AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2026-01-31 · Security-related medium

File: AmazonS3/latest/userguide/s3-batch-replication-batch.md

Summary

Added note about KMS permissions requirements for objects with updated encryption during batch replication

Security assessment

Documents specific permission requirements (kms:decrypt/encrypt) to prevent replication failures of re-encrypted objects. Directly addresses security configuration needs

Diff

diff --git a/AmazonS3/latest/userguide/s3-batch-replication-batch.md b/AmazonS3/latest/userguide/s3-batch-replication-batch.md
index 16d6de5d1..3d3198562 100644
--- a//AmazonS3/latest/userguide/s3-batch-replication-batch.md
+++ b//AmazonS3/latest/userguide/s3-batch-replication-batch.md
@@ -66,0 +67,2 @@ For more information about Batch Copy, see [Examples that use Batch Operations t
+  * If you use S3 Batch Replication to replicate datasets cross region and your objects previously had their server-side encryption type updated from SSE-S3 to SSE-KMS, you may need additional permissions. On the source region bucket, you must have `kms:decrypt` permissions. Then, you will need the `kms:decrypt` and `kms:encrypt` permissions for the bucket in the destination region. For more information, see [Replicating encrypted objects](./replication-config-for-kms-objects.html).
+