AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2026-06-19 · Security-related medium

File: AmazonS3/latest/userguide/serv-side-encryption.md

Summary

Added encryption behavior details for annotations: SSE-C encrypted objects don't support annotations, annotations inherit parent object encryption, and S3 Bucket Key support for SSE-KMS annotations.

Security assessment

Explicitly documents security limitations of SSE-C encryption and encryption inheritance rules for annotations. Clarifies security boundaries for encrypted metadata.

Diff

diff --git a/AmazonS3/latest/userguide/serv-side-encryption.md b/AmazonS3/latest/userguide/serv-side-encryption.md
index 00c4455e9..5a61f54ba 100644
--- a//AmazonS3/latest/userguide/serv-side-encryption.md
+++ b//AmazonS3/latest/userguide/serv-side-encryption.md
@@ -52,0 +53,4 @@ With server-side encryption with customer-provided keys (SSE-C), you manage the
+Objects encrypted with SSE-C do not support annotations. Attempting to add an annotation to an SSE-C encrypted object returns an error. For all other encryption types, annotations inherit the encryption configuration of the parent object. S3 Bucket Keys are supported for annotations on SSE-KMS encrypted objects.
+
+###### Note
+