AWS Security ChangesHomeSearch

AWS AmazonS3 high security documentation change

Service: AmazonS3 · 2026-06-07 · Security-related high

File: AmazonS3/latest/userguide/enable-server-access-logging.md

Summary

Updated encryption requirements for server access logging destination buckets: removed instructions for SSE-KMS key policy permissions and mandated SSE-S3 encryption instead

Security assessment

Corrects critical misconfiguration guidance that could lead to inaccessible audit logs. Previous instructions for SSE-KMS could result in encrypted logs that owners cannot decrypt, violating security audit requirements. Mandating SSE-S3 ensures log accessibility.

Diff

diff --git a/AmazonS3/latest/userguide/enable-server-access-logging.md b/AmazonS3/latest/userguide/enable-server-access-logging.md
index 196f6b2b7..e5c0fdc8c 100644
--- a//AmazonS3/latest/userguide/enable-server-access-logging.md
+++ b//AmazonS3/latest/userguide/enable-server-access-logging.md
@@ -40,17 +40 @@ To grant permissions to Amazon S3 for log delivery, you can use either a bucket
-If the destination bucket uses SSE-KMS default encryption, you must also grant the logging service principal (`logging.s3.amazonaws.com`) the `kms:GenerateDataKey` and `kms:Decrypt` permissions in your AWS KMS key policy. The following example shows the required AWS KMS key policy statement:
-    
-    
-    {
-        "Sid": "Allow S3 logging service to use the KMS key",
-        "Effect": "Allow",
-        "Principal": {
-            "Service": "logging.s3.amazonaws.com"
-        },
-        "Action": [
-            "kms:GenerateDataKey",
-            "kms:Decrypt"
-        ],
-        "Resource": "*"
-    }
-
-If you don't grant these permissions, Amazon S3 might deliver log objects that are encrypted with a key that you can't access, or log delivery might fail.
+Granting `s3:PutObject` to the logging service principal is not sufficient if the destination bucket uses SSE-KMS default encryption. The destination bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS, Amazon S3 might deliver log objects that are encrypted with a key that you can't access.