AWS AmazonS3 medium security documentation change
Summary
Added warning about SSE-KMS encryption causing inaccessible server access logs
Security assessment
Addresses a misconfiguration where KMS-encrypted server logs become inaccessible, impacting security monitoring and audit capabilities. Explicitly warns about loss of log access.
Diff
diff --git a/AmazonS3/latest/userguide/UsingKMSEncryption.md b/AmazonS3/latest/userguide/UsingKMSEncryption.md index 18edb5b84..c14786446 100644 --- a//AmazonS3/latest/userguide/UsingKMSEncryption.md +++ b//AmazonS3/latest/userguide/UsingKMSEncryption.md @@ -46 +46,6 @@ To successfully make a `PutObject` request to encrypt an object with an AWS KMS -Carefully review the permissions that are granted in your KMS key policies. Always restrict customer-managed KMS key policy permissions only to the IAM principals and AWS services that must access the relevant AWS KMS key action. For more information, see [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). + * Carefully review the permissions that are granted in your KMS key policies. Always restrict customer-managed KMS key policy permissions only to the IAM principals and AWS services that must access the relevant AWS KMS key action. For more information, see [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). + + * If a bucket is used as a destination for Amazon S3 server access logging, the destination bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS default encryption, Amazon S3 might deliver log objects that are encrypted with a key that you can't access. To resolve this, change the destination bucket's default encryption to SSE-S3. For more information, see [Enabling Amazon S3 server access logging](./enable-server-access-logging.html). + + +