AWS AmazonS3 documentation change
Summary
Added IAM role configuration options and requirements for annotation tables, including role creation/selection methods and mandatory Role field in configuration JSON.
Security assessment
The changes document security-related IAM role requirements for accessing annotation tables but don't address a specific vulnerability. They enhance security documentation by explaining permission controls.
Diff
diff --git a/AmazonS3/latest/userguide/metadata-tables-enable-disable-annotation-tables.md b/AmazonS3/latest/userguide/metadata-tables-enable-disable-annotation-tables.md index f3555e474..978aac769 100644 --- a//AmazonS3/latest/userguide/metadata-tables-enable-disable-annotation-tables.md +++ b//AmazonS3/latest/userguide/metadata-tables-enable-disable-annotation-tables.md @@ -136 +136,11 @@ Before you choose **Enabled** , make sure that you've reviewed and met the prere - * If you chose **Enabled** , you can choose whether to encrypt your table with server-side encryption using AWS Key Management Service (AWS KMS) keys (SSE-KMS). By default, annotation tables are encrypted with server-side encryption using Amazon S3 managed keys (SSE-S3). + * If you chose **Enabled** , under **IAM role** , choose one of the following IAM role selection methods: + + * **Create new IAM role** – Amazon S3 creates a new IAM role with the required permissions for the annotation table. + + * **Choose from existing IAM roles** – Select an existing IAM role from the **IAM role** dropdown. The role must have the required permissions to read annotations from your bucket. + + * **Enter IAM role ARN** – Enter the ARN of an existing IAM role that has the required permissions. + +For more information about the required permissions for the annotation table IAM role, see Annotation table IAM role. + +You can also choose whether to encrypt your table with server-side encryption using AWS Key Management Service (AWS KMS) keys (SSE-KMS). By default, annotation tables are encrypted with server-side encryption using Amazon S3 managed keys (SSE-S3). @@ -174,0 +185 @@ To encrypt your annotation table with server-side encryption using AWS Key Manag + "Role": "arn:aws:iam::account-id:role/annotation-table-role", @@ -180,0 +192,2 @@ To encrypt your annotation table with server-side encryption using AWS Key Manag +The `Role` field is required when enabling an annotation table for the first time or when changing the IAM role. The role must grant Amazon S3 Metadata permission to read annotations from your bucket. For more information, see Annotation table IAM role. +