Skip to content

docs/s3: Add notes about upcoming SSE-C encryption policy changes #45161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
YakDriver merged 2 commits into from
Nov 20, 2025
Merged

docs/s3: Add notes about upcoming SSE-C encryption policy changes #45161

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d1a9b84
docs/s3: Add notes about upcoming SSE-C encryption policy changes
YakDriver Nov 20, 2025
6583c64
Add link
YakDriver Nov 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions website/docs/r/s3_bucket.html.markdown
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -265,6 +265,8 @@ The `sse_kms_encrypted_objects` configuration block supports the following argum

~> **NOTE:** Currently, changes to the `server_side_encryption_configuration` configuration of *existing* resources cannot be automatically detected by Terraform. To manage changes in encryption of an S3 bucket, use the `aws_s3_bucket_server_side_encryption_configuration` resource instead. If you use `server_side_encryption_configuration` on an `aws_s3_bucket`, Terraform will assume management over the encryption configuration for the S3 bucket, treating additional encryption changes as drift. For this reason, `server_side_encryption_configuration` cannot be mixed with the external `aws_s3_bucket_server_side_encryption_configuration` resource for a given S3 bucket.

~> **NOTE:** [Starting in March 2026](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-s3-c-encryption-setting-faq.html), Amazon S3 will automatically block server-side encryption with customer-provided keys (SSE-C) for all new buckets. The `blocked_encryption_types` argument is not available in this deprecated configuration block. Use the [`aws_s3_bucket_server_side_encryption_configuration`](/docs/providers/aws/r/s3_bucket_server_side_encryption_configuration.html) resource to manage this behavior for specific buckets.

The `server_side_encryption_configuration` configuration block supports the following argument:

* `rule` - (Required) Single object for server-side encryption by default configuration. (documented below)
Expand Down
2 changes: 2 additions & 0 deletions website/docs/r/s3_bucket_server_side_encryption_configuration.html.markdown
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ Provides a S3 bucket server-side encryption configuration resource.

~> **NOTE:** Destroying an `aws_s3_bucket_server_side_encryption_configuration` resource resets the bucket to [Amazon S3 bucket default encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html).

~> **NOTE:** Starting in March 2026, Amazon S3 will automatically block server-side encryption with customer-provided keys (SSE-C) for all new buckets. Use the `blocked_encryption_types` argument to manage this behavior. For more information, see the [SSE-C changes FAQ](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-s3-c-encryption-setting-faq.html).

## Example Usage

```terraform
Expand Down
Loading