AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2026-06-19 · Documentation low

File: AmazonS3/latest/userguide/amazon-s3-policy-keys.md

Summary

Added three new bucket policy examples (9-11) for annotation operations: prefix-based access control, conditional write enforcement, and pagination size limiting.

Security assessment

The changes demonstrate security best practices (access control, concurrency control, and DOS prevention) but lack evidence of addressing a specific security vulnerability. They proactively document security features rather than fix issues.

Diff

diff --git a/AmazonS3/latest/userguide/amazon-s3-policy-keys.md b/AmazonS3/latest/userguide/amazon-s3-policy-keys.md
index b1bd8c97a..7ae38b3cb 100644
--- a//AmazonS3/latest/userguide/amazon-s3-policy-keys.md
+++ b//AmazonS3/latest/userguide/amazon-s3-policy-keys.md
@@ -42,0 +43,6 @@ Several of the example policies show how you can use conditions keys with [PUT O
+  * Example 9: Restricting annotation access by name prefix
+
+  * Example 10: Requiring conditional writes for annotation operations
+
+  * Example 11: Limiting pagination size for ListObjectAnnotations
+
@@ -333,0 +340,77 @@ For bucket policy examples that use conditions in a bucket policy to enforce con
+### Example 9: Restricting annotation access by name prefix
+
+The following bucket policy grants the `s3user` user permission to create, retrieve, and delete annotations that have names beginning with `ml-output.`. This allows you to restrict annotation access by annotation name prefix.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "arn:aws:iam::123456789012:user/s3user"
+                },
+                "Action": [
+                    "s3:PutObjectAnnotation",
+                    "s3:GetObjectAnnotation",
+                    "s3:DeleteObjectAnnotation"
+                ],
+                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
+                "Condition": {
+                    "StringLike": {
+                        "s3:annotation-prefix": "ml-output.*"
+                    }
+                }
+            }
+        ]
+    }
+
+### Example 10: Requiring conditional writes for annotation operations
+
+The following bucket policy denies `PutObjectAnnotation` and `DeleteObjectAnnotation` requests unless the caller includes the `x-amz-object-if-match` conditional header. This enforces optimistic concurrency control for all annotation writes on the bucket.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "RequireConditionalWritesForAnnotations",
+                "Effect": "Deny",
+                "Principal": "*",
+                "Action": [
+                    "s3:PutObjectAnnotation",
+                    "s3:DeleteObjectAnnotation"
+                ],
+                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
+                "Condition": {
+                    "Null": {
+                        "s3:x-amz-object-if-match": "true"
+                    }
+                }
+            }
+        ]
+    }
+
+### Example 11: Limiting pagination size for ListObjectAnnotations
+
+The following bucket policy limits the `max-annotation-results` parameter to 100 or fewer for all `ListObjectAnnotations` requests. This prevents callers from requesting excessively large result sets.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "LimitAnnotationListPageSize",
+                "Effect": "Deny",
+                "Principal": "*",
+                "Action": "s3:ListObjectAnnotation",
+                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
+                "Condition": {
+                    "NumericGreaterThan": {
+                        "s3:max-annotation-results": "100"
+                    }
+                }
+            }
+        ]
+    }
+