AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2026-05-28 · Security-related medium

File: AmazonS3/latest/userguide/troubleshooting-server-access-logging.md

Summary

Added requirement to grant KMS permissions for SSE-KMS encrypted access logs.

Security assessment

Addresses a misconfiguration where inaccessible logs could compromise security monitoring. Explicitly requires kms:GenerateDataKey and kms:Decrypt for logging service principal to prevent log delivery failures.

Diff

diff --git a/AmazonS3/latest/userguide/troubleshooting-server-access-logging.md b/AmazonS3/latest/userguide/troubleshooting-server-access-logging.md
index 9ea6765ff..0bc3f64a9 100644
--- a//AmazonS3/latest/userguide/troubleshooting-server-access-logging.md
+++ b//AmazonS3/latest/userguide/troubleshooting-server-access-logging.md
@@ -64 +64 @@ If the destination bucket uses the Bucket owner enforced setting for Object Owne
-  * **The destination bucket must use Amazon S3 managed keys (SSE-S3)** – If the destination bucket uses SSE-KMS default encryption, log objects might be created but encrypted with a key that you can't access.
+  * **If the destination bucket uses SSE-KMS, grant the logging service principal access to the AWS KMS key** – If the destination bucket uses SSE-KMS default encryption, you must grant the logging service principal (`logging.s3.amazonaws.com`) the `kms:GenerateDataKey` and `kms:Decrypt` permissions in your AWS KMS key policy. Otherwise, log objects might be created but encrypted with a key that you can't access, or log delivery might fail.