AWS AmazonS3 medium security documentation change
Summary
Added documentation about Blocked Encryption Types causing 403 errors when SSE-C is blocked in bucket encryption configuration
Security assessment
The change explicitly documents how blocking SSE-C encryption types can lead to access denials, which is a security control mechanism. It describes a security feature (blocking specific encryption methods) and its implications, indicating proactive security measures.
Diff
diff --git a/AmazonS3/latest/userguide/troubleshoot-403-errors.md b/AmazonS3/latest/userguide/troubleshoot-403-errors.md index 1d9dbff47..f4afc2dd3 100644 --- a//AmazonS3/latest/userguide/troubleshoot-403-errors.md +++ b//AmazonS3/latest/userguide/troubleshoot-403-errors.md @@ -75 +75 @@ When a policy explicitly denies access because the policy contains a `Deny` stat -For information about the policy evaluation logic that determines whether a cross-account access request is allowed or denied, see [ Cross-account policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html) in the _IAM User Guide_. For a walkthrough that shows how to grant cross-account access, see [Example 2: Bucket owner granting cross-account bucket permissions](./example-walkthroughs-managing-access-example2.html). +For information about the policy evaluation logic that determines whether a cross-account access request is allowed or denied, see [ Cross-account policy evaluation logic](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html) in the _IAM User Guide_. For a walkthrough that shows how to grant cross-account access, see [Example 2: Bucket owner granting cross-account bucket permissions](./example-walkthroughs-managing-access-example2.html). @@ -95,0 +96,20 @@ The following examples show the format for different types of access denied erro +### Access denied due to Blocked Encryption Type + +To limit the server-side encryption types you can use in your general purpose buckets, you can choose to block SSE-C write requests by updating your default encryption configuration for your buckets. This bucket-level configuration blocks requests to upload objects that specify SSE-C. When SSE-C is blocked for a bucket, any `PutObject`, `CopyObject`, `PostObject`, or Multipart Upload or replication requests that specify SSE-C encryption will be rejected with an HTTP 403 `AccessDenied` error. + +This setting is a parameter on the `PutBucketEncryption` API and can also be updated using the S3 Console, AWS CLI, and AWS SDKs, if you have the `s3:PutEncryptionConfiguration` permission. Valid values are `SSE-C`, which blocks SSE-C encryption for the general purpose bucket, and `NONE`, which allows the use SSE-C for writes to the bucket. + +For example, when access is denied for a `PutObject` request because the `BlockedEncryptionTypes` setting blocks write requests specifying SSE-C, you receive the following message: + + + An error occurred (AccessDenied) when calling the PutObject operation: + User: arn:aws:iam::123456789012:user/MaryMajor is not + authorized to perform: s3:PutObject on resource: + "arn:aws:s3:::amzn-s3-demo-bucket1/object-name" because this + bucket has blocked upload requests that specify + Server Side Encryption with Customer provided keys (SSE-C). + Please specify a different server-side encryption type + + +For more information about this setting, see [Blocking or unblocking SSE-C for a general purpose bucket](./blocking-unblocking-s3-c-encryption-gpb.html). +