AWS AmazonS3 documentation change
Summary
Removed 's3:PutObject' from required permissions for UpdateObjectEncryption operation
Security assessment
The change corrects documentation about required permissions but doesn't indicate any security vulnerability fix. It clarifies policy requirements without evidence of patching a security flaw.
Diff
diff --git a/AmazonS3/latest/userguide/using-with-s3-policy-actions.md b/AmazonS3/latest/userguide/using-with-s3-policy-actions.md index bcea54464..e73f292bc 100644 --- a//AmazonS3/latest/userguide/using-with-s3-policy-actions.md +++ b//AmazonS3/latest/userguide/using-with-s3-policy-actions.md @@ -283 +283 @@ API operations | Policy actions | Description of policy actions -[UpdateObjectEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UpdateObjectEncryption.html) | (Required) `s3:UpdateObjectEncryption`, `s3:PutObject`, `kms:Encrypt`, `kms:Decrypt`, `kms:GenerateDataKey`, `kms:ReEncrypt*` | Required if you want to change encrypted objects between server-side encryption with Amazon S3 managed encryption (SSE-S3) and server-side encryption with AWS Key Management Service (AWS KMS) encryption keys (SSE-KMS). You can also use the `UpdateObjectEncryption` operation to apply S3 Bucket Keys to reduce AWS KMS request costs or change the customer-managed KMS key that's used to encrypt your data so that you can comply with custom key-rotation standards. +[UpdateObjectEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UpdateObjectEncryption.html) | (Required) `s3:UpdateObjectEncryption`, `kms:Encrypt`, `kms:Decrypt`, `kms:GenerateDataKey`, `kms:ReEncrypt*` | Required if you want to change encrypted objects between server-side encryption with Amazon S3 managed encryption (SSE-S3) and server-side encryption with AWS Key Management Service (AWS KMS) encryption keys (SSE-KMS). You can also use the `UpdateObjectEncryption` operation to apply S3 Bucket Keys to reduce AWS KMS request costs or change the customer-managed KMS key that's used to encrypt your data so that you can comply with custom key-rotation standards.