AWS Security ChangesHomeSearch

AWS AmazonRDS low security documentation change

Service: AmazonRDS · 2025-10-25 · Security-related low

File: AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.md

Summary

Updated limitations section to clarify SSE-KMS support through S3 bucket default encryption when using @enable_bucket_default_encryption=1

Security assessment

Explicitly documents support for SSE-KMS encryption when using bucket default encryption configuration, clarifying encryption options for backups. This helps users properly configure encryption for regulatory compliance.

Diff

diff --git a/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.md b/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.md
index 3eb675404..8b678a024 100644
--- a//AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.md
+++ b//AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.md
@@ -179 +179,5 @@ The following are some limitations to using native backup and restore:
-  * Amazon S3 server-side encryption with AWS KMS (SSE-KMS) is currently not supported. When you provide a KMS key to a stored procedure, any native backup and restores are encrypted and decrypted on the client-side with the KMS key. AWS stores the backups in the S3 bucket with SSE-S3.
+  * Amazon S3 server-side encryption with AWS KMS (SSE-KMS) is supported through your S3 bucket's default encryption configuration when you pass `@enable_bucket_default_encryption=1` to the backup stored procedure. By default, the restore supports the S3 object's server-side encryption.
+
+When you provide a KMS key to a stored procedure, any native backup and restores are encrypted and decrypted on the client-side with the KMS key. AWS stores the backups in the S3 bucket with SSE-S3 when `@enable_bucket_default_encryption=0` or with your S3 bucket's configured default encryption key when `@enable_bucket_default_encryption=1`.
+
+  * When using S3 Access Points, the access point cannot be configured to use an RDS internal VPC.