AWS AmazonS3 medium security documentation change
Summary
Added encryption behavior details for annotations: SSE-C encrypted objects don't support annotations, annotations inherit parent object encryption, and S3 Bucket Key support for SSE-KMS annotations.
Security assessment
Explicitly documents security limitations of SSE-C encryption and encryption inheritance rules for annotations. Clarifies security boundaries for encrypted metadata.
Diff
diff --git a/AmazonS3/latest/userguide/serv-side-encryption.md b/AmazonS3/latest/userguide/serv-side-encryption.md index 00c4455e9..5a61f54ba 100644 --- a//AmazonS3/latest/userguide/serv-side-encryption.md +++ b//AmazonS3/latest/userguide/serv-side-encryption.md @@ -52,0 +53,4 @@ With server-side encryption with customer-provided keys (SSE-C), you manage the +Objects encrypted with SSE-C do not support annotations. Attempting to add an annotation to an SSE-C encrypted object returns an error. For all other encryption types, annotations inherit the encryption configuration of the parent object. S3 Bucket Keys are supported for annotations on SSE-KMS encrypted objects. + +###### Note +