Change the wording - from "make objects more accessible than the Bucket itself" to "grant read/write object access to IAM principals in other accounts".
skinny85 committed Feb 8, 2021
1 parent 32391ea commit aaa51d3
Showing 3 changed files with 4 additions and 4 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -99,7 +99,7 @@ used by CDK Pipelines) must upgrade their bootstrap stacks. Run `cdk bootstrap`.

* **s3-deployment**: This version includes an important update, please upgrade to prevent deployment failure. This is in prepartion of Lambda deprecation of the request module in boto, more details are available in [AWS blog](https://aws.amazon.com/blogs/compute/upcoming-changes-to-the-python-sdk-in-aws-lambda/). Note, users of versions < `1.81.0` will not be impacted by this deprecation, but are still encouraged to upgrade to the latest version.
* **s3**: The `grantWrite()` and `grantReadWrite()` methods no longer add the `s3:PutObject*` permissions that included `s3:PutObjectAcl`,
which could be used to make objects more accessible than the Bucket itself.
which could be used to grant read/write object access to IAM principals in other accounts.
This change is gated behind the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag,
so make sure to set it to `true` in the `context` key of your `cdk.json` file when upgrading.
If you still need the principal to have `s3:PutObjectAcl` permissions after upgrading,
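Review bot: the replacement line ("which could be used to grant read/write object access to IAM principals in other accounts") is less precise than what `s3:PutObjectAcl` actually permits: an object ACL names AWS accounts by canonical ID or the predefined groups (AllUsers, AuthenticatedUsers), not IAM principals, and the concrete hazard is a writer applying a canned ACL such as `public-read` so the object becomes readable beyond what the bucket policy allows. Suggest wording along the lines of `which could be used to grant other AWS accounts, or anonymous users, access to objects the principal writes`. While touching this entry, the unchanged context line above still carries the typo `prepartion`.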
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-s3/lib/bucket.ts
Expand Up @@ -148,7 +148,7 @@ export interface IBucket extends IResource {
* of written files will also be granted to the same principal.
*
* Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
* which could be used to make objects more accessible than the Bucket itself.
* which could be used to grant read/write object access to IAM principals in other accounts.
* If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
* and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
* in the `context` key of your cdk.json file.
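Review bot: the same precision point applies to `* which could be used to grant read/write object access to IAM principals in other accounts.`: object ACLs grant to AWS accounts (canonical IDs) or to the AllUsers/AuthenticatedUsers groups rather than to IAM principals, and the case users most need warned about is a canned `public-read` ACL making the written object world-readable. Suggest saying "other AWS accounts or anonymous users" so readers of the `grantWrite()` API docs see that the exposure can be public, not merely cross-account. The following lines are right to stress that upgrading alone changes nothing until `@aws-cdk/aws-s3:grantWriteWithoutAcl` is set to `true`.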
Expand Down Expand Up @@ -199,7 +199,7 @@ export interface IBucket extends IResource {
* encrypt/decrypt will also be granted.
*
* Before CDK version 1.85.0, this method granted the `s3:PutObject*` permission that included `s3:PutObjectAcl`,
* which could be used to make objects more accessible than the Bucket itself.
* which could be used to grant read/write object access to IAM principals in other accounts.
* If you want to get rid of that behavior, update your CDK version to 1.85.0 or later,
* and make sure the `@aws-cdk/aws-s3:grantWriteWithoutAcl` feature flag is set to `true`
* in the `context` key of your cdk.json file.
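Review bot: this paragraph is now a verbatim copy of the one in the `grantWrite()` docstring above; consider keeping the explanation in one place (the feature flag's own doc comment) and pointing both methods at it, so the next wording fix touches a single line. It would also help callers of `grantReadWrite()` to state that `s3:PutObject*` matched more than `s3:PutObjectAcl`: the wildcard also covered `s3:PutObjectVersionAcl`, `s3:PutObjectTagging`, `s3:PutObjectVersionTagging`, `s3:PutObjectRetention` and `s3:PutObjectLegalHold`, so code relying on tagging or Object Lock writes will need those actions granted explicitly once the flag is enabled, unless the narrowed grant adds them back.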
2 changes: 1 addition & 1 deletion packages/@aws-cdk/cx-api/lib/features.ts
Expand Up @@ -83,7 +83,7 @@ export const KMS_DEFAULT_KEY_POLICIES = '@aws-cdk/aws-kms:defaultKeyPolicies';
/**
* Change the old 's3:PutObject*' permission to 's3:PutObject' on Bucket,
* as the former includes 's3:PutObjectAcl',
* which allows changing the visibility of an object written to the Bucket.
* which could be used to grant read/write object access to IAM principals in other accounts.
* Use a feature flag to make sure existing customers who might be relying
* on the overly-broad permissions are not broken.
*/
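Review bot: the removed line `which allows changing the visibility of an object written to the Bucket` named the actual effect (an object ACL can make the object public), while the replacement only mentions access for other accounts; since this comment is the canonical explanation of why the flag exists, suggest combining both, e.g. `which lets the writer attach an ACL exposing the object to other AWS accounts or to the public, beyond what the bucket policy allows`. Minor: action names here are in single quotes ('s3:PutObject*') whereas the bucket.ts docs use backticks; pick one style for both.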
