AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2026-05-28 · Security-related medium

File: AmazonS3/latest/userguide/enable-server-access-logging.md

Summary

Added detailed instructions and KMS policy example for SSE-KMS encrypted logging buckets

Security assessment

Addresses potential security misconfiguration where inaccessible logs could impair security monitoring. Explicitly resolves the security risk of undeliverable/unreadable audit logs by providing required kms:GenerateDataKey and kms:Decrypt permissions.

Diff

diff --git a/AmazonS3/latest/userguide/enable-server-access-logging.md b/AmazonS3/latest/userguide/enable-server-access-logging.md
index e5c0fdc8c..196f6b2b7 100644
--- a//AmazonS3/latest/userguide/enable-server-access-logging.md
+++ b//AmazonS3/latest/userguide/enable-server-access-logging.md
@@ -40 +40,17 @@ To grant permissions to Amazon S3 for log delivery, you can use either a bucket
-Granting `s3:PutObject` to the logging service principal is not sufficient if the destination bucket uses SSE-KMS default encryption. The destination bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS, Amazon S3 might deliver log objects that are encrypted with a key that you can't access.
+If the destination bucket uses SSE-KMS default encryption, you must also grant the logging service principal (`logging.s3.amazonaws.com`) the `kms:GenerateDataKey` and `kms:Decrypt` permissions in your AWS KMS key policy. The following example shows the required AWS KMS key policy statement:
+    
+    
+    {
+        "Sid": "Allow S3 logging service to use the KMS key",
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "logging.s3.amazonaws.com"
+        },
+        "Action": [
+            "kms:GenerateDataKey",
+            "kms:Decrypt"
+        ],
+        "Resource": "*"
+    }
+
+If you don't grant these permissions, Amazon S3 might deliver log objects that are encrypted with a key that you can't access, or log delivery might fail.