AWS Security ChangesHomeSearch

AWS AmazonS3 high security documentation change

Service: AmazonS3 · 2025-08-28 · Security-related high

File: AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.md

Summary

Removed a JSON bucket policy example enforcing SSE-KMS encryption for directory buckets

Security assessment

The deleted policy explicitly enforced encryption (via Deny rule if SSE-KMS is not used). Removing this example could lead to insecure configurations where objects are stored without encryption, constituting a security risk. The removal eliminates guidance for a critical security control.

Diff

diff --git a/AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.md b/AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.md
index 8dd49fe54..956ec3578 100644
--- a//AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.md
+++ b//AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.md
@@ -78,28 +77,0 @@ To require SSE-KMS of all objects in a particular directory bucket, you can use
-JSON
-    
-
-****
-    
-    
-    
-    {
-       "Version":"2012-10-17",
-       "Id":"UploadObjectPolicy",
-       "Statement":[{
-             "Sid":"DenyObjectsThatAreNotSSEKMS",
-             "Effect":"Deny",
-             "Principal":"*",
-             "Action":"s3express:CreateSession",
-             "Resource":"arn:aws:s3express:aws-region:111122223333:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3/*",
-             "Condition":{
-                "Null":{
-                   "s3express:x-amz-server-side-encryption-aws-kms-key-id":"true"
-                }
-             }
-          }
-       ]
-    }
-    
-    
-    
-