AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md

Summary

Editorial updates including grammar fixes, punctuation corrections, and minor wording improvements. Added hyperlinks to s3:authType documentation and adjusted markdown formatting.

Security assessment

Changes are purely editorial (contraction usage, commas, punctuation) and documentation link improvements. No security vulnerabilities, weaknesses, or incidents are addressed. The added s3:authType links provide better reference but don't introduce new security guidance.

Diff

diff --git a/prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md b/prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md
index 168903754..faf3b9dfb 100644
--- a//prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md
+++ b//prescriptive-guidance/latest/presigned-url-best-practices/additional-guardrails.md
@@ -11 +11 @@ Guardrail for s3:signatureAgeResource control policiesGuardrail for s3:authTypeC
-When presigned requests are used appropriately by solution builders and users, they provide a secure mechanism for giving users access to data. In addition, the ability to generate presigned requests doesn’t provide principals with access that they didn’t already have.
+When presigned requests are used appropriately by solution builders and users, they provide a secure mechanism for giving users access to data. In addition, the ability to generate presigned requests doesn't provide principals with access that they didn't already have.
@@ -62 +62 @@ If a solution requires a longer time before expiration and is therefore affected
-If you implement an exception policy by using `aws:PrincipalTag`, you must control access to setting tags on principals. Tags of this type can come directly from principals and can be controlled by an SCP, as in [this example of controlling which tag values can be set](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/data_perimeter_governance_scp.json). A tag of this type can also come from [session tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html), which are set by an identity provider (IdP) or when using AWS STS. Controlling access to `aws:PrincipalTag` is a complex topic. However, an organization that has experience in using [attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) will have the experience and controls to enable the appropriate use of `aws:PrincipalTag` for this use case.
+If you implement an exception policy by using `aws:PrincipalTag`, you must control access to setting tags on principals. Tags of this type can come directly from principals and can be controlled by an SCP, as in [this example of controlling which tag values can be set](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_control_policies/data_perimeter_governance_scp.json). A tag of this type can also come from [session tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html), which are set by an identity provider (IdP) or AWS STS. Controlling access to `aws:PrincipalTag` is a complex topic. However, an organization that has experience in using [attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) will have the experience and controls to enable the appropriate use of `aws:PrincipalTag` for this use case.
@@ -64 +64 @@ If you implement an exception policy by using `aws:PrincipalTag`, you must contr
-In the following example, the `aws:PrincipalTag` condition creates an exception that allows any principal with the named tag (`long-presigned-allowed`) assigned and set to `true`. With this exception the restriction on signature age is not applied.
+In the following example, the `aws:PrincipalTag` condition creates an exception that allows any principal with the named tag (`long-presigned-allowed`) assigned, and set to `true`. With this exception the restriction on signature age is not applied.
@@ -89 +89 @@ In the following example, the `aws:PrincipalTag` condition creates an exception
-You can apply bucket policies to all or selected buckets by using a policy as in the following example. Unlike an SCP, a bucket policy also targets [service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) usage. [Appendix A](./appendix-a.html) doesn’t document any expected service principal usage of presigned requests, but if you wanted to implement a control in order to prove that limit, the following policy would provide that control. Also, unlike an SCP, a bucket policy can apply to principals in your management account.
+You can apply bucket policies to all or selected buckets by using a policy as in the following example. Unlike an SCP, a bucket policy also targets [service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) usage. Appendix A doesn't document any expected service principal usage of presigned requests, but if you wanted to implement a control that for the sake of proving that limit, the following policy would provide that control. Also, unlike an SCP, a bucket policy can apply to principals in your management account. 
@@ -93 +93 @@ ABAC-based exceptions work in bucket policies in the same way as an SCP. A goal
-In the following example, the `aws:PrincipalTag` condition in the first statement creates an exception for a principal with the named tag (`long-presigned-allowed`) assigned and set to `true`. With this exception the restriction on signature age is not applied. The second statement applies this restriction to all principals outside the AWS organization that owns the bucket. The scope of this second statement should match ABAC controls to set the named tag for principals. 
+In the following example, the aws:PrincipalTag condition in the first statement creates an exception for a principal with the named tag (`long-presigned-allowed`) assigned, and set to `true`. With this exception the restriction on signature age is not applied. The second statement applies this restriction to all principals outside the AWS organization that owns the bucket. The scope of this second statement should match ABAC controls to set the named tag for principals.
@@ -134 +134 @@ In the following example, the `aws:PrincipalTag` condition in the first statemen
-You can apply a policy to buckets at scale by using [resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html). Like SCPs and unlike bucket policies, RCPs do not target service principal usage. RCPs affect non-service principals from any account, but they do not affect resources in the management account. For more information, see the [AWS Organizations documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#actions-not-restricted-by-rcps). 
+You can apply a policy to buckets at scale by using [resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html). Like SCPs and unlike bucket policies, RCPs do not target service principal usage. RCPs affect non-service principals from any account, but they do not affect resources in the management account. For more information, see the [AWS Organizations documentation.](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#actions-not-restricted-by-rcps)
@@ -136 +136 @@ You can apply a policy to buckets at scale by using [resource control policies (
-As with bucket policies, if you use `aws:PrincipalTags` to create exceptions for principals, keep in mind the scope of ABAC controls on the tagging of principals. 
+As with bucket policies**,** if you use `aws:PrincipalTags` to create exceptions for principals, keep in mind the scope of ABAC controls on the tagging of principals.
@@ -138 +138 @@ As with bucket policies, if you use `aws:PrincipalTags` to create exceptions for
-The following RCP restricts presigned URL usage across all S3 buckets in an organization by limiting signature age to 15 minutes.
+The following RCP restricts presigned URL usage across all S3 buckets in an organization by limiting signature age to 15 minutes:
@@ -179 +179 @@ The following RCP restricts presigned URL usage across all S3 buckets in an orga
-Presigned URLs use [query string authentication](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html), and presigned POSTs always use [POST authentication](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-authentication-HTTPPOST.html). Amazon S3 supports the denial of requests based on authentication type through the [s3:authType](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html) condition key. `REST-QUERY-STRING` is the `s3:authType` value for query strings, and `POST` is the `s3:authType` value for POST.
+Presigned URLs use [query string authentication](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html), and presigned POSTs always use [POST authentication](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-authentication-HTTPPOST.html). Amazon S3 supports the denial of requests based on authentication type through the [s3:authType](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html) condition key. `REST-QUERY-STRING` is the [s3:authType](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html) value for query strings, and `POST` is the [s3:authType](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html) value for POST.