AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-11-25 · Documentation low

File: securityhub/latest/userguide/exposure-s3-bucket.md

Summary

Fixed typos (unathorized->unauthorized, duplicate 'the'), updated documentation references to use consistent naming ('Amazon S3 User Guide'->'Amazon Simple Storage Service User Guide'), corrected CloudFront link text, fixed presigned URL documentation reference, improved access point public access risk wording, and adjusted section formatting.

Security assessment

Changes are primarily editorial improvements (typo fixes, formatting, documentation reference consistency). While some text clarifies security risks (e.g., 'it could allow anyone on the internet' vs original wording), this is a clarification rather than addressing a new vulnerability. No new security controls or mitigations are added.

Diff

diff --git a/securityhub/latest/userguide/exposure-s3-bucket.md b/securityhub/latest/userguide/exposure-s3-bucket.md
index 4e6cbbdee..881d7f0bc 100644
--- a//securityhub/latest/userguide/exposure-s3-bucket.md
+++ b//securityhub/latest/userguide/exposure-s3-bucket.md
@@ -119 +119 @@ To enable MFA delete, first, ensure that versioning is enabled on your Amazon S3
-Amazon S3 bucket policies control access to buckets and objects. When bucket policies allow principals from other AWS accounts to modify bucket permissions, unauthorized users can reconfigure your bucket. If external principal credentials are compromised, unathorized users can gain control over your bucket, leading to data breaches or service disruptions. Following standard security principles, AWS recommends that you restrict permission management actions to trusted principals only. 
+Amazon S3 bucket policies control access to buckets and objects. When bucket policies allow principals from other AWS accounts to modify bucket permissions, unauthorized users can reconfigure your bucket. If external principal credentials are compromised, unauthorized users can gain control over your bucket, leading to data breaches or service disruptions. Following standard security principles, AWS recommends that you restrict permission management actions to trusted principals only. 
@@ -123 +123 @@ Amazon S3 bucket policies control access to buckets and objects. When bucket pol
-In the the exposure, identify the Amazon S3 bucket in the ARN field. In the Amazon S3 console, select the bucket, and navigate to the **Permissions** tab to review the bucket policy. Review the permissions policy attached to the bucket. Look for policy statements that grant actions like `s3:PutBucketPolicy, s3:PutBucketAcl, s3:DeleteBucketPolicy, s3:* ` or policy statements that allow access to principals outside your account, as denoted in the principal statement. 
+In the exposure, identify the Amazon S3 bucket in the ARN field. In the Amazon S3 console, select the bucket, and navigate to the **Permissions** tab to review the bucket policy. Review the permissions policy attached to the bucket. Look for policy statements that grant actions like `s3:PutBucketPolicy, s3:PutBucketAcl, s3:DeleteBucketPolicy, s3:* ` or policy statements that allow access to principals outside your account, as denoted in the principal statement. 
@@ -133 +133 @@ Modify the bucket policy to remove or restrict actions granted to other AWS acco
-For information about modifying a bucket policy, see [Adding a bucket policy by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html) in the _Amazon S3 User Guide_. 
+For information about modifying a bucket policy, see [Adding a bucket policy by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html) in the _Amazon Simple Storage Service User Guide_. 
@@ -175 +175 @@ If public read access is required, consider these more secure alternatives:
-     * **CloudFront** – Use CloudFront with an Origin Access Identity (OAI) or Origin Access Control (OAC) to allow read access from a private Amazon S3 bucket. This alternative restricts direct access to your Amazon S3 bucket while allowing content to be publicly accessible through CloudFront. For more information, see [Restricting access to an Amazon Amazon S3 origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the _Amazon CloudFront Developer Guide_. 
+     * **CloudFront** – Use CloudFront with an Origin Access Identity (OAI) or Origin Access Control (OAC) to allow read access from a private Amazon S3 bucket. This alternative restricts direct access to your Amazon S3 bucket while allowing content to be publicly accessible through CloudFront. For more information, see [Restricting access to an Amazon S3 origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the _Amazon CloudFront Developer Guide_. 
@@ -177 +177 @@ If public read access is required, consider these more secure alternatives:
-     * **Presigned URLs** – Use presigned URLs for temporary access to specific objects. For more information, see [Sharing objects with presigned URLs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the _AWSAmazon S3User Guide_. 
+     * **Presigned URLs** – Use presigned URLs for temporary access to specific objects. For more information, see [Sharing objects with presigned URLs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the _Amazon CloudFront Developer Guide_. 
@@ -194 +194,3 @@ For a more granular approach to remove public write access, review the bucket po
-  3. **Alternative access methods** If public read access is required, consider these more secure alternatives: 
+  3. **Alternative access methods**
+
+If public read access is required, consider these more secure alternatives: 
@@ -205 +207 @@ For a more granular approach to remove public write access, review the bucket po
-Amazon S3 access points provide customized access to shared datasets in Amazon S3 buckets. When you enable public access for an access point, anyone on the internet to access to your data. Following standard security principles, AWS recommends restricting public access to Amazon S3 access points. 
+Amazon S3 access points provide customized access to shared datasets in Amazon S3 buckets. When you enable public access for an access point, it could allow anyone on the internet to access your data. Following standard security principles, AWS recommends restricting public access to Amazon S3 access points. 
@@ -209 +211 @@ Amazon S3 access points provide customized access to shared datasets in Amazon S
-Amazon S3 doesn't support changing an access point’s public access settings after an access point has been created. For information about creating an access point, see [Managing public access to access points for general purpose buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html) in the _Amazon S3 User Guide_. For more information about managing public access to access points, see [Creating access points for general purpose buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-bpa-settings.html) in the _Amazon S3 User Guide_. 
+Amazon S3 doesn't support changing an access point’s public access settings after an access point has been created. For information about creating an access point, see [Managing public access to access points for general purpose buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html) in the _Amazon Simple Storage Service User Guide_. For more information about managing public access to access points, see [Creating access points for general purpose buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-bpa-settings.html) in the _Amazon Simple Storage Service User Guide_.