AWS AmazonS3 high security documentation change
Summary
Upgraded note to 'Important' and clarified SSE-S3 requirement for server access log buckets
Security assessment
Highlights critical requirement to prevent inaccessible security logs. Failure to use SSE-S3 risks complete loss of server access logs, compromising security auditing.
Diff
diff --git a/AmazonS3/latest/userguide/bucket-encryption.md b/AmazonS3/latest/userguide/bucket-encryption.md index 81f75e767..26e289022 100644 --- a//AmazonS3/latest/userguide/bucket-encryption.md +++ b//AmazonS3/latest/userguide/bucket-encryption.md @@ -39 +39 @@ You can also encrypt existing objects by using the `CopyObject` API operation or -###### Note +###### Important @@ -41 +41 @@ You can also encrypt existing objects by using the `CopyObject` API operation or -Amazon S3 buckets with default bucket encryption set to SSE-KMS cannot be used as destination buckets for [Logging requests with server access logging](./ServerLogs.html). Only SSE-S3 default encryption is supported for server access log destination buckets. +If your bucket is a target destination for server access log delivery, the bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS default encryption, log objects might be created but encrypted with a key that you can't access.