AWS AmazonS3 documentation change
Summary
Expanded S3 Block Public Access documentation with organization-level management via AWS Organizations, including centralized policy enforcement and audit capabilities.
Security assessment
Adds guidance for multi-account security management but does not fix a vulnerability. Documents security feature enhancements (organization-wide Block Public Access policies) as part of security best practices.
Diff
diff --git a/AmazonS3/latest/userguide/security-best-practices.md b/AmazonS3/latest/userguide/security-best-practices.md index d71c81a87..3b5516b37 100644 --- a//AmazonS3/latest/userguide/security-best-practices.md +++ b//AmazonS3/latest/userguide/security-best-practices.md @@ -85 +85,3 @@ Unless you explicitly require anyone on the internet to be able to read or write - * Use S3 Block Public Access. With S3 Block Public Access, you can easily set up centralized controls to limit public access to your Amazon S3 resources. These centralized controls are enforced regardless of how the resources are created. For more information, see [Blocking public access to your Amazon S3 storage](./access-control-block-public-access.html). + * Use S3 Block Public Access. With S3 Block Public Access, you can easily set up centralized controls to limit public access to your Amazon S3 resources. These centralized controls are enforced regardless of how the resources are created. For organizations managing multiple AWS accounts, you can now use organization-level enforcement through AWS Organizations to centrally manage S3 Block Public Access settings across your entire organization with a single policy configuration. + +For more information, see [Blocking public access to your Amazon S3 storage](./access-control-block-public-access.html). @@ -99,0 +102,13 @@ Unless you explicitly require anyone on the internet to be able to read or write +**For organizations with multiple AWS accounts, consider using organization-level Block Public Access management:** + + * Centralized policy management: Use AWS Organizations to create a single S3 Block Public Access policy that automatically applies to all member accounts or selected organizational units (OUs). + + * Automatic inheritance: When you attach the policy at the root or OU level, new member accounts automatically inherit the Block Public Access settings without individual account setup. + + * Simplified compliance: Organization-level policies eliminate the need to maintain complex Service Control Policies (SCPs) for Block Public Access enforcement and reduce operational overhead of managing individual account configurations. + + * Audit capabilities: Use AWS CloudTrail to monitor policy attachment and enforcement across member accounts for compliance tracking. + + + +