AWS AmazonS3 high security documentation change
Summary
Updated encryption requirements for server access logging destination buckets: removed instructions for SSE-KMS key policy permissions and mandated SSE-S3 encryption instead
Security assessment
Corrects critical misconfiguration guidance that could lead to inaccessible audit logs. Previous instructions for SSE-KMS could result in encrypted logs that owners cannot decrypt, violating security audit requirements. Mandating SSE-S3 ensures log accessibility.
Diff
diff --git a/AmazonS3/latest/userguide/enable-server-access-logging.md b/AmazonS3/latest/userguide/enable-server-access-logging.md index 196f6b2b7..e5c0fdc8c 100644 --- a//AmazonS3/latest/userguide/enable-server-access-logging.md +++ b//AmazonS3/latest/userguide/enable-server-access-logging.md @@ -40,17 +40 @@ To grant permissions to Amazon S3 for log delivery, you can use either a bucket -If the destination bucket uses SSE-KMS default encryption, you must also grant the logging service principal (`logging.s3.amazonaws.com`) the `kms:GenerateDataKey` and `kms:Decrypt` permissions in your AWS KMS key policy. The following example shows the required AWS KMS key policy statement: - - - { - "Sid": "Allow S3 logging service to use the KMS key", - "Effect": "Allow", - "Principal": { - "Service": "logging.s3.amazonaws.com" - }, - "Action": [ - "kms:GenerateDataKey", - "kms:Decrypt" - ], - "Resource": "*" - } - -If you don't grant these permissions, Amazon S3 might deliver log objects that are encrypted with a key that you can't access, or log delivery might fail. +Granting `s3:PutObject` to the logging service principal is not sufficient if the destination bucket uses SSE-KMS default encryption. The destination bucket must use Amazon S3 managed keys (SSE-S3). If the destination bucket uses SSE-KMS, Amazon S3 might deliver log objects that are encrypted with a key that you can't access.