AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2026-05-10 · Security-related medium

File: AmazonS3/latest/userguide/default-bucket-encryption.md

Summary

Added explicit warning about SSE-KMS making server access logs inaccessible

Security assessment

Directly addresses security visibility gap by documenting that SSE-KMS breaks server logging access. Prevents misconfiguration that would blind security monitoring.

Diff

diff --git a/AmazonS3/latest/userguide/default-bucket-encryption.md b/AmazonS3/latest/userguide/default-bucket-encryption.md
index d72c2ecb4..8f9b71167 100644
--- a//AmazonS3/latest/userguide/default-bucket-encryption.md
+++ b//AmazonS3/latest/userguide/default-bucket-encryption.md
@@ -44,0 +45,2 @@ After you enable default encryption for a bucket, the following encryption behav
+  * If this bucket is used as a destination for server access logging, the destination bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS default encryption, Amazon S3 might deliver log objects that are encrypted with a key that you can't access. To resolve this, change the destination bucket's default encryption to SSE-S3. For more information about server access logging, see [Logging requests with server access logging](./ServerLogs.html).
+