AWS AmazonS3 medium security documentation change
Summary
Added identical note about KMS permissions for cross-region replication of re-encrypted objects
Security assessment
Reiterates critical permissions requirements in troubleshooting context, preventing potential security operation failures. Concrete evidence in required kms permissions
Diff
diff --git a/AmazonS3/latest/userguide/replication-troubleshoot.md b/AmazonS3/latest/userguide/replication-troubleshoot.md index 009f8eab4..5fb5e57f0 100644 --- a//AmazonS3/latest/userguide/replication-troubleshoot.md +++ b//AmazonS3/latest/userguide/replication-troubleshoot.md @@ -152,0 +153,4 @@ In addition to the permissions granted by the KMS key policy, the source account +###### Important + +If you use S3 Batch Replication to replicate datasets cross region and your objects previously had their server-side encryption type updated from SSE-S3 to SSE-KMS, you may need additional permissions. On the source region bucket, you must have `kms:decrypt` permissions. Then, you will need the `kms:decrypt` and `kms:encrypt` permissions for the bucket in the destination region. +