aws-samples · SwaraGandhi · Mar 31, 2025 · Mar 10, 2025 · Mar 13, 2025 · Mar 13, 2025
diff --git a/Service-specific-controls/S3-Prevent-long-term-presigned-url.json b/Service-specific-controls/S3-Prevent-long-term-presigned-url.json
@@ -0,0 +1,18 @@
+{
+   "Version": "2012-10-17",
+   "Statement": [
+      {
+         "Effect": "Deny",
+         "Principal": "*",
+         "Action": "s3:*",
+         "Resource": "*",
+         "Condition": {
+            "NumericGreaterThan": {
+               "s3:signatureAge": [
+                  "[MAX_SIGNATURE_AGE_IN_MILLISECONDS]"
+               ]
+            }
+         }
+      }
+   ]
+}
diff --git a/Service-specific-controls/Service-specific-controls.md b/Service-specific-controls/Service-specific-controls.md
@@ -13,6 +13,7 @@
 |Amazon Simple Storage Service (S3)|[Deny users from modifying S3 Block Public Access (Account-Level)](S3-Deny-users-from-modifying-S3-Block-Public-Access-(Account-Level).json) |Deny users or roles in any affected account from modifying the S3 Block Public Access Account level settings.Note: When you apply block public access settings to an account, the settings apply to all AWS Regions globally. This control can be implemented using either SCP or RCP.|
 |Amazon Simple Storage Service (S3)|[Prevent S3 buckets from being made public (Bucket level)](S3-Prevent-S3-buckets-from-being-made-public-(Bucket-level).json) |Deny users or roles in any affected account from modifying the S3 Block Public Access bucket level settings. This control can be implemented using either SCP or RCP.|
 |Amazon Simple Storage Service (S3)|[Prevents usage of customer-provided encryption keys (SSE-C) for S3 buckets (Bucket level)](S3-Deny-SSE-C.json) |Deny the use of customer-provided encryption keys (SSE-C) across the organization. This security measure helps ensure all S3 bucket encryption remains under organizational control by denying the use of S3 with SSE-C.|
+|Amazon Simple Storage Service (S3)|[Prevents long term presigned URLs](S3-Prevent-long-term-presigned-url.json) |Deny the use of presigned URL with a signature age greater than the configured expiration time.|
 |AWS Key Management Service (KMS)|[Require an AWS Key Management Service key policy limiting creation of AWS KMS grants to AWS services](KMS-Require-an-AWS-Key-Management-Service-key-policy-limiting-creation-of-AWS-KMS-grants-to-AWS-services.json) |Prevent grants from being assigned directly to principals other than AWS service principals to reduce the opportunities for grant misuse.|
 |AWS Key Management Service (KMS)|[Deny AWS Key Management Service asymmetric key with RSA key material with key length of 2048 bits](KMS-Deny-AWS-Key-Management-Service-asymmetric-key-with-RSA-key-material-used-for-encryption-with-key-length-of-2048-bits.json) |Stronger RSA keys (3072-bit or 4096-bit) are recommended to provide better security.|
 |AWS Key Management Service (KMS)|[Require that an AWS KMS key is configured with the bypass policy lockout safety check enabled](KMS-Require-that-an-AWS-KMS-key-is-configured-with-the-bypass-policy-lockout-safety-check-enabled.json) |Deny bypassing the KMS key policy lockout safety check when creating a KMS key or updating its key policy, because bypassing this check increases the risk that a KMS key becomes unmanageable.|