AWS Security ChangesHomeSearch

AWS AWSEC2 documentation change

Service: AWSEC2 · 2026-01-10 · Documentation low

File: AWSEC2/latest/UserGuide/copy-ami-permissions.md

Summary

Added requirement for s3:PutBucketOwnershipControls permission to enable ACLs for new S3 buckets during AMI copy operations

Security assessment

The change documents a new permission requirement for configuring bucket ACLs during AMI copies, which relates to access control mechanisms. However, there's no evidence of a specific security vulnerability being addressed. The addition helps users properly configure permissions for secure AMI copying operations.

Diff

diff --git a/AWSEC2/latest/UserGuide/copy-ami-permissions.md b/AWSEC2/latest/UserGuide/copy-ami-permissions.md
index f8e2a4cad..999e67459 100644
--- a//AWSEC2/latest/UserGuide/copy-ami-permissions.md
+++ b//AWSEC2/latest/UserGuide/copy-ami-permissions.md
@@ -22 +22,3 @@ If you're copying an instance stored-backed AMI, you need the following _additio
-  * `s3:GetBucketAcl` – To read the ACL permissions for the source bucket
+  * `s3:PutBucketOwnershipControls` – To enable ACLs for the newly created S3 bucket so that objects can be written with the `aws-exec-read` [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl)
+
+  * `s3:GetBucketAcl` – To read the ACLs for the source bucket