Commit eadfd3a

Merge pull request #45161 from hashicorp/d-s3-docs-encryption
docs/s3: Add notes about upcoming SSE-C encryption policy changes
2 parents 50d38e3 + 6583c64 commit eadfd3a

2 files changed

+4
-0
lines changed

website/docs/r/s3_bucket.html.markdown

Lines changed: 2 additions & 0 deletions
@@ -265,6 +265,8 @@ The `sse_kms_encrypted_objects` configuration block supports the following argum
265265

266266
~> **NOTE:** Currently, changes to the `server_side_encryption_configuration` configuration of *existing* resources cannot be automatically detected by Terraform. To manage changes in encryption of an S3 bucket, use the `aws_s3_bucket_server_side_encryption_configuration` resource instead. If you use `server_side_encryption_configuration` on an `aws_s3_bucket`, Terraform will assume management over the encryption configuration for the S3 bucket, treating additional encryption changes as drift. For this reason, `server_side_encryption_configuration` cannot be mixed with the external `aws_s3_bucket_server_side_encryption_configuration` resource for a given S3 bucket.
267267

268+
~> **NOTE:** [Starting in March 2026](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-s3-c-encryption-setting-faq.html), Amazon S3 will automatically block server-side encryption with customer-provided keys (SSE-C) for all new buckets. The `blocked_encryption_types` argument is not available in this deprecated configuration block. Use the [`aws_s3_bucket_server_side_encryption_configuration`](/docs/providers/aws/r/s3_bucket_server_side_encryption_configuration.html) resource to manage this behavior for specific buckets.
269+
268270
The `server_side_encryption_configuration` configuration block supports the following argument:
269271

270272
* `rule` - (Required) Single object for server-side encryption by default configuration. (documented below)
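
Review bot: The new note at line 268 sends readers to `aws_s3_bucket_server_side_encryption_configuration`, but the unchanged note directly above it (line 266) says the inline `server_side_encryption_configuration` block "cannot be mixed" with that resource for a given bucket. A reader who still uses the inline block has no way to follow the advice without first removing it, so the note should say so, for example: "To set `blocked_encryption_types`, remove this block and manage encryption with the standalone resource." Separately, the link text here is "Starting in March 2026" while the companion note in the other file links the same FAQ as "SSE-C changes FAQ"; using the descriptive link text in both places would be more consistent.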

website/docs/r/s3_bucket_server_side_encryption_configuration.html.markdown

Lines changed: 2 additions & 0 deletions
@@ -12,6 +12,8 @@ Provides a S3 bucket server-side encryption configuration resource.
1212

1313
~> **NOTE:** Destroying an `aws_s3_bucket_server_side_encryption_configuration` resource resets the bucket to [Amazon S3 bucket default encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html).
1414

15+
~> **NOTE:** Starting in March 2026, Amazon S3 will automatically block server-side encryption with customer-provided keys (SSE-C) for all new buckets. Use the `blocked_encryption_types` argument to manage this behavior. For more information, see the [SSE-C changes FAQ](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-s3-c-encryption-setting-faq.html).
16+
1517
## Example Usage
1618

1719
```terraform
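
Review bot: The note added at line 15 tells readers to "Use the `blocked_encryption_types` argument" without saying which block of this resource the argument belongs to or linking to its entry in the argument reference, and this hunk adds no example that sets it. Pointing to the argument's location, or adding a short example under Example Usage, would let a reader who depends on SSE-C act on the note directly. The note also covers only "all new buckets"; one more sentence on what Terraform does for existing buckets, or when the argument is omitted, would tell readers whether to expect a plan diff. The phrase "Starting in March 2026, Amazon S3 will" is also date-bound and will read as stale once the change has shipped, so consider wording that stays accurate afterwards.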
