AWS AmazonS3 documentation change
Summary
Added three new bucket policy examples (9-11) for annotation operations: prefix-based access control, conditional write enforcement, and pagination size limiting.
Security assessment
The changes demonstrate security best practices (access control, concurrency control, and DOS prevention) but lack evidence of addressing a specific security vulnerability. They proactively document security features rather than fix issues.
Diff
diff --git a/AmazonS3/latest/userguide/amazon-s3-policy-keys.md b/AmazonS3/latest/userguide/amazon-s3-policy-keys.md index b1bd8c97a..7ae38b3cb 100644 --- a//AmazonS3/latest/userguide/amazon-s3-policy-keys.md +++ b//AmazonS3/latest/userguide/amazon-s3-policy-keys.md @@ -42,0 +43,6 @@ Several of the example policies show how you can use conditions keys with [PUT O + * Example 9: Restricting annotation access by name prefix + + * Example 10: Requiring conditional writes for annotation operations + + * Example 11: Limiting pagination size for ListObjectAnnotations + @@ -333,0 +340,77 @@ For bucket policy examples that use conditions in a bucket policy to enforce con +### Example 9: Restricting annotation access by name prefix + +The following bucket policy grants the `s3user` user permission to create, retrieve, and delete annotations that have names beginning with `ml-output.`. This allows you to restrict annotation access by annotation name prefix. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:user/s3user" + }, + "Action": [ + "s3:PutObjectAnnotation", + "s3:GetObjectAnnotation", + "s3:DeleteObjectAnnotation" + ], + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", + "Condition": { + "StringLike": { + "s3:annotation-prefix": "ml-output.*" + } + } + } + ] + } + +### Example 10: Requiring conditional writes for annotation operations + +The following bucket policy denies `PutObjectAnnotation` and `DeleteObjectAnnotation` requests unless the caller includes the `x-amz-object-if-match` conditional header. This enforces optimistic concurrency control for all annotation writes on the bucket. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "RequireConditionalWritesForAnnotations", + "Effect": "Deny", + "Principal": "*", + "Action": [ + "s3:PutObjectAnnotation", + "s3:DeleteObjectAnnotation" + ], + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", + "Condition": { + "Null": { + "s3:x-amz-object-if-match": "true" + } + } + } + ] + } + +### Example 11: Limiting pagination size for ListObjectAnnotations + +The following bucket policy limits the `max-annotation-results` parameter to 100 or fewer for all `ListObjectAnnotations` requests. This prevents callers from requesting excessively large result sets. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "LimitAnnotationListPageSize", + "Effect": "Deny", + "Principal": "*", + "Action": "s3:ListObjectAnnotation", + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", + "Condition": { + "NumericGreaterThan": { + "s3:max-annotation-results": "100" + } + } + } + ] + } +