AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2026-06-28 · Documentation medium

File: AmazonS3/latest/userguide/directory-buckets-objects-lifecycle.md

Summary

Added documentation about required permissions for S3 Lifecycle operations in directory buckets, including explicit CreateSession permissions for the S3 Lifecycle service principal.

Security assessment

The changes explicitly document required permissions (s3express:CreateSession with ReadWrite mode) for S3 Lifecycle to function in directory buckets. This enhances security documentation by clarifying access controls but doesn't address a specific vulnerability. The addition of AbortMultipartUpload to the API operations list further improves accuracy of security-related operations.

Diff

diff --git a/AmazonS3/latest/userguide/directory-buckets-objects-lifecycle.md b/AmazonS3/latest/userguide/directory-buckets-objects-lifecycle.md
index 02cf015ec..e1a0037a8 100644
--- a//AmazonS3/latest/userguide/directory-buckets-objects-lifecycle.md
+++ b//AmazonS3/latest/userguide/directory-buckets-objects-lifecycle.md
@@ -19 +19 @@ When you add a Lifecycle configuration to a bucket, the configuration rules appl
-For objects in directory buckets, you can create lifecycle rules to expire objects and delete incomplete multipart uploads. However, S3 Lifecycle for directory buckets doesn't support transition actions between storage classes. 
+For objects in directory buckets, you can create lifecycle rules to expire objects and delete incomplete multipart uploads. However, S3 Lifecycle for directory buckets doesn't support transition actions between storage classes. S3 Lifecycle for directory buckets requires you to grant explicit permissions to the S3 Lifecycle service principal. 
@@ -21 +21 @@ For objects in directory buckets, you can create lifecycle rules to expire objec
-**CreateSession**
+### S3 Lifecycle permissions
@@ -23 +23 @@ For objects in directory buckets, you can create lifecycle rules to expire objec
-Lifecycle uses public `DeleteObject` and `DeleteObjects` API operations to expire objects in directory buckets. To use these API operations, S3 Lifecycle will use the `CreateSession` API to establish temporary security credentials to access the objects in the directory buckets. For more information, see [`CreateSession`in the _Amazon S3 API Reference_.](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html)
+S3 Lifecycle uses the `DeleteObject`, `DeleteObjects`, and `AbortMultipartUpload` API operations to expire objects in directory buckets. To call these operations, S3 Lifecycle uses the `CreateSession` API to obtain temporary security credentials. You must grant the `s3express:CreateSession` permission with `ReadWrite` session mode to the S3 Lifecycle service principal (`lifecycle.s3.amazonaws.com`). If you don't grant this permission, or if an active policy explicitly denies delete permissions to the S3 Lifecycle service principal, S3 Lifecycle cannot expire objects in your directory bucket. For more information about `CreateSession`, see [CreateSession in the _Amazon S3 API Reference_](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html). 
@@ -25,3 +25 @@ Lifecycle uses public `DeleteObject` and `DeleteObjects` API operations to expir
-If you have an active policy that denies delete permissions to the lifecycle principal, this will prevent you from allowing S3 Lifecycle to delete objects on your behalf. 
-
-### Using a bucket policy to Grant permissions to the S3 Lifecycle service principal
+### Using a bucket policy to grant permissions to the S3 Lifecycle service principal
@@ -31 +29 @@ The following bucket policy grants the S3 Lifecycle service principal permission
-###### Example– Bucket policy to allow `CreateSession` calls with an explicit `ReadWrite` session mode for lifecycle operations
+###### Example Bucket policy to allow `CreateSession` with an explicit `ReadWrite` session mode for lifecycle operations