AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2026-05-07 · Documentation low

File: AmazonS3/latest/userguide/default-s3-c-encryption-setting-faq.md

Summary

Updated FAQ to reflect completion of SSE-C encryption disablement rollout, removed outdated rollout timeline details, and renumbered questions.

Security assessment

The changes document a completed security enhancement (SSE-C disabled by default) but do not indicate a response to a specific vulnerability. The update strengthens security posture by preventing accidental SSE-C usage, but lacks evidence of addressing an active exploit.

Diff

diff --git a/AmazonS3/latest/userguide/default-s3-c-encryption-setting-faq.md b/AmazonS3/latest/userguide/default-s3-c-encryption-setting-faq.md
index d9597c19e..d3527131b 100644
--- a//AmazonS3/latest/userguide/default-s3-c-encryption-setting-faq.md
+++ b//AmazonS3/latest/userguide/default-s3-c-encryption-setting-faq.md
@@ -11,3 +11 @@
-As [announced on November 19, 2025](https://aws.amazon.com/blogs/storage/advanced-notice-amazon-s3-to-disable-the-use-of-sse-c-encryption-by-default-for-all-new-buckets-and-select-existing-buckets-in-april-2026/), Amazon Simple Storage Service is deploying a new default bucket security setting that automatically disables server-side encryption with customer-provided keys (SSE-C) for all new general purpose buckets. For existing buckets in AWS accounts with no SSE-C encrypted objects, Amazon S3 will also disable SSE-C for all new write requests. For AWS accounts with SSE-C usage, Amazon S3 will not change the bucket encryption configuration on any of the existing buckets in those accounts. This deployment started on April 6, 2026, and will complete over the next few weeks in 37 AWS Regions, including the AWS China and AWS GovCloud (US) Regions.
-
-With these changes, applications that need SSE-C encryption must deliberately enable SSE-C by using the [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html) API operation after creating a new bucket.
+Amazon Simple Storage Service now applies a new default bucket security setting that automatically disables server-side encryption with customer-provided keys (SSE-C) for all new general purpose buckets. In April 2026, Amazon S3 deployed an update so all new general purpose buckets have SSE-C encryption disabled for all new write requests. For existing buckets in AWS accounts with no SSE-C encrypted objects, Amazon S3 also disabled SSE-C for all new write requests. With this change, applications that need SSE-C encryption must deliberately enable SSE-C by using the [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html) API operation after creating a new bucket.
@@ -17 +15 @@ The following sections answer questions about this update.
-**1\. In April 2026, will the new SSE-C setting take effect for all newly created buckets?**
+**1\. Does the new SSE-C setting take effect for all newly created buckets?**
@@ -19 +17 @@ The following sections answer questions about this update.
-Yes. This deployment started on April 6, 2026, and will complete over the next few weeks in 37 AWS Regions, including the AWS China and AWS GovCloud (US) Regions.
+Yes. This deployment completed in 37 AWS Regions, including the AWS China and AWS GovCloud (US) Regions, in April 2026.
@@ -23,9 +21 @@ Yes. This deployment started on April 6, 2026, and will complete over the next f
-After the deployment is complete, newly created buckets in all AWS Regions except Middle East (Bahrain) and Middle East (UAE) will have SSE-C disabled by default.
-
-**2\. How long will it take before this rollout covers all AWS Regions?**
-
-The deployment started on April 6, 2026, and will complete in a few weeks.
-
-**3\. How will I know that the update is complete?**
-
-You can easily determine if the change has completed in your AWS Region by creating a new bucket and calling the [GetBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html) API operation to determine if SSE-C encryption is disabled. After the update is complete, all new general purpose buckets will automatically have SSE-C encryption disabled by default. You can adjust these settings after creating your S3 bucket by calling the [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html) API operation.
+All newly created buckets in all AWS Regions except Middle East (Bahrain) and Middle East (UAE) will have SSE-C disabled by default.
@@ -33 +23 @@ You can easily determine if the change has completed in your AWS Region by creat
-**4\. Will Amazon S3 update my existing bucket configurations?**
+**2\. Did Amazon S3 update my existing bucket configurations?**
@@ -35 +25 @@ You can easily determine if the change has completed in your AWS Region by creat
-If your AWS account does not have any SSE-C encrypted objects, AWS will disable SSE-C encryption on all of your existing buckets. If any bucket in your AWS account has SSE-C encrypted objects, AWS will not change the bucket configurations on any of your buckets in that account. After the `CreateBucket` change is complete for your AWS Region, the new default setting will apply to all new general purpose buckets. 
+If your AWS account did not have any SSE-C encrypted objects, then AWS disabled SSE-C encryption on all of your existing buckets. If any bucket in your AWS account had SSE-C encrypted objects, then AWS did not change the bucket configurations on any of your buckets in that account. The new default setting applies to all new general purpose buckets. 
@@ -37 +27 @@ If your AWS account does not have any SSE-C encrypted objects, AWS will disable
-**5\. Can I disable SSE-C encryption for my buckets before the update is complete?**
+**3\. Can I disable SSE-C encryption for my buckets?**
@@ -41 +31 @@ Yes. You can disable SSE-C encryption for any bucket by calling the [PutBucketEn
-**6\. Can I use SSE-C to encrypt data in my new buckets?**
+**4\. Can I use SSE-C to encrypt data in my new buckets?**
@@ -71 +61 @@ You must have the `s3:PutEncryptionConfiguration`permission to call the `PutBuck
-**7\. How does blocking SSE-C affect requests to my bucket?**
+**5\. How does blocking SSE-C affect requests to my bucket?**