AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2026-05-10 · Security-related medium

File: AmazonS3/latest/userguide/troubleshooting-server-access-logging.md

Summary

Clarified encryption requirements for server access logging destination buckets. Explicitly stated that SSE-KMS encryption may cause inaccessible logs.

Security assessment

The change highlights a misconfiguration risk where logs become inaccessible due to improper encryption. This directly addresses a security visibility issue by warning about SSE-KMS limitations.

Diff

diff --git a/AmazonS3/latest/userguide/troubleshooting-server-access-logging.md b/AmazonS3/latest/userguide/troubleshooting-server-access-logging.md
index e17a7774f..9ea6765ff 100644
--- a//AmazonS3/latest/userguide/troubleshooting-server-access-logging.md
+++ b//AmazonS3/latest/userguide/troubleshooting-server-access-logging.md
@@ -64 +64 @@ If the destination bucket uses the Bucket owner enforced setting for Object Owne
-  * **Amazon S3 managed keys (SSE-S3) is selected if default encryption is enabled on the destination bucket** – You can use default bucket encryption on the destination bucket only if you use server-side encryption with Amazon S3 managed keys (SSE-S3). Default server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) is not supported for server access logging destination buckets. For more information about how to enable default encryption, see [Configuring default encryption](./default-bucket-encryption.html).
+  * **The destination bucket must use Amazon S3 managed keys (SSE-S3)** – If the destination bucket uses SSE-KMS default encryption, log objects might be created but encrypted with a key that you can't access.