AWS AmazonS3 documentation change
Summary
Removed sections about S3 table bucket KMS permissions and additional permissions required for S3 table bucket exports with KMS encryption, including example KMS key policies.
Security assessment
This change removes detailed documentation about KMS encryption permissions and policies for S3 Storage Lens metrics export. While encryption is a security feature, the removal of this documentation doesn't indicate a security issue was fixed. It appears to be removing outdated or deprecated content, possibly related to the S3 Tables feature being phased out.
Diff
diff --git a/AmazonS3/latest/userguide/storage_lens_encrypt_permissions.md b/AmazonS3/latest/userguide/storage_lens_encrypt_permissions.md index 06830b207..ff7db0951 100644 --- a//AmazonS3/latest/userguide/storage_lens_encrypt_permissions.md +++ b//AmazonS3/latest/userguide/storage_lens_encrypt_permissions.md @@ -5,2 +4,0 @@ -S3 table bucket KMS permissions - @@ -63,54 +61,0 @@ You can also use the AWS KMS `PUT` key policy API operation ([PutKeyPolicy](http -## Additional permissions for S3 table bucket exports - -All data in S3 tables including S3 Storage Lens metrics are encrypted with SSE-S3 encryption by default. You can choose to encrypt your Storage Lens metrics report with AWS KMS keys (SSE-KMS). If you choose to encrypt your S3 Storage Lens metric reports with KMS keys, you must have additional permissions. - - 1. The user or IAM role needs the following permissions. You can grant these permissions by using the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). - - * `kms:DescribeKey` on the AWS KMS key used - - 2. On the key policy for the AWS KMS key, you need the following permissions. You can grant these permissions by using the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms). To use this policy, replace the ``user input placeholders`` with your own information. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "EnableSystemTablesKeyUsage", - "Effect": "Allow", - "Principal": { - "Service": "systemtables.s3.amazonaws.com" - }, - "Action": [ - "kms:DescribeKey", - "kms:GenerateDataKey", - "kms:Decrypt" - ], - "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "111122223333" - } - } - }, - { - "Sid": "EnableKeyUsage", - "Effect": "Allow", - "Principal": { - "Service": "maintenance.s3tables.amazonaws.com" - }, - "Action": [ - "kms:GenerateDataKey", - "kms:Decrypt" - ], - "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id", - "Condition": { - "StringLike": { - "kms:EncryptionContext:aws:s3:arn": "<table-bucket-arn>/*" - } - } - } - ] - } - - - -