Skip to content

s3lockout #45105

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Nov 19, 2025
Merged

s3lockout #45105

merged 12 commits into from
Nov 19, 2025
+147 −0

Conversation

@YakDriver
Copy link
Member

@YakDriver YakDriver commented Nov 17, 2025
edited
Loading

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Description

S3 Lockout introduces a new default security setting that blocks uploads using server-side encryption with customer-provided keys (SSE-C) for all new S3 buckets. Upload requests (PutObject, CopyObject, MultipartUpload) that specify SSE-C will now fail with HTTP 403 AccessDenied. This behavior is configurable through a new parameter in the PutBucketEncryption API.

Relations

Closes #0000

References

Output from Acceptance Testing

make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-s3lockout 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 20  -run=TestAccS3BucketServerSideEncryptionConfiguration -timeout 360m -vet=off
2025/11/19 15:28:02 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/19 15:28:02 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_Identity_Basic
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_Identity_Basic
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_Identity_RegionOverride
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_Identity_RegionOverride
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource_NoRefresh_NoChange
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource_NoRefresh_NoChange
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_basic
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_basic
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_blockedEncryptionTypes
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_blockedEncryptionTypes
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySEEByDefault_AES256
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySEEByDefault_AES256
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMS
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMS
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSDSSE
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSDSSE
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_UpdateSSEAlgorithm
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_UpdateSSEAlgorithm
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyARN
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyARN
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyID
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyID
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_BucketKeyEnabled
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_BucketKeyEnabled
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_BucketKeyEnabled
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_BucketKeyEnabled
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_migrate_noChange
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_migrate_noChange
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_migrate_withChange
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_migrate_withChange
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_Identity_Basic
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_UpdateSSEAlgorithm
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_BucketKeyEnabled
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_blockedEncryptionTypes
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySEEByDefault_AES256
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_BucketKeyEnabled
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_migrate_withChange
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMS
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSDSSE
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyARN
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource_NoRefresh_NoChange
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_basic
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_migrate_noChange
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_Identity_RegionOverride
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyID
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySEEByDefault_AES256 (25.68s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMS (30.08s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_basic (30.30s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSDSSE (30.35s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyARN (31.26s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyID (31.33s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_Identity_RegionOverride (33.90s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket (33.99s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_migrate_noChange (35.73s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_migrate_withChange (37.41s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_Identity_Basic (40.39s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_blockedEncryptionTypes (40.79s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_UpdateSSEAlgorithm (44.10s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_BucketKeyEnabled (44.20s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource_NoRefresh_NoChange (44.47s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_BucketKeyEnabled (44.97s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource (50.08s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/s3	56.435s

@YakDriver
Add support for S3 bucket blocked_encryption_types_list
4058545 
- Add blocked_encryption_types_list field to bucket server-side encryption configuration
- Support blocking SSE-C uploads (SSE-C) or unblocking all types (NONE)
- Add acceptance test for blocking/unblocking encryption types
- Update documentation with example usage
- Add replace directives for local AWS SDK Go v2 with S3 Lockout support
@YakDriver
Fix formatting in test
0bbd430
@YakDriver
s3: rename blocked_encryption_types_list to blocked_encryption_types
09d05fb 
Removes the '_list' suffix from the attribute name to follow Terraform's
convention of using plural names for list attributes without the suffix.
@YakDriver
s3: update test names to match renamed blocked_encryption_types attri…
55d00a4 
…bute
@YakDriver
s3: add changelog entry for blocked_encryption_types attribute
029cc22
@YakDriver
s3: fix blocked_encryption_types appearing in plan when empty
10b09ca 
Only set blocked_encryption_types in state when there are actual values
to prevent empty lists from appearing in the plan unexpectedly.
@YakDriver YakDriver requested a review from a team as a code owner November 17, 2025 21:39
@github-actions
Copy link
Contributor

github-actions bot commented Nov 17, 2025

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/s3 Issues and PRs that pertain to the s3 service. size/L Managed by automation to categorize the size of a PR. and removed prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. labels Nov 17, 2025
@github-actions github-actions bot added the size/M Managed by automation to categorize the size of a PR. label Nov 17, 2025
@YakDriver YakDriver marked this pull request as draft November 17, 2025 21:46
@YakDriver
Copy link
Member Author

YakDriver commented Nov 17, 2025

This is waiting for aws-sdk-go v2 s3 update that includes the new feature.

