AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2025-05-31 · Security-related medium

File: AmazonS3/latest/userguide/replication-metrics-events.md

Summary

Added AWS KMS key policy requirements to replication failure reason documentation

Security assessment

Explicitly documents required KMS permissions (kms:Decrypt and kms:GenerateDataKey*) for replication roles. This addresses potential security misconfigurations where improper KMS key policies could block replication and cause data consistency issues.

Diff

diff --git a/AmazonS3/latest/userguide/replication-metrics-events.md b/AmazonS3/latest/userguide/replication-metrics-events.md
index 4ec489e2f..8e23eb672 100644
--- a//AmazonS3/latest/userguide/replication-metrics-events.md
+++ b//AmazonS3/latest/userguide/replication-metrics-events.md
@@ -108 +108 @@ Replication failure reason | Description
-`DstPutObjectNotPermitted` | Amazon S3 is unable to replicate objects to the destination bucket. The `s3:ReplicateObject` or `s3:ObjectOwnerOverrideToBucketOwner` permissions might be missing for the destination bucket.  
+`DstPutObjectNotPermitted` | Amazon S3 is unable to replicate objects to the destination bucket. This can occur when required permissions (`s3:ReplicateObject` or `s3:ObjectOwnerOverrideToBucketOwner` permissions) are missing for the destination bucket or when the AWS KMS key policy doesn't allow the source bucket's replication role to use the AWS KMS key (`kms:Decrypt` and `kms:GenerateDataKey*` actions) at the destination bucket.