AWS Security ChangesHomeSearch

AWS config documentation change

Service: config · 2026-03-22 · Documentation low

File: config/latest/developerguide/s3-bucket-public-write-prohibited.md

Summary

Clarified when S3 bucket policies are considered non-compliant for public write access, adding that fixed values containing wildcards can still be compliant

Security assessment

This change clarifies AWS Config rule behavior for S3 bucket public write access policies. It provides more precise documentation about what constitutes a compliant vs non-compliant policy, helping users better understand security controls. No evidence of addressing a specific security vulnerability.

Diff

diff --git a/config/latest/developerguide/s3-bucket-public-write-prohibited.md b/config/latest/developerguide/s3-bucket-public-write-prohibited.md
index 96124b7c6..995c05e70 100644
--- a//config/latest/developerguide/s3-bucket-public-write-prohibited.md
+++ b//config/latest/developerguide/s3-bucket-public-write-prohibited.md
@@ -35 +35 @@ This rule does not evaluate changes to account level public block access. To che
-To be considered non-public, an S3 bucket policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables).
+To be considered non-public, an S3 bucket policy must grant access only to fixed values. This means a policy is NON_COMPLIANT if it grants access to a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables). A fixed value containing a wildcard can still be COMPLIANT.