@ewbankkit
Copy link
Contributor

ewbankkit commented Nov 19, 2025
edited
Loading

Requires AWS SDK for Go v2 Release 2025-11-19: #45144.

@YakDriver YakDriver marked this pull request as ready for review November 19, 2025 20:30
@ewbankkit ewbankkit added the enhancement Requests to existing resources that expand the functionality or scope. label Nov 19, 2025
@YakDriver
Copy link
Member Author

YakDriver commented Nov 19, 2025

Thanks @ewbankkit 🎉

@ewbankkit ewbankkit self-assigned this Nov 19, 2025
@github-actions github-actions bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Nov 19, 2025
ewbankkit
ewbankkit approved these changes Nov 19, 2025
View reviewed changes
Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccS3BucketServerSideEncryptionConfiguration_' PKG=s3 ACCTEST_PARALLELISM=4
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 f-s3lockout 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/s3/... -v -count 1 -parallel 4  -run=TestAccS3BucketServerSideEncryptionConfiguration_ -timeout 360m -vet=off
2025/11/19 16:13:15 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/19 16:13:15 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_Identity_Basic
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_Identity_Basic
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_Identity_RegionOverride
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_Identity_RegionOverride
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource_NoRefresh_NoChange
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource_NoRefresh_NoChange
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_basic
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_basic
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_blockedEncryptionTypes
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_blockedEncryptionTypes
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySEEByDefault_AES256
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySEEByDefault_AES256
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMS
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMS
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSDSSE
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSDSSE
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_UpdateSSEAlgorithm
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_UpdateSSEAlgorithm
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyARN
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyARN
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyID
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyID
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_BucketKeyEnabled
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_BucketKeyEnabled
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_BucketKeyEnabled
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_BucketKeyEnabled
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_migrate_noChange
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_migrate_noChange
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_migrate_withChange
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_migrate_withChange
=== RUN   TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket
=== PAUSE TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_Identity_Basic
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_UpdateSSEAlgorithm
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_blockedEncryptionTypes
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMS
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMS (18.94s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSDSSE
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_Identity_Basic (30.44s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySEEByDefault_AES256
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_blockedEncryptionTypes (31.27s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_BucketKeyEnabled
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_UpdateSSEAlgorithm (34.29s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSDSSE (19.09s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_migrate_withChange
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySEEByDefault_AES256 (17.48s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_migrate_noChange
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_directoryBucket (21.27s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyID
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_migrate_withChange (25.26s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_BucketKeyEnabled
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_BucketKeyEnabled (33.98s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource_NoRefresh_NoChange
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_migrate_noChange (32.72s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_basic
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyID (29.14s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyARN
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_basic (28.98s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_BucketKeyEnabled (50.26s)
=== CONT  TestAccS3BucketServerSideEncryptionConfiguration_Identity_RegionOverride
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_ApplySSEByDefault_KMSWithMasterKeyARN (29.35s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource_NoRefresh_NoChange (60.59s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_Identity_RegionOverride (23.40s)
--- PASS: TestAccS3BucketServerSideEncryptionConfiguration_Identity_ExistingResource (53.73s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/s3	169.307s

@YakDriver YakDriver merged commit 4fb725a into main Nov 19, 2025
67 checks passed
@YakDriver YakDriver deleted the f-s3lockout branch November 19, 2025 22:39
@github-actions
Copy link
Contributor

github-actions bot commented Nov 19, 2025

Warning

This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions bot added this to the v6.22.0 milestone Nov 19, 2025
terraform-aws-provider bot pushed a commit that referenced this pull request Nov 19, 2025
Update CHANGELOG.md for #45105
546cd5a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ewbankkit ewbankkit ewbankkit approved these changes

@johnsonaj johnsonaj johnsonaj approved these changes

Assignees

@ewbankkit ewbankkit

Labels

documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. service/s3 Issues and PRs that pertain to the s3 service. size/L Managed by automation to categorize the size of a PR. size/M Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.

Projects

None yet

Milestone

v6.22.0

Development

Successfully merging this pull request may close these issues.

3 participants

@YakDriver @ewbankkit @johnsonaj