AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2026-05-10 · Security-related medium

File: AmazonS3/latest/userguide/enable-server-access-logging.md

Summary

Added note about SSE-S3 requirement for log destination buckets

Security assessment

Documents critical limitation where KMS permissions don't resolve log access issues. Prevents security blind spots by mandating SSE-S3 for functional logging.

Diff

diff --git a/AmazonS3/latest/userguide/enable-server-access-logging.md b/AmazonS3/latest/userguide/enable-server-access-logging.md
index f2b5f95e9..e5c0fdc8c 100644
--- a//AmazonS3/latest/userguide/enable-server-access-logging.md
+++ b//AmazonS3/latest/userguide/enable-server-access-logging.md
@@ -37,0 +38,4 @@ To grant permissions to Amazon S3 for log delivery, you can use either a bucket
+###### Note
+
+Granting `s3:PutObject` to the logging service principal is not sufficient if the destination bucket uses SSE-KMS default encryption. The destination bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS, Amazon S3 might deliver log objects that are encrypted with a key that you can't access.
+