AWS Security ChangesHomeSearch

AWS amazondynamodb medium security documentation change

Service: amazondynamodb · 2026-07-13 · Security-related medium

File: amazondynamodb/latest/developerguide/S3DataExport_Requesting.md

Summary

Added cross-account export requirements and IAM role guidance

Security assessment

The change addresses potential authorization vulnerabilities by clarifying that exports must originate from the table's account, preventing cross-account privilege escalation. It explicitly documents security controls for cross-account data access.

Diff

diff --git a/amazondynamodb/latest/developerguide/S3DataExport_Requesting.md b/amazondynamodb/latest/developerguide/S3DataExport_Requesting.md
index 02e688c26..9d916a2a8 100644
--- a//amazondynamodb/latest/developerguide/S3DataExport_Requesting.md
+++ b//amazondynamodb/latest/developerguide/S3DataExport_Requesting.md
@@ -113,0 +114,4 @@ Revoking these permissions while an export is in progress will result in partial
+You must call `ExportTableToPointInTime` as a principal in the same AWS account as the source table. Although the destination bucket can belong to a different account (as described earlier), the export request itself must originate from the table's account. A request made from a different account fails with a `ValidationException`: "This action is only supported by accounts that match the resource owner's account." To export a table that is owned by another account, assume an IAM role in the table's account and make the export request with that role's credentials. When that role writes to a bucket in a different account, include the bucket owner and grant the role write access in the bucket policy as described above.
+
+###### Note
+