AWS AmazonS3 medium security documentation change
Summary
Added note about SSE-S3 requirement for log destination buckets
Security assessment
Documents critical limitation where KMS permissions don't resolve log access issues. Prevents security blind spots by mandating SSE-S3 for functional logging.
Diff
diff --git a/AmazonS3/latest/userguide/enable-server-access-logging.md b/AmazonS3/latest/userguide/enable-server-access-logging.md index f2b5f95e9..e5c0fdc8c 100644 --- a//AmazonS3/latest/userguide/enable-server-access-logging.md +++ b//AmazonS3/latest/userguide/enable-server-access-logging.md @@ -37,0 +38,4 @@ To grant permissions to Amazon S3 for log delivery, you can use either a bucket +###### Note + +Granting `s3:PutObject` to the logging service principal is not sufficient if the destination bucket uses SSE-KMS default encryption. The destination bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS, Amazon S3 might deliver log objects that are encrypted with a key that you can't access. +