AWS AmazonS3 high security documentation change
Summary
Added notice about SSE-C encryption being disabled by default for new buckets in 2026, requiring explicit enablement via PutBucketEncryption API
Security assessment
The change directly addresses encryption configuration defaults and requires explicit action to maintain SSE-C functionality, indicating a security-related policy update to reduce default exposure of encryption methods. This impacts security by deprecating a less secure default configuration.
Diff
diff --git a/AmazonS3/latest/userguide/serv-side-encryption.md b/AmazonS3/latest/userguide/serv-side-encryption.md index 5081f00e8..785876a14 100644 --- a//AmazonS3/latest/userguide/serv-side-encryption.md +++ b//AmazonS3/latest/userguide/serv-side-encryption.md @@ -8,0 +9,4 @@ +Starting in April 2026, AWS will disable server-side encryption with customer-provided keys (SSE-C) for all new buckets. In addition, SSE-C encryption will be disabled for all existing buckets in AWS accounts that do not have any SSE-C encrypted data. With these changes, the few applications that need SSE-C encryption must deliberately enable the use SSE-C via the [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html) API after creating the bucket. In these cases, you might need to update automation scripts, CloudFormation templates, or other infrastructure configuration tools to configure these settings. For more information, see the [AWS Storage Blog post](https://aws.amazon.com/blogs/storage/advanced-notice-amazon-s3-to-disable-the-use-of-sse-c-encryption-by-default-for-all-new-buckets-and-select-existing-buckets-in-april-2026/). + +###### Important +