AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2026-04-19 · Documentation low

File: kms/latest/developerguide/multi-region-keys-overview.md

Summary

Clarified that Amazon S3 cross-Region replication re-encrypts data keys under the destination Region's KMS key, even for multi-Region keys.

Security assessment

Documentation clarification about how multi-Region keys behave in cross-region replication scenarios. No security issue addressed.

Diff

diff --git a/kms/latest/developerguide/multi-region-keys-overview.md b/kms/latest/developerguide/multi-region-keys-overview.md
index 0c4825518..c599d7f09 100644
--- a//kms/latest/developerguide/multi-region-keys-overview.md
+++ b//kms/latest/developerguide/multi-region-keys-overview.md
@@ -41 +41 @@ You can use multi-Region keys with client-side encryption libraries, such as the
-Most [AWS services that integrate with AWS KMS](https://aws.amazon.com/kms/features/) for encryption at rest or digital signatures currently treat multi-Region keys as though they were single-Region keys. They might re-wrap or re-encrypt data moved between Regions. For example, Amazon S3 cross-Region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key. Refer to service-specific documentation to understand how a service replicates encrypted data and if it treats multi-Region keys differently.
+Most [AWS services that integrate with AWS KMS](https://aws.amazon.com/kms/features/) for encryption at rest or digital signatures currently treat multi-Region keys as though they were single-Region keys. For example, Amazon S3 cross-Region replication decrypts and re-encrypts the data keys used to encrypt object data under the KMS key in the destination Region, even when the KMS key in both Regions is a related multi-Region key. Refer to service-specific documentation to understand how a service replicates encrypted data and if it treats multi-Region keys differently.