AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2026-05-10 · Security-related medium

File: AmazonS3/latest/userguide/UsingKMSEncryption.md

Summary

Added warning about SSE-KMS encryption causing inaccessible server access logs

Security assessment

Addresses a misconfiguration where KMS-encrypted server logs become inaccessible, impacting security monitoring and audit capabilities. Explicitly warns about loss of log access.

Diff

diff --git a/AmazonS3/latest/userguide/UsingKMSEncryption.md b/AmazonS3/latest/userguide/UsingKMSEncryption.md
index 18edb5b84..c14786446 100644
--- a//AmazonS3/latest/userguide/UsingKMSEncryption.md
+++ b//AmazonS3/latest/userguide/UsingKMSEncryption.md
@@ -46 +46,6 @@ To successfully make a `PutObject` request to encrypt an object with an AWS KMS
-Carefully review the permissions that are granted in your KMS key policies. Always restrict customer-managed KMS key policy permissions only to the IAM principals and AWS services that must access the relevant AWS KMS key action. For more information, see [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html).
+  * Carefully review the permissions that are granted in your KMS key policies. Always restrict customer-managed KMS key policy permissions only to the IAM principals and AWS services that must access the relevant AWS KMS key action. For more information, see [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html).
+
+  * If a bucket is used as a destination for Amazon S3 server access logging, the destination bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS default encryption, Amazon S3 might deliver log objects that are encrypted with a key that you can't access. To resolve this, change the destination bucket's default encryption to SSE-S3. For more information, see [Enabling Amazon S3 server access logging](./enable-server-access-logging.html).
+
+
+