AWS AmazonS3 documentation change
Summary
Added guidance about retroactive encryption of existing objects when changing default encryption to SSE-KMS using Batch Operations
Security assessment
The change provides operational documentation about encryption management but does not address a specific security vulnerability. It enhances security documentation by explaining how to enforce stronger encryption standards.
Diff
diff --git a/AmazonS3/latest/userguide/UsingEncryption.md b/AmazonS3/latest/userguide/UsingEncryption.md index ce8f2cfbb..83d106d30 100644 --- a//AmazonS3/latest/userguide/UsingEncryption.md +++ b//AmazonS3/latest/userguide/UsingEncryption.md @@ -15 +15 @@ Data protection refers to protecting data while it's in transit (as it travels t -All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 `PUT` requests, or you can set the default encryption configuration in the destination bucket. +All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 `PUT` requests, or you can update the default encryption configuration in the destination bucket. @@ -18,0 +19,4 @@ If you want to specify a different encryption type in your `PUT` requests, you c +For more information about changing the default encryption configuration for your general purpose buckets, see [Configuring default encryption](./default-bucket-encryption.html). + +When you change the default encryption configuration of your bucket to SSE-KMS, the encryption type of the existing Amazon S3 objects in the bucket is not changed. To change the encryption type of your pre-existing objects after updating the default encryption configuration to SSE-KMS, you can use Amazon S3 Batch Operations. You provide S3 Batch Operations with a list of objects, and Batch Operations calls the respective API operation. You can use the [Copy objects](./batch-ops-copy-object.html) action to copy existing objects, which writes them back to the same bucket as SSE-KMS encrypted objects. A single Batch Operations job can perform the specified operation on billions of objects. For more information, see [Performing object operations in bulk with Batch Operations](./batch-ops.html) and the _AWS Storage Blog_ post [How to retroactively encrypt existing objects in Amazon S3 using S3 Inventory, Amazon Athena, and S3 Batch Operations](https://aws.amazon.com/blogs/security/how-to-retroactively-encrypt-existing-objects-in-amazon-s3-using-s3-inventory-amazon-athena-and-s3-batch-operations/). +