AWS AmazonS3 documentation change
Summary
Added iam:PassRole requirement for annotation tables, included new UpdateBucketMetadataAnnotationTableConfiguration permission, and added KMS key resources to policies.
Security assessment
Documents proper IAM role passing and encryption (KMS) requirements for metadata tables. Enhances security posture but doesn't address a specific vulnerability.
Diff
diff --git a/AmazonS3/latest/userguide/metadata-tables-permissions.md b/AmazonS3/latest/userguide/metadata-tables-permissions.md index 649591bbf..41ee85c8a 100644 --- a//AmazonS3/latest/userguide/metadata-tables-permissions.md +++ b//AmazonS3/latest/userguide/metadata-tables-permissions.md @@ -26,0 +27,9 @@ The `s3:CreateBucketMetadataTableConfiguration`, `s3:GetBucketMetadataTableConfi + * `iam:PassRole` – To create an Amazon S3 Metadata configuration that includes an annotation table, you need this permission to pass the annotation table IAM role. Add the following statement to your caller's IAM policy: + + { + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::123456789012:role/annotation-table-role", + "Condition": {"StringEquals": {"iam:PassedToService": "metadata.s3.amazonaws.com"}} + } + @@ -88,6 +96,0 @@ When you create your metadata table configuration, your metadata tables are stor -JSON - - -**** - - @@ -106,0 +110 @@ JSON + "s3:UpdateBucketMetadataAnnotationTableConfiguration", @@ -113 +117,2 @@ JSON - "arn:aws:s3tables:us-east-1:111122223333:bucket/aws-s3/table/*" + "arn:aws:s3tables:us-east-1:111122223333:bucket/aws-s3/table/*", + "arn:aws:kms:Region:Account:key/KmsKeyId" @@ -122,6 +125,0 @@ To query metadata tables, you can use the following example policy. If your meta -JSON - - -**** - - @@ -143 +141,2 @@ JSON - "arn:aws:s3tables:us-east-1:111122223333:bucket/aws-s3/table/*" + "arn:aws:s3tables:us-east-1:111122223333:bucket/aws-s3/table/*", + "arn:aws:kms:Region:Account:key/KmsKeyId"