AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-03-13 · Documentation low

File: cli/latest/reference/s3api/head-bucket.md

Summary

Updated session mode documentation to explain privilege escalation attempt behavior during session creation

Security assessment

Clarifies permission evaluation logic but does not address a specific vulnerability. Enhances documentation of security practices by explaining permission fallbacks.

Diff

diff --git a/cli/latest/reference/s3api/head-bucket.md b/cli/latest/reference/s3api/head-bucket.md
index dde3e1981..28bc9212a 100644
--- a//cli/latest/reference/s3api/head-bucket.md
+++ b//cli/latest/reference/s3api/head-bucket.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.5 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.8 Command Reference](../../index.html) »
@@ -78 +78 @@ Amazon Web Services CLI or SDKs handles authentication and authorization on your
-  * **Directory bucket permissions** \- You must have the ** `s3express:CreateSession` ** permission in the `Action` element of a policy. By default, the session is in the `ReadWrite` mode. If you want to restrict the access, you can explicitly set the `s3express:SessionMode` condition key to `ReadOnly` on the bucket. For more information about example bucket policies, see [Example bucket policies for S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html) and [Amazon Web Services Identity and Access Management (IAM) identity-based policies for S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html) in the _Amazon S3 User Guide_ .
+  * **Directory bucket permissions** \- You must have the ** `s3express:CreateSession` ** permission in the `Action` element of a policy. If no session mode is specified, the session will be created with the maximum allowable privilege, attempting `ReadWrite` first, then `ReadOnly` if `ReadWrite` is not permitted. If you want to explicitly restrict the access to be read-only, you can set the `s3express:SessionMode` condition key to `ReadOnly` on the bucket. For more information about example bucket policies, see [Example bucket policies for S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html) and [Amazon Web Services Identity and Access Management (IAM) identity-based policies for S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html) in the _Amazon S3 User Guide_ .
@@ -351 +351 @@ AccessPointAlias -> (boolean)
-  * [AWS CLI 2.34.5 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.8 Command Reference](../../index.html) »