AWS Security ChangesHomeSearch

AWS config documentation change

Service: config · 2026-03-22 · Documentation low

File: config/latest/developerguide/s3-bucket-public-read-prohibited.md

Summary

Clarified when S3 bucket policies are considered non-compliant for public read access, adding that fixed values containing wildcards can still be compliant

Security assessment

This change clarifies AWS Config rule behavior for S3 bucket public access policies. It provides more precise documentation about what constitutes a compliant vs non-compliant policy, helping users better understand security controls. No evidence of addressing a specific security vulnerability.

Diff

diff --git a/config/latest/developerguide/s3-bucket-public-read-prohibited.md b/config/latest/developerguide/s3-bucket-public-read-prohibited.md
index ec207d016..2f08b0359 100644
--- a//config/latest/developerguide/s3-bucket-public-read-prohibited.md
+++ b//config/latest/developerguide/s3-bucket-public-read-prohibited.md
@@ -31 +31 @@ The rule is noncompliant when:
-To be considered non-public, an S3 bucket policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables).
+To be considered non-public, an S3 bucket policy must grant access only to fixed values. This means a policy is NON_COMPLIANT if it grants access to a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables). A fixed value containing a wildcard can still be COMPLIANT.