AWS AmazonS3 medium security documentation change
Summary
Added explicit warning about SSE-KMS making server access logs inaccessible
Security assessment
Directly addresses security visibility gap by documenting that SSE-KMS breaks server logging access. Prevents misconfiguration that would blind security monitoring.
Diff
diff --git a/AmazonS3/latest/userguide/default-bucket-encryption.md b/AmazonS3/latest/userguide/default-bucket-encryption.md index d72c2ecb4..8f9b71167 100644 --- a//AmazonS3/latest/userguide/default-bucket-encryption.md +++ b//AmazonS3/latest/userguide/default-bucket-encryption.md @@ -44,0 +45,2 @@ After you enable default encryption for a bucket, the following encryption behav + * If this bucket is used as a destination for server access logging, the destination bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS default encryption, Amazon S3 might deliver log objects that are encrypted with a key that you can't access. To resolve this, change the destination bucket's default encryption to SSE-S3. For more information about server access logging, see [Logging requests with server access logging](./ServerLogs.html). +