AWS Security ChangesHomeSearch

AWS AmazonS3 high security documentation change

Service: AmazonS3 · 2025-11-22 · Security-related high

File: AmazonS3/latest/userguide/security-best-practices.md

Summary

Added section about disabling SSE-C and encryption best practices

Security assessment

Provides new security guidance about limiting SSE-C usage and configuring bucket encryption policies to block insecure practices.

Diff

diff --git a/AmazonS3/latest/userguide/security-best-practices.md b/AmazonS3/latest/userguide/security-best-practices.md
index ddba610bd..d71c81a87 100644
--- a//AmazonS3/latest/userguide/security-best-practices.md
+++ b//AmazonS3/latest/userguide/security-best-practices.md
@@ -8,0 +9,4 @@ Amazon S3 security best practicesAmazon S3 monitoring and auditing best practice
+###### Important
+
+Starting in April 2026, AWS will disable server-side encryption with customer-provided keys (SSE-C) for all new buckets. In addition, SSE-C encryption will be disabled for all existing buckets in AWS accounts that do not have any SSE-C encrypted data. With these changes, the few applications that need SSE-C encryption must deliberately enable the use SSE-C via the [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html) API after creating the bucket. In these cases, you might need to update automation scripts, CloudFormation templates, or other infrastructure configuration tools to configure these settings. For more information, see the [AWS Storage Blog post](https://aws.amazon.com/blogs/storage/advanced-notice-amazon-s3-to-disable-the-use-of-sse-c-encryption-by-default-for-all-new-buckets-and-select-existing-buckets-in-april-2026/).
+
@@ -99,0 +104,11 @@ For more information, see [Identity and Access Management for Amazon S3](./secur
+Disable server-side encryption with customer-provided keys (SSE-C) to your buckets**
+    
+
+Most modern use cases in Amazon S3 no longer use SSE-C because it lacks the flexibility of server-side encryption with Amazon S3 managed keys (SSE-S3) or server-side encryption with AWS KMS keys (SSE-KMS). SSE-C's requirement to provide the encryption key each time you interact with your SSE-C encrypted data makes it impractical to share your SSE-C key with other users, roles, or AWS services who read data from your S3 buckets in order to operate on your data.
+
+To limit the server-side encryption types you can use in your general purpose buckets, you can choose to block SSE-C write requests by updating your default encryption configuration for your buckets. This bucket-level configuration blocks requests to upload objects that specify SSE-C. When SSE-C is blocked for a bucket, any `PutObject`, `CopyObject`, `PostObject`, or Multipart Upload or replication requests that specify SSE-C encryption will be rejected with an `HTTP 403 AccessDenied` error. 
+
+To learn more about blocking SSE-C, see [Blocking or unblocking SSE-C for a general purpose bucket](./blocking-unblocking-s3-c-encryption-gpb.html).
+
+**
+
@@ -312 +327 @@ When you create a trail, you can configure CloudTrail to log data events. Data e
-AWS Config provides a managed rule (`cloudtrail-s3-dataevents-enabled`) that you can use to confirm that at least one CloudTrail trail is logging data events for your S3 buckets. For more information, see [cloudtrail-s3-dataevents-enabled](https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-s3-dataevents-enabled.html) in the _AWS Config Developer Guide_.
+AWS Config provides a managed rule (`cloudtrail-s3-dataevents-enabled`) that you can use to confirm that at least one CloudTrail trail is logging data events for your S3 buckets. For more information, see [cloudtrail-s3-dataevents-enabled](https://docs.aws.amazon.com//config/latest/developerguide/cloudtrail-s3-dataevents-enabled.html) in the _AWS Config Developer Guide_.
@@ -334 +349 @@ Using AWS Config can help you simplify compliance auditing, security analysis, c
-AWS Config managed rules only supports general purpose buckets when evaluating Amazon S3 resources. AWS Config doesn’t record configuration changes for directory buckets. For more information, see [AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html) and [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) in the _AWS Config Developer Guide_.
+AWS Config managed rules only supports general purpose buckets when evaluating Amazon S3 resources. AWS Config doesn’t record configuration changes for directory buckets. For more information, see [AWS Config Managed Rules](https://docs.aws.amazon.com//config/latest/developerguide/evaluate-config_use-managed-rules.html) and [List of AWS Config Managed Rules](https://docs.aws.amazon.com//config/latest/developerguide/managed-rules-by-aws-config.html) in the _AWS Config Developer Guide_.