AWS Security ChangesHomeSearch

AWS AmazonS3 high security documentation change

Service: AmazonS3 · 2026-05-10 · Security-related high

File: AmazonS3/latest/userguide/bucket-encryption.md

Summary

Upgraded note to 'Important' and clarified SSE-S3 requirement for server access log buckets

Security assessment

Highlights critical requirement to prevent inaccessible security logs. Failure to use SSE-S3 risks complete loss of server access logs, compromising security auditing.

Diff

diff --git a/AmazonS3/latest/userguide/bucket-encryption.md b/AmazonS3/latest/userguide/bucket-encryption.md
index 81f75e767..26e289022 100644
--- a//AmazonS3/latest/userguide/bucket-encryption.md
+++ b//AmazonS3/latest/userguide/bucket-encryption.md
@@ -39 +39 @@ You can also encrypt existing objects by using the `CopyObject` API operation or
-###### Note
+###### Important
@@ -41 +41 @@ You can also encrypt existing objects by using the `CopyObject` API operation or
-Amazon S3 buckets with default bucket encryption set to SSE-KMS cannot be used as destination buckets for [Logging requests with server access logging](./ServerLogs.html). Only SSE-S3 default encryption is supported for server access log destination buckets.
+If your bucket is a target destination for server access log delivery, the bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS default encryption, log objects might be created but encrypted with a key that you can't access.