AWS AmazonS3 documentation change
Summary
Added a markdown link at the top and a new section 'Using VPC endpoint policy conditions with table bucket policies' with example policy and explanation of VPC endpoint condition keys
Security assessment
This change adds documentation about using VPC endpoint policy conditions (aws:SourceVpce, aws:SourceVpc, aws:VpcSourceIp) and the aws:CalledVia condition key to restrict access to S3 Tables resources. It explains a security best practice for network isolation and provides a policy example. However, there is no evidence of a specific security vulnerability being addressed; it appears to be general security guidance.
Diff
diff --git a/AmazonS3/latest/userguide/s3-tables-VPC.md b/AmazonS3/latest/userguide/s3-tables-VPC.md index 30c8858f8..b3358cfae 100644 --- a//AmazonS3/latest/userguide/s3-tables-VPC.md +++ b//AmazonS3/latest/userguide/s3-tables-VPC.md @@ -0,0 +1,2 @@ +[View a markdown version of this page](s3-tables-VPC.md) + @@ -5 +7 @@ -Creating VPC endpointsAccessing S3 Tables endpoints with the AWS CLIConfiguring a VPC network when using query enginesDual-stack endpointsRestricting access to S3 Tables within the VPC network +Creating VPC endpointsAccessing S3 Tables endpoints with the AWS CLIConfiguring a VPC network when using query enginesDual-stack endpointsVPC endpoint policy conditionsRestricting access to S3 Tables within the VPC network @@ -26,0 +29,2 @@ To learn more about using AWS PrivateLink to create and work with endpoints for + * Using VPC endpoint policy conditions with table bucket policies + @@ -133,0 +138,40 @@ If your network supports IPv6 and you want to update your VPC to enable IPv6 you +## Using VPC endpoint policy conditions with table bucket policies + +You can use the `aws:SourceVpce`, `aws:SourceVpc`, and `aws:VpcSourceIp` condition keys in a table bucket policy to restrict access to table bucket resources from a specific VPC or VPC endpoint. For more information about these condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the _IAM User Guide_. + +When using the [Iceberg REST APIs](./s3-tables-integrating-open-source.html), S3 Tables makes requests to Amazon S3 on your behalf to read and write table metadata. When an Iceberg REST API request is made through a VPC endpoint, the source VPC of the initial request is not preserved in the table metadata requests to Amazon S3. If your table bucket policy restricts access using these condition keys, you must also add a condition for `aws:CalledVia` to allow these table metadata requests from S3 Tables. + +The following example table bucket policy denies all S3 Tables actions unless the request comes from the specified VPC endpoint or is a request made by the Amazon S3 Tables Iceberg REST endpoint on your behalf. + +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "RestrictToVPCe", + "Effect": "Deny", + "Principal": "*", + "Action": "s3tables:*", + "Resource": [ + "arn:aws:s3tables:us-east-1:111122223333:bucket/amzn-s3-demo-bucket", + "arn:aws:s3tables:us-east-1:111122223333:bucket/amzn-s3-demo-bucket/*" + ], + "Condition": { + "StringNotEquals": { + "aws:SourceVpce": "vpce-1a2b3c4d" + }, + "ForAllValues:StringNotEquals": { + "aws:CalledVia": "s3tables.amazonaws.com" + } + } + } + ] + } + +