AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2026-05-25 · Documentation low

File: AmazonS3/latest/userguide/UsingServerSideEncryption.md

Summary

Added note clarifying relationship between s3:x-amz-server-side-encryption condition key and HTTP header, including potential impact on services like ELB/CloudFront.

Security assessment

Clarifies encryption-related policy behavior but doesn't address specific vulnerabilities. Enhances documentation of existing security feature (server-side encryption).

Diff

diff --git a/AmazonS3/latest/userguide/UsingServerSideEncryption.md b/AmazonS3/latest/userguide/UsingServerSideEncryption.md
index 8b5efe13f..319252491 100644
--- a//AmazonS3/latest/userguide/UsingServerSideEncryption.md
+++ b//AmazonS3/latest/userguide/UsingServerSideEncryption.md
@@ -53,0 +54,4 @@ Server-side encryption encrypts only the object data, not the object metadata.
+###### Note
+
+The `s3:x-amz-server-side-encryption` condition key used in bucket policies is an IAM condition key namespace and differs from the `x-amz-server-side-encryption` HTTP header shown in CloudTrail logs. Both refer to the same encryption setting, but use different formats. Additionally, this Deny policy might block writes from (such as Elastic Load Balancing access logs or Amazon CloudFront logs) that deliver objects to your bucket without specifying the encryption header.
+