AWS AmazonS3 medium security documentation change
Summary
Clarified bucket policy requirements for lifecycle operations and updated example title to emphasize explicit ReadWrite session mode.
Security assessment
Explicitly requires ReadWrite sessions for lifecycle operations to prevent permission failures. Mitigates misconfiguration risks where ReadOnly sessions could block critical operations.
Diff
diff --git a/AmazonS3/latest/userguide/directory-buckets-objects-lifecycle.md b/AmazonS3/latest/userguide/directory-buckets-objects-lifecycle.md index a0fbc3870..0cf33fbe9 100644 --- a//AmazonS3/latest/userguide/directory-buckets-objects-lifecycle.md +++ b//AmazonS3/latest/userguide/directory-buckets-objects-lifecycle.md @@ -27 +27 @@ If you have an active policy that denies delete permissions to the lifecycle pri -The following bucket policy grants permission to allow CreateSession calls with the default `ReadWrite` session and allows the lifecycle service principal. +The following bucket policy grants the S3 Lifecycle service principal permission to create sessions for performing operations such as `DeleteObject` and `DeleteObjects`. When no session mode is specified in a `CreateSession` request, the session is created with the maximum allowable privilege by the permissions in (attempting `ReadWrite` first, then `ReadOnly` if `ReadWrite` is not permitted). However, `ReadOnly` sessions are insufficient for lifecycle operations that modify or delete objects. Therefore, this example explicitly requires a `ReadWrite` session mode by using the `s3express:SessionMode` condition key. @@ -29 +29 @@ The following bucket policy grants permission to allow CreateSession calls with -###### Example – Bucket policy to allow `CreateSession` calls with the default `ReadWrite` session +###### Example– Bucket policy to allow `CreateSession` calls with an explicit `ReadWrite` session mode for lifecycle operations