AWS Security ChangesHomeSearch

AWS AmazonS3 high security documentation change

Service: AmazonS3 · 2025-11-22 · Security-related high

File: AmazonS3/latest/userguide/serv-side-encryption.md

Summary

Added notice about SSE-C encryption being disabled by default for new buckets in 2026, requiring explicit enablement via PutBucketEncryption API

Security assessment

The change directly addresses encryption configuration defaults and requires explicit action to maintain SSE-C functionality, indicating a security-related policy update to reduce default exposure of encryption methods. This impacts security by deprecating a less secure default configuration.

Diff

diff --git a/AmazonS3/latest/userguide/serv-side-encryption.md b/AmazonS3/latest/userguide/serv-side-encryption.md
index 5081f00e8..785876a14 100644
--- a//AmazonS3/latest/userguide/serv-side-encryption.md
+++ b//AmazonS3/latest/userguide/serv-side-encryption.md
@@ -8,0 +9,4 @@
+Starting in April 2026, AWS will disable server-side encryption with customer-provided keys (SSE-C) for all new buckets. In addition, SSE-C encryption will be disabled for all existing buckets in AWS accounts that do not have any SSE-C encrypted data. With these changes, the few applications that need SSE-C encryption must deliberately enable the use SSE-C via the [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html) API after creating the bucket. In these cases, you might need to update automation scripts, CloudFormation templates, or other infrastructure configuration tools to configure these settings. For more information, see the [AWS Storage Blog post](https://aws.amazon.com/blogs/storage/advanced-notice-amazon-s3-to-disable-the-use-of-sse-c-encryption-by-default-for-all-new-buckets-and-select-existing-buckets-in-april-2026/).
+
+###### Important
+