AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2025-08-13 · Security-related medium

File: AmazonS3/latest/userguide/configure-inventory.md

Summary

Added guidance to use GetBucketEncryption API for verifying bucket encryption settings when troubleshooting S3 Inventory access issues

Security assessment

The change addresses potential access issues caused by SSE-KMS encryption misconfigurations. It provides explicit security-related guidance about encryption key requirements, which helps prevent unintended data access issues.

Diff

diff --git a/AmazonS3/latest/userguide/configure-inventory.md b/AmazonS3/latest/userguide/configure-inventory.md
index e9634bc16..5011e933b 100644
--- a//AmazonS3/latest/userguide/configure-inventory.md
+++ b//AmazonS3/latest/userguide/configure-inventory.md
@@ -70 +70 @@ The destination bucket that stores the inventory list file can be owned by a dif
-If you can’t access your S3 Inventory report, check whether the destination bucket has the default SSE-KMS encryption enabled. If no KMS key ARN has been specified and the default encryption settings are being used, you won’t be able to access your S3 Inventory report. To access your inventory report, either provide a KMS key ARN in the S3 Inventory configuration or in the destination bucket’s encryption settings.
+If you can’t access your S3 Inventory report, use the [GetBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html) API, and check whether the destination bucket has the default SSE-KMS encryption enabled. If no KMS key ARN has been specified and the default encryption settings are being used, you won’t be able to access your S3 Inventory report. To access S3 Inventory reports again, either provide a KMS key ARN in the S3 Inventory configuration or in the destination bucket’s encryption settings.