AWS Security ChangesHomeSearch

AWS AmazonS3 high security documentation change

Service: AmazonS3 · 2026-06-07 · Security-related high

File: AmazonS3/latest/userguide/troubleshooting-server-access-logging.md

Summary

Updated troubleshooting guidance to require SSE-S3 encryption for destination buckets instead of SSE-KMS

Security assessment

Addresses same critical log accessibility issue as the previous file. Ensures users don't follow deprecated SSE-KMS configuration that could compromise audit capabilities.

Diff

diff --git a/AmazonS3/latest/userguide/troubleshooting-server-access-logging.md b/AmazonS3/latest/userguide/troubleshooting-server-access-logging.md
index 0bc3f64a9..9ea6765ff 100644
--- a//AmazonS3/latest/userguide/troubleshooting-server-access-logging.md
+++ b//AmazonS3/latest/userguide/troubleshooting-server-access-logging.md
@@ -64 +64 @@ If the destination bucket uses the Bucket owner enforced setting for Object Owne
-  * **If the destination bucket uses SSE-KMS, grant the logging service principal access to the AWS KMS key** – If the destination bucket uses SSE-KMS default encryption, you must grant the logging service principal (`logging.s3.amazonaws.com`) the `kms:GenerateDataKey` and `kms:Decrypt` permissions in your AWS KMS key policy. Otherwise, log objects might be created but encrypted with a key that you can't access, or log delivery might fail.
+  * **The destination bucket must use Amazon S3 managed keys (SSE-S3)** – If the destination bucket uses SSE-KMS default encryption, log objects might be created but encrypted with a key that you can't access.