AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2026-04-10 · Documentation medium

File: AmazonS3/latest/userguide/conditional-delete-enforce.md

Summary

Clarified bucket policy examples for conditional deletes, explaining the need for s3:GetObject permission when using specific ETag values and the behavior of If-Match: *.

Security assessment

The change adds important clarification about permission requirements for conditional delete operations. It explains that conditional deletes with specific ETag values require both s3:DeleteObject and s3:GetObject permissions, while If-Match: * only requires s3:DeleteObject. This improves documentation of a security feature (conditional delete enforcement) but does not indicate a security vulnerability was addressed.

Diff

diff --git a/AmazonS3/latest/userguide/conditional-delete-enforce.md b/AmazonS3/latest/userguide/conditional-delete-enforce.md
index 5c5c4cdca..19f6a7497 100644
--- a//AmazonS3/latest/userguide/conditional-delete-enforce.md
+++ b//AmazonS3/latest/userguide/conditional-delete-enforce.md
@@ -24 +24 @@ The following examples show how to use conditions in a bucket policy to force cl
-You can use this bucket policy to only allow conditional deletes using `DeleteObject` and `DeleteObjects` requests that include the `If-Match` header with the `ETag` value. All non-conditional deletes would be denied and conditional deletes would pass. 
+You can use this bucket policy to only allow conditional deletes using `DeleteObject` and `DeleteObjects` requests that include the `If-Match` header with the `ETag` value. The `Null` condition ensures the `If-Match` header is present, and the `s3:GetObject` permission is granted because conditional deletes with a specific ETag value require both `s3:DeleteObject` and `s3:GetObject` permissions. All non-conditional deletes would be denied and conditional deletes would pass.
@@ -58 +58 @@ You can use this bucket policy to only allow conditional deletes using `DeleteOb
-You can use this bucket policy to only allow conditional deletes using `DeleteObject` and `DeleteObjects` requests that include the `If-Match` header with `*` value. All non-conditional deletes would be denied and conditional deletes would pass. 
+You can use this bucket policy to only allow conditional deletes using `DeleteObject` and `DeleteObjects` requests that include the `If-Match` header with the `*` value. The `Null` condition ensures the `If-Match` header is present. Because `s3:GetObject` is not granted, conditional deletes with a specific ETag value will fail – only `If-Match: *` (which checks object existence and requires only `s3:DeleteObject` permission) will succeed. All non-conditional deletes would be denied, and only `If-Match: *` conditional deletes would succeed.