AWS config documentation change
Summary
Clarified when S3 bucket policies are considered non-compliant for public write access, adding that fixed values containing wildcards can still be compliant
Security assessment
This change clarifies AWS Config rule behavior for S3 bucket public write access policies. It provides more precise documentation about what constitutes a compliant vs non-compliant policy, helping users better understand security controls. No evidence of addressing a specific security vulnerability.
Diff
diff --git a/config/latest/developerguide/s3-bucket-public-write-prohibited.md b/config/latest/developerguide/s3-bucket-public-write-prohibited.md index 96124b7c6..995c05e70 100644 --- a//config/latest/developerguide/s3-bucket-public-write-prohibited.md +++ b//config/latest/developerguide/s3-bucket-public-write-prohibited.md @@ -35 +35 @@ This rule does not evaluate changes to account level public block access. To che -To be considered non-public, an S3 bucket policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables). +To be considered non-public, an S3 bucket policy must grant access only to fixed values. This means a policy is NON_COMPLIANT if it grants access to a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables). A fixed value containing a wildcard can still be COMPLIANT.