AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2025-11-22 · Security-related medium

File: AmazonS3/latest/userguide/troubleshoot-403-errors.md

Summary

Added documentation about Blocked Encryption Types causing 403 errors when SSE-C is blocked in bucket encryption configuration

Security assessment

The change explicitly documents how blocking SSE-C encryption types can lead to access denials, which is a security control mechanism. It describes a security feature (blocking specific encryption methods) and its implications, indicating proactive security measures.

Diff

diff --git a/AmazonS3/latest/userguide/troubleshoot-403-errors.md b/AmazonS3/latest/userguide/troubleshoot-403-errors.md
index 1d9dbff47..f4afc2dd3 100644
--- a//AmazonS3/latest/userguide/troubleshoot-403-errors.md
+++ b//AmazonS3/latest/userguide/troubleshoot-403-errors.md
@@ -75 +75 @@ When a policy explicitly denies access because the policy contains a `Deny` stat
-For information about the policy evaluation logic that determines whether a cross-account access request is allowed or denied, see [ Cross-account policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html) in the _IAM User Guide_. For a walkthrough that shows how to grant cross-account access, see [Example 2: Bucket owner granting cross-account bucket permissions](./example-walkthroughs-managing-access-example2.html). 
+For information about the policy evaluation logic that determines whether a cross-account access request is allowed or denied, see [ Cross-account policy evaluation logic](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html) in the _IAM User Guide_. For a walkthrough that shows how to grant cross-account access, see [Example 2: Bucket owner granting cross-account bucket permissions](./example-walkthroughs-managing-access-example2.html). 
@@ -95,0 +96,20 @@ The following examples show the format for different types of access denied erro
+### Access denied due to Blocked Encryption Type
+
+To limit the server-side encryption types you can use in your general purpose buckets, you can choose to block SSE-C write requests by updating your default encryption configuration for your buckets. This bucket-level configuration blocks requests to upload objects that specify SSE-C. When SSE-C is blocked for a bucket, any `PutObject`, `CopyObject`, `PostObject`, or Multipart Upload or replication requests that specify SSE-C encryption will be rejected with an HTTP 403 `AccessDenied` error.
+
+This setting is a parameter on the `PutBucketEncryption` API and can also be updated using the S3 Console, AWS CLI, and AWS SDKs, if you have the `s3:PutEncryptionConfiguration` permission. Valid values are `SSE-C`, which blocks SSE-C encryption for the general purpose bucket, and `NONE`, which allows the use SSE-C for writes to the bucket.
+
+For example, when access is denied for a `PutObject` request because the `BlockedEncryptionTypes` setting blocks write requests specifying SSE-C, you receive the following message:
+    
+    
+    An error occurred (AccessDenied) when calling the PutObject operation:   
+    User: arn:aws:iam::123456789012:user/MaryMajor  is not   
+    authorized to perform: s3:PutObject on resource:   
+    "arn:aws:s3:::amzn-s3-demo-bucket1/object-name" because this   
+    bucket has blocked upload requests that specify   
+    Server Side Encryption with Customer provided keys (SSE-C).   
+    Please specify a different server-side encryption type
+    
+
+For more information about this setting, see [Blocking or unblocking SSE-C for a general purpose bucket](./blocking-unblocking-s3-c-encryption-gpb.html).
+