AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2026-01-31 · Security-related medium

File: AmazonS3/latest/userguide/replication-config-for-kms-objects.md

Summary

Added important note about KMS permissions requirements for cross-region replication of re-encrypted objects

Security assessment

Addresses potential permission misconfiguration that could block encryption operations during replication. Explicitly mentions required kms:decrypt/encrypt permissions for security-sensitive scenarios

Diff

diff --git a/AmazonS3/latest/userguide/replication-config-for-kms-objects.md b/AmazonS3/latest/userguide/replication-config-for-kms-objects.md
index 89dc1cccf..211e9e5ee 100644
--- a//AmazonS3/latest/userguide/replication-config-for-kms-objects.md
+++ b//AmazonS3/latest/userguide/replication-config-for-kms-objects.md
@@ -166,0 +167,4 @@ We recommend that you use the `s3:GetObjectVersionForReplication` action instead
+###### Important
+
+If you use S3 Batch Replication to replicate datasets cross region and your objects previously had their server-side encryption type updated from SSE-S3 to SSE-KMS, you may need additional permissions. On the source region bucket, you must have `kms:decrypt` permissions. Then, you will need the `kms:decrypt` and `kms:encrypt` permissions for the bucket in the destination region. 
+