AWS AmazonS3 medium security documentation change
Summary
Added requirement to grant KMS permissions for SSE-KMS encrypted access logs.
Security assessment
Addresses a misconfiguration where inaccessible logs could compromise security monitoring. Explicitly requires kms:GenerateDataKey and kms:Decrypt for logging service principal to prevent log delivery failures.
Diff
diff --git a/AmazonS3/latest/userguide/troubleshooting-server-access-logging.md b/AmazonS3/latest/userguide/troubleshooting-server-access-logging.md index 9ea6765ff..0bc3f64a9 100644 --- a//AmazonS3/latest/userguide/troubleshooting-server-access-logging.md +++ b//AmazonS3/latest/userguide/troubleshooting-server-access-logging.md @@ -64 +64 @@ If the destination bucket uses the Bucket owner enforced setting for Object Owne - * **The destination bucket must use Amazon S3 managed keys (SSE-S3)** – If the destination bucket uses SSE-KMS default encryption, log objects might be created but encrypted with a key that you can't access. + * **If the destination bucket uses SSE-KMS, grant the logging service principal access to the AWS KMS key** – If the destination bucket uses SSE-KMS default encryption, you must grant the logging service principal (`logging.s3.amazonaws.com`) the `kms:GenerateDataKey` and `kms:Decrypt` permissions in your AWS KMS key policy. Otherwise, log objects might be created but encrypted with a key that you can't access, or log delivery might fail.