AWS AmazonS3 medium security documentation change
Summary
Clarified default session creation behavior and ReadWrite/ReadOnly fallback logic.
Security assessment
Documents security-critical session mode behavior where ReadWrite is attempted first. Prevents unintended ReadOnly sessions that lack modify/delete permissions.
Diff
diff --git a/AmazonS3/latest/userguide/s3-express-create-session.md b/AmazonS3/latest/userguide/s3-express-create-session.md index 5b5e2fe18..56c88305f 100644 --- a//AmazonS3/latest/userguide/s3-express-create-session.md +++ b//AmazonS3/latest/userguide/s3-express-create-session.md @@ -13 +13 @@ If you use the Amazon S3 REST API, you can then use the `CreateSession` API oper -Session mode defines the scope of the session. In your bucket policy, you can specify the `s3express:SessionMode` condition key to control who can create a `ReadWrite` or `ReadOnly` session. For more information about `ReadWrite` or `ReadOnly` sessions, see the `x-amz-create-session-mode` parameter for [CreateSession](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html) in the _Amazon S3 API Reference_. For more information about the bucket policy to create, see [Example bucket policies for directory buckets](./s3-express-security-iam-example-bucket-policies.html). +Session mode defines the scope of the session. If the session mode is not specified in the CreateSession API request, the CreateSession action will attempt to create the session with the maximum allowable privilege, attempting `ReadWrite` first, then falling back to `ReadOnly` only if `ReadWrite` is not permitted by the policies. In your bucket policy, you can specify the `s3express:SessionMode` condition key to explicitly control who can create a `ReadWrite` or `ReadOnly` session. For more information about `ReadWrite` or `ReadOnly` sessions, see the `x-amz-create-session-mode` parameter for [CreateSession](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html) in the _Amazon S3 API Reference_. For more information about the bucket policy to create, see [Example bucket policies for directory buckets](./s3-express-security-iam-example-bucket-policies.html).