AWS AmazonS3 documentation change
Summary
Added documentation about organization-level Block Public Access policy interactions and hierarchy enforcement. Clarified that S3 applies the most restrictive combination of bucket/account/organization settings.
Security assessment
The changes clarify security controls but do not address a specific vulnerability. They enhance documentation about existing security features (Block Public Access) by explaining policy hierarchy and enforcement mechanisms.
Diff
diff --git a/AmazonS3/latest/userguide/configuring-block-public-access-bucket.md b/AmazonS3/latest/userguide/configuring-block-public-access-bucket.md index f68bc76a6..b2bee2255 100644 --- a//AmazonS3/latest/userguide/configuring-block-public-access-bucket.md +++ b//AmazonS3/latest/userguide/configuring-block-public-access-bucket.md @@ -7 +7 @@ -Amazon S3 Block Public Access provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects do not allow public access. +Amazon S3 Block Public Access provides settings for access points, buckets, organizations, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects do not allow public access. For more information, see [Blocking public access to your Amazon S3 storage](./access-control-block-public-access.html). @@ -9 +9,3 @@ Amazon S3 Block Public Access provides settings for access points, buckets, and -For more information, see [Blocking public access to your Amazon S3 storage](./access-control-block-public-access.html). +###### Note + +Bucket-level Block Public Access settings work alongside organization and account-level policies. S3 applies the most restrictive setting between bucket-level and effective account-level configurations (which may be enforced by organization policies if present). @@ -13 +15,3 @@ You can use the S3 console, AWS CLI, AWS SDKs, and REST API to grant public acce -To configure block public access settings for every bucket in your account, see [Configuring block public access settings for your account](./configuring-block-public-access-account.html). For information about configuring block public access for access points, see [Performing block public access operations on an access point](./access-control-block-public-access.html#access-control-block-public-access-examples-access-point). +To configure block public access settings for every bucket in your account, see [Configuring block public access settings for your account](./configuring-block-public-access-account.html). For organization-wide centralized management, see [S3 policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_s3.html) in the _AWS Organizations user guide_. + +For information about configuring block public access for access points, see [Performing block public access operations on an access point](./access-control-block-public-access.html#access-control-block-public-access-examples-access-point). @@ -50,0 +55,4 @@ Follow these steps if you need to change the public access settings for a single +###### Important + +Even if you disable bucket-level Block Public Access settings, your bucket may still be protected by account-level or organization-level policies. S3 always applies the most restrictive combination of settings across all levels. + @@ -67,0 +76,4 @@ For more information and examples, see [put-public-access-block](https://awscli. +###### Note + +These bucket-level operations are not restricted by organization-level policies. However, the effective public access behavior will still be governed by the most restrictive combination of bucket, account, and organization settings. For more information about the hierarchy and policy interactions, see [Using the S3 console](./block-public-access-bucket.html). +