AWS cli documentation change
Summary
Updated session mode behavior description for S3 directory bucket copies
Security assessment
Clarified session privilege escalation behavior (ReadWrite fallback to ReadOnly) and added explicit guidance about restricting access using s3express:SessionMode condition key. This improves security documentation by explaining privilege management but doesn't indicate a resolved security issue.
Diff
diff --git a/cli/latest/reference/s3api/copy-object.md b/cli/latest/reference/s3api/copy-object.md index beacd7f16..485a10794 100644 --- a//cli/latest/reference/s3api/copy-object.md +++ b//cli/latest/reference/s3api/copy-object.md @@ -15 +15 @@ - * [AWS CLI 2.34.5 Command Reference](../../index.html) » + * [AWS CLI 2.34.8 Command Reference](../../index.html) » @@ -104 +104 @@ You must have _read_ access to the source object and _write_ access to the desti - * If the source object that you want to copy is in a directory bucket, you must have the ** `s3express:CreateSession` ** permission in the `Action` element of a policy to read the object. By default, the session is in the `ReadWrite` mode. If you want to restrict the access, you can explicitly set the `s3express:SessionMode` condition key to `ReadOnly` on the copy source bucket. + * If the source object that you want to copy is in a directory bucket, you must have the ** `s3express:CreateSession` ** permission in the `Action` element of a policy to read the object. If no session mode is specified, the session will be created with the maximum allowable privilege, attempting `ReadWrite` first, then `ReadOnly` if `ReadWrite` is not permitted. If you want to explicitly restrict the access to be read-only, you can set the `s3express:SessionMode` condition key to `ReadOnly` on the copy source bucket. @@ -1059 +1059 @@ RequestCharged -> (string) - * [AWS CLI 2.34.5 Command Reference](../../index.html) » + * [AWS CLI 2.34.8 Command Reference](../../index.html) »