AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2026-01-31 · Documentation low

File: AmazonS3/latest/userguide/using-with-s3-policy-actions.md

Summary

Added documentation for UpdateObjectEncryption API requirements including KMS permissions and cross-account access policies. Fixed minor typos.

Security assessment

New documentation explains required permissions for encryption key rotation and cross-account KMS access, which are security features. No evidence this addresses a specific vulnerability; it proactively documents encryption management best practices.

Diff

diff --git a/AmazonS3/latest/userguide/using-with-s3-policy-actions.md b/AmazonS3/latest/userguide/using-with-s3-policy-actions.md
index fab6905b8..ac1c18227 100644
--- a//AmazonS3/latest/userguide/using-with-s3-policy-actions.md
+++ b//AmazonS3/latest/userguide/using-with-s3-policy-actions.md
@@ -280,0 +281,6 @@ API operations | Policy actions | Description of policy actions
+[UpdateObjectEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UpdateObjectEncryption.html) | (Required) `s3:UpdateObjectEncryption`, `s3:PutObject`, `kms:Encrypt`, `kms:Decrypt`, `kms:GenerateDataKey`, `kms:ReEncrypt*` | Required if you want to change encrypted objects between server-side encryption with Amazon S3 managed encryption (SSE-S3) and server-side encryption with AWS Key Management Service (AWS KMS) encryption keys (SSE-KMS). You can also use the `UpdateObjectEncryption` operation to apply S3 Bucket Keys to reduce AWS KMS request costs or change the customer-managed KMS key that's used to encrypt your data so that you can comply with custom key-rotation standards.  
+| (Conditionally required) `organizations:DescribeAccount` | If you're using AWS Organizations, to use the `UpdateObjectEncryption` operation with customer-managed KMS keys from other AWS accounts within your organization, you must have the `organizations:DescribeAccount` permission. 
+
+###### Note
+
+You must also request the ability to use AWS KMS keys owned by other member accounts within your organization by contacting AWS Support.  
@@ -425 +431 @@ API operations | Policy actions | Description of policy actions
-[GetAccessGrantsInstanceResourcePolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessGrantsInstanceResourcePolicy.html) |  (Required) `s3:GetAccessGrantsInstanceResourcePolicy` |  Requred to return the resource policy of your S3 Access Grants instance.  
+[GetAccessGrantsInstanceResourcePolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_GetAccessGrantsInstanceResourcePolicy.html) |  (Required) `s3:GetAccessGrantsInstanceResourcePolicy` |  Required to return the resource policy of your S3 Access Grants instance.