AWS AmazonS3 documentation change
Summary
Added new permissions (s3:GetObjectAnnotation and s3:GetObjectVersionAnnotation) to IAM policies and updated descriptions for cross-account inventory batch operations
Security assessment
Adds documentation for new annotation-related permissions in cross-account scenarios. This updates security documentation by specifying required permissions but doesn't address any disclosed vulnerability or security incident.
Diff
diff --git a/AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-inventory.md b/AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-inventory.md index 37501ac87..9a224c5f0 100644 --- a//AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-inventory.md +++ b//AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-inventory.md @@ -57,6 +56,0 @@ Then choose **Create policy** to attach the following policy to the role. To use -JSON - - -**** - - @@ -80 +74,3 @@ JSON - "s3:GetObjectVersionTagging" + "s3:GetObjectVersionTagging", + "s3:GetObjectAnnotation", + "s3:GetObjectVersionAnnotation" @@ -90,0 +87 @@ JSON +The role uses the policy to grant `batchoperations.s3.amazonaws.com` permission to read the manifest in the destination bucket. It also grants permissions to `GET` objects, access control lists (ACLs), tags, annotations, and versions in the source object bucket. And it grants permissions to `PUT` objects, ACLs, tags, and versions into the destination object bucket. @@ -92,3 +89 @@ JSON -The role uses the policy to grant `batchoperations.s3.amazonaws.com` permission to read the manifest in the destination bucket. It also grants permissions to `GET` objects, access control lists (ACLs), tags, and versions in the source object bucket. And it grants permissions to `PUT` objects, ACLs, tags, and versions into the destination object bucket. - - 8. In the source account, create a bucket policy for the source bucket that grants the role that you created in the previous step permissions to `GET` objects, ACLs, tags, and versions in the source bucket. This step allows S3 Batch Operations to get objects from the source bucket through the trusted role. + 8. In the source account, create a bucket policy for the source bucket that grants the role that you created in the previous step permissions to `GET` objects, ACLs, tags, annotations, and versions in the source bucket. This step allows S3 Batch Operations to get objects from the source bucket through the trusted role. @@ -98,6 +92,0 @@ The following is an example of the bucket policy for the source account. To use -JSON - - -**** - - @@ -119 +108,3 @@ JSON - "s3:GetObjectVersionTagging" + "s3:GetObjectVersionTagging", + "s3:GetObjectAnnotation", + "s3:GetObjectVersionAnnotation"