AWS cli documentation change
Summary
Updated session mode documentation to explain privilege escalation attempt behavior during session creation
Security assessment
Clarifies permission evaluation logic but does not address a specific vulnerability. Enhances documentation of security practices by explaining permission fallbacks.
Diff
diff --git a/cli/latest/reference/s3api/head-bucket.md b/cli/latest/reference/s3api/head-bucket.md index dde3e1981..28bc9212a 100644 --- a//cli/latest/reference/s3api/head-bucket.md +++ b//cli/latest/reference/s3api/head-bucket.md @@ -15 +15 @@ - * [AWS CLI 2.34.5 Command Reference](../../index.html) » + * [AWS CLI 2.34.8 Command Reference](../../index.html) » @@ -78 +78 @@ Amazon Web Services CLI or SDKs handles authentication and authorization on your - * **Directory bucket permissions** \- You must have the ** `s3express:CreateSession` ** permission in the `Action` element of a policy. By default, the session is in the `ReadWrite` mode. If you want to restrict the access, you can explicitly set the `s3express:SessionMode` condition key to `ReadOnly` on the bucket. For more information about example bucket policies, see [Example bucket policies for S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html) and [Amazon Web Services Identity and Access Management (IAM) identity-based policies for S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html) in the _Amazon S3 User Guide_ . + * **Directory bucket permissions** \- You must have the ** `s3express:CreateSession` ** permission in the `Action` element of a policy. If no session mode is specified, the session will be created with the maximum allowable privilege, attempting `ReadWrite` first, then `ReadOnly` if `ReadWrite` is not permitted. If you want to explicitly restrict the access to be read-only, you can set the `s3express:SessionMode` condition key to `ReadOnly` on the bucket. For more information about example bucket policies, see [Example bucket policies for S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html) and [Amazon Web Services Identity and Access Management (IAM) identity-based policies for S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html) in the _Amazon S3 User Guide_ . @@ -351 +351 @@ AccessPointAlias -> (boolean) - * [AWS CLI 2.34.5 Command Reference](../../index.html) » + * [AWS CLI 2.34.8 Command Reference](../../index.html) »