AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2026-06-04 · Documentation low

File: AmazonS3/latest/userguide/troubleshoot-403-errors.md

Summary

Updated documentation links, clarified IAM permission requirements for bucket policy operations, improved example descriptions, and corrected external resource references.

Security assessment

Changes involve routine documentation maintenance: link updates, clarifying IAM permissions (GetBucketPolicy for view vs PutBucketPolicy for edit), and example improvements. No evidence of addressing a specific security vulnerability or incident. Security implications are indirect through improved clarity of permission requirements.

Diff

diff --git a/AmazonS3/latest/userguide/troubleshoot-403-errors.md b/AmazonS3/latest/userguide/troubleshoot-403-errors.md
index 5103745f7..3404c9841 100644
--- a//AmazonS3/latest/userguide/troubleshoot-403-errors.md
+++ b//AmazonS3/latest/userguide/troubleshoot-403-errors.md
@@ -20 +20 @@ Access denied (HTTP `403 Forbidden`) errors appear when AWS explicitly or implic
-Because an AWS Identity and Access Management (IAM) policy implicitly denies an IAM principal by default, the policy must explicitly allow the principal to perform an action. Otherwise, the policy implicitly denies access. For more information, see [The difference between explicit and implicit denies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#AccessPolicyLanguage_Interplay) in the _IAM User Guide_. For information about the policy evaluation logic that determines whether an access request is allowed or denied, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the _IAM User Guide_. 
+Because an AWS Identity and Access Management (IAM) policy implicitly denies an IAM principal by default, the policy must explicitly allow the principal to perform an action. Otherwise, the policy implicitly denies access. For more information, see [The difference between explicit and implicit denies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic_AccessPolicyLanguage_Interplay.html) in the _IAM User Guide_. For information about the policy evaluation logic that determines whether an access request is allowed or denied, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the _IAM User Guide_. 
@@ -137 +137 @@ For more information about this setting, see [Blocking or unblocking SSE-C for a
-  2. Update your SCP by adding the `Allow` statement. For more information, see [Updating an SCP](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html#update_policy) in the _AWS Organizations User Guide_.
+  2. Update your SCP by adding the `Allow` statement. For more information, see [Updating an SCP](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_policies_update.html#update_policy) in the _AWS Organizations User Guide_.
@@ -150 +150 @@ For more information about this setting, see [Blocking or unblocking SSE-C for a
-  2. Update your SCP by changing the `Deny` statement to allow the user the necessary access. For an example of how you can do this, see [Prevent IAM users and roles from making specified changes, with an exception for a specified admin role](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-restricts-with-exception) in the _AWS Organizations User Guide_. For more information about updating your SCP, see [Updating an SCP](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html#update_policy) in the _AWS Organizations User Guide_.
+  2. Update your SCP by changing the `Deny` statement to allow the user the necessary access. For an example of how you can do this, see [Service control policy examples](https://github.com/aws-samples/service-control-policy-examples) on GitHub. For more information about updating your SCP, see [Updating an SCP](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_policies_update.html#update_policy) in the _AWS Organizations User Guide_.
@@ -281 +281 @@ You might also need to adjust your `RestrictPublicBuckets` block public access s
-  1. Check for a missing `Allow` statement for the action in identity-based policies attached to the identity. For the following example, the action is `s3:GetObject` attached to the user `MaryMajor`.
+  1. Check for a missing `Allow` statement for the action in identity-based policies attached to the identity. For the following example, the action is `s3:GetObject` and the identity is the IAM user `MaryMajor`.
@@ -294 +294 @@ You might also need to adjust your `RestrictPublicBuckets` block public access s
-  1. Check for an explicit `Deny` statement for the action in identity-based policies attached to the identity. For the following example, the action is `s3:GetObject` attached to the user `MaryMajor`.
+  1. Check for an explicit `Deny` statement for the action in identity-based policies attached to the identity. For the following example, the action is `s3:GetObject` and the identity is the IAM user `MaryMajor`.
@@ -392 +392 @@ By including the `--request-payer requester` parameter or setting the `x-amz-req
-If there is no bucket policy in place, then the bucket implicitly allows requests from any AWS Identity and Access Management (IAM) identity in the bucket-owner's account. The bucket also implicitly denies requests from any other IAM identities from any other accounts, and anonymous (unsigned) requests. However, if there is no IAM user policy in place, the requester (unless they're the AWS account root user) is implicitly denied from making any requests. For more information about this evaluation logic, see [Determining whether a request is denied or allowed within an account](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) in the _IAM User Guide_.
+If there is no bucket policy in place, then the bucket implicitly allows requests from any AWS Identity and Access Management (IAM) identity in the bucket-owner's account. The bucket also implicitly denies requests from any other IAM identities from any other accounts, and anonymous (unsigned) requests. However, if there is no IAM user policy in place, the requester (unless they're the AWS account root user) is implicitly denied from making any requests. For more information about this evaluation logic, see [Determining whether a request is denied or allowed within an account](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic_policy-eval-denyallow.html) in the _IAM User Guide_.
@@ -417 +417 @@ Therefore, to ensure that your bucket policy or IAM user policy isn't causing an
-To view or edit a bucket policy, you must have the `s3:GetBucketPolicy` permission.
+To view a bucket policy, you must have the `s3:GetBucketPolicy` permission. To edit a bucket policy, you must have the `s3:PutBucketPolicy` permission.
@@ -432 +432 @@ To view or edit a bucket policy, you must have the `s3:GetBucketPolicy` permissi
-To review or edit your bucket policy by using the AWS Command Line Interface (AWS CLI), use the [get-bucket-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html) command.
+To review your bucket policy by using the AWS Command Line Interface (AWS CLI), use the [get-bucket-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html) command. To edit your bucket policy, use the [put-bucket-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html) command.
@@ -598 +598 @@ Based on your encryption settings, make sure that the following permissions requ
-  * **SSE-C (with a customer provided key)** – No additional permissions are required. You can configure the bucket policy to [require and restrict server-side encryption with customer-provided encryption keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#ssec-require-condition-key) for objects in your bucket.
+  * **SSE-C (with a customer provided key)** – No additional permissions are required. You can configure the bucket policy to [require and restrict server-side encryption with customer-provided encryption keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-s3-c-encryption.html#example-bucket-policy-to-enforce-sse-c-encryption) for objects in your bucket.
@@ -733 +733 @@ For more guidance on Access Denied (403 Forbidden) errors you can check the foll
-  * [Why do I get a 403 Forbidden error when I try to access an Amazon S3 bucket or object?](https://repost.aws/knowledge-center/s3-403-forbidden-error) in the AWS re:Post Knowledge Center.
+  * [Why am I getting a "403 Forbidden" error when I try to upload files in Amazon S3?](https://repost.aws/knowledge-center/s3-403-forbidden-error) in the AWS re:Post Knowledge Center.