AWS Security ChangesHomeSearch

AWS transform high security documentation change

Service: transform · 2025-05-28 · Security-related high

File: transform/latest/userguide/data-encryption.md

Summary

Added Important note about S3 bucket created during discovery account connection lacking SecureTransport by default, requiring manual policy update for TLS enforcement.

Security assessment

The change highlights a security-relevant configuration gap where S3 buckets created automatically do not enforce HTTPS by default. This directly addresses a potential data-in-transit security risk by informing users to enable SecureTransport.

Diff

diff --git a/transform/latest/userguide/data-encryption.md b/transform/latest/userguide/data-encryption.md
index 9804e94be..c14350e46 100644
--- a//transform/latest/userguide/data-encryption.md
+++ b//transform/latest/userguide/data-encryption.md
@@ -108 +108,5 @@ This allows AWS Transform to do the following:
-All communication between customers and AWS Transform and between AWS Transform and its downstream dependencies is protected using TLS 1.2 or higher connections. 
+Communication between customers and AWS Transform and between AWS Transform and its downstream dependencies is protected using TLS 1.2 or higher connections.
+
+###### Important
+
+When you [Connect a discovery account](https://docs.aws.amazon.com/transform-vmware-connect-discovery-account.html), AWS Transform creates an Amazon S3 bucket on your behalf in that account. That bucket does not have `SecureTransport` enabled by default. If you want the bucket policy to include secure transport you must update the policy. For more information, see [Security best practices for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html).