AWS AmazonS3 documentation change
Summary
Added documentation for UpdateObjectEncryption API requirements including KMS permissions and cross-account access policies. Fixed minor typos.
Security assessment
New documentation explains required permissions for encryption key rotation and cross-account KMS access, which are security features. No evidence this addresses a specific vulnerability; it proactively documents encryption management best practices.
Diff
diff --git a/AmazonS3/latest/userguide/using-with-s3-policy-actions.md b/AmazonS3/latest/userguide/using-with-s3-policy-actions.md index fab6905b8..ac1c18227 100644 --- a//AmazonS3/latest/userguide/using-with-s3-policy-actions.md +++ b//AmazonS3/latest/userguide/using-with-s3-policy-actions.md @@ -280,0 +281,6 @@ API operations | Policy actions | Description of policy actions +[UpdateObjectEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UpdateObjectEncryption.html) | (Required) `s3:UpdateObjectEncryption`, `s3:PutObject`, `kms:Encrypt`, `kms:Decrypt`, `kms:GenerateDataKey`, `kms:ReEncrypt*` | Required if you want to change encrypted objects between server-side encryption with Amazon S3 managed encryption (SSE-S3) and server-side encryption with AWS Key Management Service (AWS KMS) encryption keys (SSE-KMS). You can also use the `UpdateObjectEncryption` operation to apply S3 Bucket Keys to reduce AWS KMS request costs or change the customer-managed KMS key that's used to encrypt your data so that you can comply with custom key-rotation standards. +| (Conditionally required) `organizations:DescribeAccount` | If you're using AWS Organizations, to use the `UpdateObjectEncryption` operation with customer-managed KMS keys from other AWS accounts within your organization, you must have the `organizations:DescribeAccount` permission. + +###### Note + +You must also request the ability to use AWS KMS keys owned by other member accounts within your organization by contacting AWS Support. @@ -425 +431 @@ API operations | Policy actions | Description of policy actions -[GetAccessGrantsInstanceResourcePolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessGrantsInstanceResourcePolicy.html) | (Required) `s3:GetAccessGrantsInstanceResourcePolicy` | Requred to return the resource policy of your S3 Access Grants instance. +[GetAccessGrantsInstanceResourcePolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessGrantsInstanceResourcePolicy.html) | (Required) `s3:GetAccessGrantsInstanceResourcePolicy` | Required to return the resource policy of your S3 Access Grants instance.