AWS AmazonS3 documentation change
Summary
Clarified bucket policy examples for conditional deletes, explaining the need for s3:GetObject permission when using specific ETag values and the behavior of If-Match: *.
Security assessment
The change adds important clarification about permission requirements for conditional delete operations. It explains that conditional deletes with specific ETag values require both s3:DeleteObject and s3:GetObject permissions, while If-Match: * only requires s3:DeleteObject. This improves documentation of a security feature (conditional delete enforcement) but does not indicate a security vulnerability was addressed.
Diff
diff --git a/AmazonS3/latest/userguide/conditional-delete-enforce.md b/AmazonS3/latest/userguide/conditional-delete-enforce.md index 5c5c4cdca..19f6a7497 100644 --- a//AmazonS3/latest/userguide/conditional-delete-enforce.md +++ b//AmazonS3/latest/userguide/conditional-delete-enforce.md @@ -24 +24 @@ The following examples show how to use conditions in a bucket policy to force cl -You can use this bucket policy to only allow conditional deletes using `DeleteObject` and `DeleteObjects` requests that include the `If-Match` header with the `ETag` value. All non-conditional deletes would be denied and conditional deletes would pass. +You can use this bucket policy to only allow conditional deletes using `DeleteObject` and `DeleteObjects` requests that include the `If-Match` header with the `ETag` value. The `Null` condition ensures the `If-Match` header is present, and the `s3:GetObject` permission is granted because conditional deletes with a specific ETag value require both `s3:DeleteObject` and `s3:GetObject` permissions. All non-conditional deletes would be denied and conditional deletes would pass. @@ -58 +58 @@ You can use this bucket policy to only allow conditional deletes using `DeleteOb -You can use this bucket policy to only allow conditional deletes using `DeleteObject` and `DeleteObjects` requests that include the `If-Match` header with `*` value. All non-conditional deletes would be denied and conditional deletes would pass. +You can use this bucket policy to only allow conditional deletes using `DeleteObject` and `DeleteObjects` requests that include the `If-Match` header with the `*` value. The `Null` condition ensures the `If-Match` header is present. Because `s3:GetObject` is not granted, conditional deletes with a specific ETag value will fail – only `If-Match: *` (which checks object existence and requires only `s3:DeleteObject` permission) will succeed. All non-conditional deletes would be denied, and only `If-Match: *` conditional deletes would succeed.