AWS AWSCloudFormation documentation change
Summary
Added BlockedEncryptionTypes property documentation for preventing SSE-C encrypted object uploads
Security assessment
Documents new security control feature to block SSE-C encryption but doesn't address specific vulnerabilities
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-serversideencryptionrule.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-serversideencryptionrule.md index ed3732a78..afbe9b780 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-serversideencryptionrule.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-serversideencryptionrule.md @@ -27,0 +28 @@ To declare this entity in your CloudFormation template, use the following syntax + "BlockedEncryptionTypes" : [BlockedEncryptionTypes](./aws-properties-s3-bucket-blockedencryptiontypes.html), @@ -35,0 +37,2 @@ To declare this entity in your CloudFormation template, use the following syntax + BlockedEncryptionTypes: + [BlockedEncryptionTypes](./aws-properties-s3-bucket-blockedencryptiontypes.html) @@ -42,0 +46,15 @@ To declare this entity in your CloudFormation template, use the following syntax +`BlockedEncryptionTypes` + + +A bucket-level setting for Amazon S3 general purpose buckets used to prevent the upload of new objects encrypted with the specified server-side encryption type. For example, blocking an encryption type will block `PutObject`, `CopyObject`, `PostObject`, multipart upload, and replication requests to the bucket for objects with the specified encryption type. However, you can continue to read and list any pre-existing objects already encrypted with the specified encryption type. For more information, see [Blocking or unblocking SSE-C for a general purpose bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/blocking-unblocking-s3-c-encryption-gpb.html). + +###### Note + +Currently, this parameter only supports blocking or unblocking server-side encryption with customer-provided keys (SSE-C). For more information about SSE-C, see [Using server-side encryption with customer-provided keys (SSE-C)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html). + +_Required_ : No + + _Type_ : [BlockedEncryptionTypes](./aws-properties-s3-bucket-blockedencryptiontypes.html) + + _Update requires_ : [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) +