AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-25 · Documentation low

File: cli/latest/reference/s3api/put-bucket-inventory-configuration.md

Summary

Updated AWS CLI documentation for S3 inventory configuration to add comprehensive support for directory buckets, including endpoint requirements, permission differences (s3express:PutInventoryConfiguration), supported optional fields, and unsupported headers.

Security assessment

The changes document security-relevant differences for directory buckets, specifically that they require IAM identity-based policies with s3express:PutInventoryConfiguration permission instead of bucket policies. This clarifies proper access control configuration for directory buckets, which is a security best practice. However, there is no evidence this addresses a specific security vulnerability or incident.

Diff

diff --git a/cli/latest/reference/s3api/put-bucket-inventory-configuration.md b/cli/latest/reference/s3api/put-bucket-inventory-configuration.md
index a4bf5fa6b..36b76f774 100644
--- a//cli/latest/reference/s3api/put-bucket-inventory-configuration.md
+++ b//cli/latest/reference/s3api/put-bucket-inventory-configuration.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.34 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.37 Command Reference](../../index.html) »
@@ -60,4 +59,0 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c
-### Note
-
-This operation is not supported for directory buckets.
-
@@ -73,0 +70,4 @@ You must create a bucket policy on the _destination_ bucket to grant permissions
+### Note
+
+> **Directory buckets** \- For directory buckets, you must make requests for this API operation to the Regional endpoint. These endpoints support path-style requests in the format ``<https://s3express-control.*region-code*> .amazonaws.com/_bucket-name_ `` . Virtual-hosted-style requests aren’t supported. For more information about endpoints in Availability Zones, see [Regional and Zonal endpoints for directory buckets in Availability Zones](https://docs.aws.amazon.com/AmazonS3/latest/userguide/endpoint-directory-buckets-AZ.html) in the _Amazon S3 User Guide_ . For more information about endpoints in Local Zones, see [Concepts for directory buckets in Local Zones](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-lzs-for-directory-buckets.html) in the _Amazon S3 User Guide_ .
+
@@ -80 +80,4 @@ The `s3:PutInventoryConfiguration` permission allows a user to create an [S3 Inv
-To restrict access to an inventory report, see [Restricting access to an Amazon S3 Inventory report](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-10) in the _Amazon S3 User Guide_ . For more information about the metadata fields available in S3 Inventory, see [Amazon S3 Inventory lists](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-inventory.html#storage-inventory-contents) in the _Amazon S3 User Guide_ . For more information about permissions, see [Permissions related to bucket subresource operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources) and [Identity and access management in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html) in the _Amazon S3 User Guide_ .
+  * **General purpose bucket permissions** \- The `s3:PutInventoryConfiguration` permission is required in a policy. For more information about general purpose buckets permissions, see [Using Bucket Policies and User Policies](https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html) in the _Amazon S3 User Guide_ .
+  * **Directory bucket permissions** \- To grant access to this API operation, you must have the `s3express:PutInventoryConfiguration` permission in an IAM identity-based policy instead of a bucket policy. For more information about directory bucket policies and permissions, see [Amazon Web Services Identity and Access Management (IAM) for S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html) in the _Amazon S3 User Guide_ .
+
+
@@ -81,0 +85,6 @@ To restrict access to an inventory report, see [Restricting access to an Amazon
+To restrict access to an inventory report, see [Restricting access to an Amazon S3 Inventory report](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-s3-inventory) in the _Amazon S3 User Guide_ . For more information about the metadata fields available in S3 Inventory, see [Amazon S3 Inventory lists](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-inventory.html#storage-inventory-contents) in the _Amazon S3 User Guide_ . For more information about permissions, see [Permissions related to bucket subresource operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources) and [Identity and access management in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html) in the _Amazon S3 User Guide_ .
+
+> > HTTP Host header syntax
+> 
+> **Directory buckets** \- The HTTP Host header syntax is `s3express-control.*region-code* .amazonaws.com` .
+> 
@@ -149,0 +159,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/s3-200
+>
+>> **Directory buckets** \- When you use this operation with a directory bucket, you must use path-style requests in the format `https://s3express-control.*region-code* .amazonaws.com/*bucket-name* `` . Virtual-hosted-style requests aren't supported. Directory bucket names must be unique in the chosen Zone (Availability Zone or Local Zone). Bucket names must also follow the format `` *bucket-base-name* --*zone-id* --x-s3` (for example, `` _DOC-EXAMPLE-BUCKET_ – _usw2-az1_ –x-s3`` ). For information about bucket naming restrictions, see [Directory bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html) in the _Amazon S3 User Guide_
@@ -241,0 +253,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/s3-200
+>> ### Note
+>> 
+>> The following optional fields are supported for directory buckets `Size | LastModifiedDate | StorageClass | ETag | IsMultipartUploaded | EncryptionStatus | BucketKeyStatus | ChecksumAlgorithm | LifecycleExpirationDate.` Throws MalformedXML error if unsupported optional field is provided.
+>> 
@@ -315,0 +331,4 @@ JSON Syntax:
+> 
+> ### Note
+> 
+> For directory buckets, this header is not supported in this API operation. If you specify this header, the request fails with the HTTP status code `501 Not Implemented` .
@@ -476 +495 @@ None
-  * [AWS CLI 2.34.34 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.37 Command Reference](../../index.html) »