AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-06-10 · Documentation low

File: AmazonS3/latest/userguide/serv-side-encryption.md

Summary

Updated terminology from 'set' to 'update' regarding encryption configuration and added guidance about retroactively encrypting existing objects with SSE-KMS using S3 Batch Operations

Security assessment

The change adds documentation about using S3 Batch Operations to re-encrypt existing objects with SSE-KMS, which improves security posture but does not address a specific disclosed vulnerability. The update clarifies security best practices for encryption management.

Diff

diff --git a/AmazonS3/latest/userguide/serv-side-encryption.md b/AmazonS3/latest/userguide/serv-side-encryption.md
index 14bce6822..715cdd61a 100644
--- a//AmazonS3/latest/userguide/serv-side-encryption.md
+++ b//AmazonS3/latest/userguide/serv-side-encryption.md
@@ -13 +13 @@ Server-side encryption is the encryption of data at its destination by the appli
-All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 `PUT` requests, or you can set the default encryption configuration in the destination bucket. 
+All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 `PUT` requests, or you can update the default encryption configuration in the destination bucket. 
@@ -16,0 +17,4 @@ If you want to specify a different encryption type in your `PUT` requests, you c
+For more information about changing the default encryption configuration for your general purpose buckets, see [Configuring default encryption](./default-bucket-encryption.html). 
+
+When you change the default encryption configuration of your bucket to SSE-KMS, the encryption type of the existing Amazon S3 objects in the bucket is not changed. To change the encryption type of your pre-existing objects after updating the default encryption configuration to SSE-KMS, you can use Amazon S3 Batch Operations. You provide S3 Batch Operations with a list of objects, and Batch Operations calls the respective API operation. You can use the [Copy objects](./batch-ops-copy-object.html) action to copy existing objects, which writes them back to the same bucket as SSE-KMS encrypted objects. A single Batch Operations job can perform the specified operation on billions of objects. For more information, see [Performing object operations in bulk with Batch Operations](./batch-ops.html) and the _AWS Storage Blog_ post [How to retroactively encrypt existing objects in Amazon S3 using S3 Inventory, Amazon Athena, and S3 Batch Operations](https://aws.amazon.com/blogs/security/how-to-retroactively-encrypt-existing-objects-in-amazon-s3-using-s3-inventory-amazon-athena-and-s3-batch-operations/). 
+