pair `project:Trinity`. This policy does not grant read, write, or delete permissions on the buckets or its objects. 
@@ -72,7 +72,7 @@ In this bucket policy, IAM principals (users and roles) are denied `s3:ListBucke
-                "Sid": "DenyObjectOperations",
-                "Effect": "Deny",
-                "Principal": "*",
-                "Action": ["s3:ListBucket",
-                           "s3:GetObject",
-                           "s3:PutObject"],
-                "Resource": "arn:aws:s3:::aws-s3-demo/*",
+          "Sid": "CreateBucketWithTags",
+          "Effect": "Allow",
+          "Action": [
+            "s3:CreateBucket",
+            "s3:TagResource"
+          ],
+          "Resource": "*",
@@ -81 +81,3 @@ In this bucket policy, IAM principals (users and roles) are denied `s3:ListBucke
-                        "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
+              "aws:RequestTag/project": [
+                "Trinity"
+              ]