AWS Security ChangesHomeSearch

AWS res medium security documentation change

Service: res · 2026-06-22 · Security-related medium

File: res/archive/release-minus-1/ug/S3-buckets-preventing-exfiltration.md

Summary

Added security note about S3 control plane operations in VPC endpoint policy example.

Security assessment

Added warning about metadata exfiltration risks through S3 control plane operations (event notifications, replication) and recommended explicit Deny statements. This addresses a data leakage vulnerability in the example policy.

Diff

diff --git a/res/archive/release-minus-1/ug/S3-buckets-preventing-exfiltration.md b/res/archive/release-minus-1/ug/S3-buckets-preventing-exfiltration.md
index 42e17c294..365950ac4 100644
--- a//res/archive/release-minus-1/ug/S3-buckets-preventing-exfiltration.md
+++ b//res/archive/release-minus-1/ug/S3-buckets-preventing-exfiltration.md
@@ -42,0 +43,4 @@ To prevent users from exfiltrating data from secure S3 buckets into their own S3
+###### Note
+
+This example policy uses `s3:*` and does not restrict S3 control plane operations such as event notification configuration, replication, or inventory. These operations could allow object metadata (such as bucket names and object keys) to be sent to cross-account destinations. If this is a concern, add explicit Deny statements for the relevant S3 control plane actions in the VPC endpoint policy.
+