AWS AmazonS3 documentation change
Summary
Updated terminology from 'set' to 'update' and added instructions for retroactive SSE-KMS encryption of existing objects via S3 Batch Operations
Security assessment
The documentation now explicitly explains how to enforce stronger encryption (SSE-KMS) on existing objects, which enhances security documentation but does not indicate remediation of a specific security flaw. This provides operational guidance for improved data protection.
Diff
diff --git a/AmazonS3/latest/userguide/specifying-kms-encryption.md b/AmazonS3/latest/userguide/specifying-kms-encryption.md index 1617b5f7a..d4f8b73b6 100644 --- a//AmazonS3/latest/userguide/specifying-kms-encryption.md +++ b//AmazonS3/latest/userguide/specifying-kms-encryption.md @@ -7 +7 @@ -All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 `PUT` requests, or you can set the default encryption configuration in the destination bucket. +All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 `PUT` requests, or you can update the default encryption configuration in the destination bucket. @@ -11 +11,3 @@ If you want to specify a different encryption type in your `PUT` requests, you c -You can apply encryption when you are either uploading a new object or copying an existing object. +For more information about changing the default encryption configuration for your general purpose buckets, see [Configuring default encryption](./default-bucket-encryption.html). + +When you change the default encryption configuration of your bucket to SSE-KMS, the encryption type of the existing Amazon S3 objects in the bucket is not changed. To change the encryption type of your pre-existing objects after updating the default encryption configuration to SSE-KMS, you can use Amazon S3 Batch Operations. You provide S3 Batch Operations with a list of objects, and Batch Operations calls the respective API operation. You can use the [Copy objects](./batch-ops-copy-object.html) action to copy existing objects, which writes them back to the same bucket as SSE-KMS encrypted objects. A single Batch Operations job can perform the specified operation on billions of objects. For more information, see [Performing object operations in bulk with Batch Operations](./batch-ops.html) and the _AWS Storage Blog_ post [How to retroactively encrypt existing objects in Amazon S3 using S3 Inventory, Amazon Athena, and S3 Batch Operations](https://aws.amazon.com/blogs/security/how-to-retroactively-encrypt-existing-objects-in-amazon-s3-using-s3-inventory-amazon-athena-and-s3-batch-operations/).