
Preventing unintended encryption of Amazon S3 objects

Security Blog



AWS has identified an increase in unauthorized encryption activities targeting Amazon S3 buckets using server-side encryption with customer-provided keys (SSE-C). Malicious actors with valid credentials are re-encrypting customer data, potentially compromising data integrity.

AWS recommends four security best practices to mitigate risks:

  • Block SSE-C encryption if not required by applications
  • Implement data recovery procedures like S3 versioning and backups
  • Monitor AWS resources for unexpected access patterns
  • Use short-term credentials instead of long-term credentials

AWS has implemented automatic mitigations to prevent unauthorized encryption, but recommends customers actively protect their S3 resources through proactive security measures.
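One way to apply and audit the first recommendation, as an added example that is not taken from this page or from the AWS article: a bucket policy statement that denies uploads requesting SSE-C, and a conservative check that an existing policy contains it. The bucket name, account ID, role, `Sid` and function names are constructed for illustration; the condition key is the documented S3 key for the SSE-C algorithm header.

```python
import json

# Documented S3 condition key that is present when a request carries SSE-C headers.
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

def deny_ssec_statement(bucket):
    """Bucket policy statement denying PutObject whenever SSE-C is requested."""
    return {
        "Sid": "DenySSECUploads",  # constructed name
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        # Null=false matches requests in which the key is present.
        "Condition": {"Null": {SSEC_KEY: "false"}},
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def blocks_ssec(policy_json, bucket):
    """Conservative audit: True only for a Deny on PutObject whose sole condition
    is the SSE-C check and that covers all principals and all objects."""
    resource = f"arn:aws:s3:::{bucket}/*"
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        if resource not in _as_list(stmt.get("Resource", [])):
            continue
        cond = stmt.get("Condition", {})
        if list(cond) != ["Null"]:  # extra operators narrow the deny
            continue
        null = {k.lower(): str(v).lower() for k, v in cond["Null"].items()}
        if null == {SSEC_KEY: "false"}:
            return True
    return False

# Constructed sample policies for a hypothetical bucket "example-bucket".
HARDENED = json.dumps({"Version": "2012-10-17",
                       "Statement": [deny_ssec_statement("example-bucket")]})
NARROWED = json.loads(HARDENED)
NARROWED["Statement"][0]["Condition"]["StringNotEquals"] = {
    "aws:PrincipalArn": "arn:aws:iam::111122223333:role/example-role"}
NARROWED = json.dumps(NARROWED)
```

The check reports `NARROWED` as unprotected because the extra condition exempts one role from the deny, which is the kind of gap a policy review should surface.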


