Advanced notice: Amazon S3 to disable the use of SSE-C encryption by default for all new buckets and select existing buckets in April 2026
Storage Blog
This article announces that AWS will disable SSE-C (server-side encryption with customer-provided keys) by default for Amazon S3 buckets starting April 6, 2026.
- SSE-C will be disabled by default on all new S3 general purpose buckets
- SSE-C will be disabled on existing buckets in accounts with no SSE-C encrypted data
- Applications requiring SSE-C must explicitly enable it via the PutBucketEncryption API
- AWS KMS provides a superior alternative with granular access control and CloudTrail logging
- SSE-C lacks flexibility for sharing keys with other users, roles, or AWS services
- Client-side encryption is recommended for unique encryption requirements that SSE-KMS cannot meet
- Customers should audit current SSE-C usage and update automation scripts and CloudFormation templates
AWS is deprecating SSE-C in favor of SSE-KMS, which offers better security, auditability, and integration with AWS services. Customers using SSE-C must prepare for this change.
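One way to start the audit of automation scripts mentioned above is to search them for the request parameters that mark an SSE-C call. The following is an added example, not code from AWS or from the original article; the file names and contents in `SAMPLE_FILES` are constructed, and the function name is hypothetical.

```python
import re

# Markers of SSE-C use, grouped by the interface they belong to.
# "--sse aws:kms" and ServerSideEncryption=... are SSE-KMS/SSE-S3 and must not match.
SSE_C_PATTERNS = {
    "aws s3 (high-level CLI)": re.compile(r"--sse-c\b"),
    "aws s3api (CLI)": re.compile(
        r"--(?:copy-source-)?sse-customer-(?:algorithm|key)\b"),
    "SDK parameter": re.compile(
        r"\b(?:CopySource)?SSECustomer(?:Algorithm|Key(?:MD5)?)\b"),
    "HTTP header": re.compile(
        r"x-amz-(?:copy-source-)?server-side-encryption-customer-", re.I),
}


def find_sse_c_usage(files):
    """Return (path, line number, interface) for each line that uses SSE-C.

    `files` maps a path to the text of that file (hypothetical helper input).
    """
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for interface, pattern in SSE_C_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, lineno, interface))
    return findings


# Constructed sample input: three small automation files.
SAMPLE_FILES = {
    "deploy/upload.sh": (
        "#!/bin/sh\n"
        "aws s3 cp db.bak s3://example-bucket/db.bak"
        " --sse-c AES256 --sse-c-key fileb://key.bin\n"
        "aws s3 cp report.csv s3://example-bucket/report.csv --sse aws:kms\n"
    ),
    "jobs/export.py": (
        's3.put_object(Bucket=b, Key=k, Body=d, ServerSideEncryption="aws:kms")\n'
        's3.put_object(Bucket=b, Key=k, Body=d,'
        ' SSECustomerAlgorithm="AES256", SSECustomerKey=key)\n'
    ),
    "tools/fetch.sh": (
        'curl -H "X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256" "$URL"\n'
    ),
}

if __name__ == "__main__":
    for path, lineno, interface in find_sse_c_usage(SAMPLE_FILES):
        print(f"{path}:{lineno}: SSE-C via {interface}")
```

A static search like this only finds literal parameter names; code that builds request headers dynamically still needs to be reviewed by hand.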
Related articles
- Nov 20, 2025: Amazon S3 adds new bucket-level setting to standardize encryption types used in your buckets
- Apr 6, 2026: Amazon S3 starts rolling out new security best practice to new and existing buckets by default
- Dec 1, 2024: Amazon S3 adds new default data integrity protections
- Apr 16, 2025: Amazon S3 Tables now support server-side encryption using AWS KMS with customer-managed keys