AWS cli documentation change
Summary
Restructured encryption documentation and added SSE-C blocking note with error details
Security assessment
Reorganizes security documentation around SSE-C requirements and adds the same blocking behavior note as in upload-part-copy.md. Improves clarity about security features but doesn't address a vulnerability.
Diff
diff --git a/cli/latest/reference/s3api/upload-part.md b/cli/latest/reference/s3api/upload-part.md index f1853200c..07a4093dc 100644 --- a//cli/latest/reference/s3api/upload-part.md +++ b//cli/latest/reference/s3api/upload-part.md @@ -15 +15 @@ - * [AWS CLI 2.31.39 Command Reference](../../index.html) » + * [AWS CLI 2.32.3 Command Reference](../../index.html) » @@ -101,4 +101 @@ Encryption - * **General purpose bucket** \- Server-side encryption is for data encryption at rest. Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it when you access it. You have mutually exclusive options to protect data using server-side encryption in Amazon S3, depending on how you choose to manage the encryption keys. Specifically, the encryption key options are Amazon S3 managed keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS), and Customer-Provided Keys (SSE-C). Amazon S3 encrypts data with server-side encryption using Amazon S3 managed keys (SSE-S3) by default. You can optionally tell Amazon S3 to encrypt data at rest using server-side encryption with other key options. The option you use depends on whether you want to use KMS keys (SSE-KMS) or provide your own encryption key (SSE-C). Server-side encryption is supported by the S3 Multipart Upload operations. Unless you are using a customer-provided encryption key (SSE-C), you don’t need to specify the encryption parameters in each UploadPart request. Instead, you only need to specify the server-side encryption parameters in the initial Initiate Multipart request. For more information, see [CreateMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html) . If you request server-side encryption using a customer-provided encryption key (SSE-C) in your initiate multipart upload request, you must provide identical encryption information in each part upload using the following request headers. - * x-amz-server-side-encryption-customer-algorithm - * x-amz-server-side-encryption-customer-key - * x-amz-server-side-encryption-customer-key-MD5 + * **General purpose bucket** \- Server-side encryption is for data encryption at rest. Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it when you access it. You have mutually exclusive options to protect data using server-side encryption in Amazon S3, depending on how you choose to manage the encryption keys. Specifically, the encryption key options are Amazon S3 managed keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS), and Customer-Provided Keys (SSE-C). Amazon S3 encrypts data with server-side encryption using Amazon S3 managed keys (SSE-S3) by default. You can optionally tell Amazon S3 to encrypt data at rest using server-side encryption with other key options. The option you use depends on whether you want to use KMS keys (SSE-KMS) or provide your own encryption key (SSE-C). Server-side encryption is supported by the S3 Multipart Upload operations. Unless you are using a customer-provided encryption key (SSE-C), you don’t need to specify the encryption parameters in each UploadPart request. Instead, you only need to specify the server-side encryption parameters in the initial Initiate Multipart request. For more information, see [CreateMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html) . @@ -107,0 +105,12 @@ Encryption +### Note + +> If you have server-side encryption with customer-provided keys (SSE-C) blocked for your general purpose bucket, you will get an HTTP 403 Access Denied error when you specify the SSE-C request headers while writing new data to your bucket. For more information, see [Blocking or unblocking SSE-C for a general purpose bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/blocking-unblocking-s3-c-encryption-gpb.html) . + +If you request server-side encryption using a customer-provided encryption key (SSE-C) in your initiate multipart upload request, you must provide identical encryption information in each part upload using the following request headers. + +> * x-amz-server-side-encryption-customer-algorithm +> * x-amz-server-side-encryption-customer-key +> * x-amz-server-side-encryption-customer-key-MD5 +> + + @@ -535 +544 @@ RequestCharged -> (string) - * [AWS CLI 2.31.39 Command Reference](../../index.html) » + * [AWS CLI 2.32.3 Command Reference](../../index.html) »