AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-04-18 · Documentation low

File: AmazonS3/latest/userguide/metadata-tables-permissions.md

Summary

Added required KMS permissions and service principal access for SSE-KMS encrypted S3 Tables

Security assessment

Documents necessary permissions for encryption key management but does not indicate a resolved security vulnerability. Improves clarity for secure configuration.

Diff

diff --git a/AmazonS3/latest/userguide/metadata-tables-permissions.md b/AmazonS3/latest/userguide/metadata-tables-permissions.md
index 475e01a63..7b5e275d7 100644
--- a//AmazonS3/latest/userguide/metadata-tables-permissions.md
+++ b//AmazonS3/latest/userguide/metadata-tables-permissions.md
@@ -37 +37,6 @@ For detailed information about all table and table bucket permissions, see [Acce
-If you also want to integrate your table bucket with AWS analytics services so that you can query your metadata table, you need additional permissions. For more information, see [ Integrating Amazon S3 Tables with AWS analytics services](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html).
+  * If you also want to integrate your table bucket with AWS analytics services so that you can query your metadata table, you need additional permissions. For more information, see [ Integrating Amazon S3 Tables with AWS analytics services](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html).
+
+  * If your table bucket is using server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) you also need `kms:GenerateDataKey` and `kms:Decrypt` permissions. Additionally you need to grant permission for the `metadata.s3.amazonaws.com` and `maintenance.s3tables.amazonaws.com` service principals to access your KMS key. For more information, see [ Granting the S3 Metadata service principal permissions to use your KMS key ](./s3-tables-kms-permissions.html#tables-kms-metadata-permissions).
+
+
+