AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2026-04-07 · Documentation medium

File: AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.md

Summary

Updated timeline and details about SSE-C encryption being disabled by default for new buckets, noting deployment started on April 6, 2026, and providing updated guidance for enabling SSE-C.

Security assessment

This change documents a security configuration change where SSE-C encryption is being disabled by default for new buckets, which is a security hardening measure. It updates deployment timeline and provides guidance but doesn't indicate a specific security vulnerability being addressed.

Diff

diff --git a/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.md b/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.md
index 0ee3ce343..c7b6b2e0f 100644
--- a//AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.md
+++ b//AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.md
@@ -19 +19,3 @@ There are no additional charges for using SSE-C. However, requests to configure
-Starting in April 2026, AWS will disable server-side encryption with customer-provided keys (SSE-C) for all new buckets. In addition, SSE-C encryption will be disabled for all existing buckets in AWS accounts that do not have any SSE-C encrypted data. With these changes, the few applications that need SSE-C encryption must deliberately enable the use SSE-C via the [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html) API after creating the bucket. In these cases, you might need to update automation scripts, CloudFormation templates, or other infrastructure configuration tools to configure these settings. For more information, see the [AWS Storage Blog post](https://aws.amazon.com/blogs/storage/advanced-notice-amazon-s3-to-disable-the-use-of-sse-c-encryption-by-default-for-all-new-buckets-and-select-existing-buckets-in-april-2026/).
+As [announced on November 19, 2025](https://aws.amazon.com/blogs/storage/advanced-notice-amazon-s3-to-disable-the-use-of-sse-c-encryption-by-default-for-all-new-buckets-and-select-existing-buckets-in-april-2026/), Amazon Simple Storage Service is deploying a new default bucket security setting that automatically disables server-side encryption with customer-provided keys (SSE-C) for all new general purpose buckets. For existing buckets in AWS accounts with no SSE-C encrypted objects, Amazon S3 will also disable SSE-C for all new write requests. For AWS accounts with SSE-C usage, Amazon S3 will not change the bucket encryption configuration on any of the existing buckets in those accounts. This deployment started on April 6, 2026, and will complete over the next few weeks in 37 AWS Regions, including the AWS China and AWS GovCloud (US) Regions.
+
+With these changes, applications that need SSE-C encryption must deliberately enable SSE-C by using the [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html) API operation after creating a new bucket. For more information about this change, see [Default SSE-C setting for new buckets FAQ](./default-s3-c-encryption-setting-faq.html).