AWS AmazonS3 medium security documentation change
Summary
Added AWS KMS key policy requirements to replication failure reason documentation
Security assessment
Explicitly documents required KMS permissions (kms:Decrypt and kms:GenerateDataKey*) for replication roles. This addresses potential security misconfigurations where improper KMS key policies could block replication and cause data consistency issues.
Diff
diff --git a/AmazonS3/latest/userguide/replication-metrics-events.md b/AmazonS3/latest/userguide/replication-metrics-events.md index 4ec489e2f..8e23eb672 100644 --- a//AmazonS3/latest/userguide/replication-metrics-events.md +++ b//AmazonS3/latest/userguide/replication-metrics-events.md @@ -108 +108 @@ Replication failure reason | Description -`DstPutObjectNotPermitted` | Amazon S3 is unable to replicate objects to the destination bucket. The `s3:ReplicateObject` or `s3:ObjectOwnerOverrideToBucketOwner` permissions might be missing for the destination bucket. +`DstPutObjectNotPermitted` | Amazon S3 is unable to replicate objects to the destination bucket. This can occur when required permissions (`s3:ReplicateObject` or `s3:ObjectOwnerOverrideToBucketOwner` permissions) are missing for the destination bucket or when the AWS KMS key policy doesn't allow the source bucket's replication role to use the AWS KMS key (`kms:Decrypt` and `kms:GenerateDataKey*` actions) at the destination bucket.