AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2026-06-22 · Documentation low

File: AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-inventory.md

Summary

Added new permissions (s3:GetObjectAnnotation and s3:GetObjectVersionAnnotation) to IAM policies and updated descriptions for cross-account inventory batch operations

Security assessment

Adds documentation for new annotation-related permissions in cross-account scenarios. This updates security documentation by specifying required permissions but doesn't address any disclosed vulnerability or security incident.

Diff

diff --git a/AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-inventory.md b/AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-inventory.md
index 37501ac87..9a224c5f0 100644
--- a//AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-inventory.md
+++ b//AmazonS3/latest/userguide/specify-batchjob-manifest-xaccount-inventory.md
@@ -57,6 +56,0 @@ Then choose **Create policy** to attach the following policy to the role. To use
-JSON
-    
-
-****
-    
-    
@@ -80 +74,3 @@ JSON
-            "s3:GetObjectVersionTagging"
+            "s3:GetObjectVersionTagging",
+            "s3:GetObjectAnnotation",
+            "s3:GetObjectVersionAnnotation"
@@ -90,0 +87 @@ JSON
+The role uses the policy to grant `batchoperations.s3.amazonaws.com` permission to read the manifest in the destination bucket. It also grants permissions to `GET` objects, access control lists (ACLs), tags, annotations, and versions in the source object bucket. And it grants permissions to `PUT` objects, ACLs, tags, and versions into the destination object bucket.
@@ -92,3 +89 @@ JSON
-The role uses the policy to grant `batchoperations.s3.amazonaws.com` permission to read the manifest in the destination bucket. It also grants permissions to `GET` objects, access control lists (ACLs), tags, and versions in the source object bucket. And it grants permissions to `PUT` objects, ACLs, tags, and versions into the destination object bucket.
-
-  8. In the source account, create a bucket policy for the source bucket that grants the role that you created in the previous step permissions to `GET` objects, ACLs, tags, and versions in the source bucket. This step allows S3 Batch Operations to get objects from the source bucket through the trusted role.
+  8. In the source account, create a bucket policy for the source bucket that grants the role that you created in the previous step permissions to `GET` objects, ACLs, tags, annotations, and versions in the source bucket. This step allows S3 Batch Operations to get objects from the source bucket through the trusted role.
@@ -98,6 +92,0 @@ The following is an example of the bucket policy for the source account. To use
-JSON
-    
-
-****
-    
-    
@@ -119 +108,3 @@ JSON
-                    "s3:GetObjectVersionTagging"
+                    "s3:GetObjectVersionTagging",
+                    "s3:GetObjectAnnotation",
+                    "s3:GetObjectVersionAnnotation"