AWS config documentation change
Summary
Clarified when S3 bucket policies are considered non-compliant for public read access, adding that fixed values containing wildcards can still be compliant
Security assessment
This change clarifies AWS Config rule behavior for S3 bucket public access policies. It provides more precise documentation about what constitutes a compliant vs non-compliant policy, helping users better understand security controls. No evidence of addressing a specific security vulnerability.
Diff
diff --git a/config/latest/developerguide/s3-bucket-public-read-prohibited.md b/config/latest/developerguide/s3-bucket-public-read-prohibited.md index ec207d016..2f08b0359 100644 --- a//config/latest/developerguide/s3-bucket-public-read-prohibited.md +++ b//config/latest/developerguide/s3-bucket-public-read-prohibited.md @@ -31 +31 @@ The rule is noncompliant when: -To be considered non-public, an S3 bucket policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables). +To be considered non-public, an S3 bucket policy must grant access only to fixed values. This means a policy is NON_COMPLIANT if it grants access to a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables). A fixed value containing a wildcard can still be COMPLIANT.