AWS AmazonS3 medium security documentation change
Summary
Clarified encryption requirements for server access logging destination buckets. Explicitly stated that SSE-KMS encryption may cause inaccessible logs.
Security assessment
The change highlights a misconfiguration risk where logs become inaccessible due to improper encryption. This directly addresses a security visibility issue by warning about SSE-KMS limitations.
Diff
diff --git a/AmazonS3/latest/userguide/troubleshooting-server-access-logging.md b/AmazonS3/latest/userguide/troubleshooting-server-access-logging.md index e17a7774f..9ea6765ff 100644 --- a//AmazonS3/latest/userguide/troubleshooting-server-access-logging.md +++ b//AmazonS3/latest/userguide/troubleshooting-server-access-logging.md @@ -64 +64 @@ If the destination bucket uses the Bucket owner enforced setting for Object Owne - * **Amazon S3 managed keys (SSE-S3) is selected if default encryption is enabled on the destination bucket** – You can use default bucket encryption on the destination bucket only if you use server-side encryption with Amazon S3 managed keys (SSE-S3). Default server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) is not supported for server access logging destination buckets. For more information about how to enable default encryption, see [Configuring default encryption](./default-bucket-encryption.html). + * **The destination bucket must use Amazon S3 managed keys (SSE-S3)** – If the destination bucket uses SSE-KMS default encryption, log objects might be created but encrypted with a key that you can't access.