AWS AmazonS3 documentation change
Summary
Clarified process for updating default encryption configuration and added guidance about retroactively encrypting existing objects using S3 Batch Operations when switching to SSE-KMS
Security assessment
The change adds documentation about maintaining encryption consistency when changing default configurations, specifically addressing how to re-encrypt existing objects after switching to SSE-KMS. While this improves security practices by ensuring comprehensive encryption coverage, there is no evidence of addressing a specific existing vulnerability.
Diff
diff --git a/AmazonS3/latest/userguide/specifying-s3-encryption.md b/AmazonS3/latest/userguide/specifying-s3-encryption.md index 650415c88..f569f25cd 100644 --- a//AmazonS3/latest/userguide/specifying-s3-encryption.md +++ b//AmazonS3/latest/userguide/specifying-s3-encryption.md @@ -7 +7 @@ -All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 `PUT` requests, or you can set the default encryption configuration in the destination bucket. +All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 `PUT` requests, or you can update the default encryption configuration in the destination bucket. @@ -10,0 +11,4 @@ If you want to specify a different encryption type in your `PUT` requests, you c +For more information about changing the default encryption configuration for your general purpose buckets, see [Configuring default encryption](./default-bucket-encryption.html). + +When you change the default encryption configuration of your bucket to SSE-KMS, the encryption type of the existing Amazon S3 objects in the bucket is not changed. To change the encryption type of your pre-existing objects after updating the default encryption configuration to SSE-KMS, you can use Amazon S3 Batch Operations. You provide S3 Batch Operations with a list of objects, and Batch Operations calls the respective API operation. You can use the [Copy objects](./batch-ops-copy-object.html) action to copy existing objects, which writes them back to the same bucket as SSE-KMS encrypted objects. A single Batch Operations job can perform the specified operation on billions of objects. For more information, see [Performing object operations in bulk with Batch Operations](./batch-ops.html) and the _AWS Storage Blog_ post [How to retroactively encrypt existing objects in Amazon S3 using S3 Inventory, Amazon Athena, and S3 Batch Operations](https://aws.amazon.com/blogs/security/how-to-retroactively-encrypt-existing-objects-in-amazon-s3-using-s3-inventory-amazon-athena-and-s3-batch-operations/). +