Amazon S3 starts rolling out new security best practice to new and existing buckets by default
As announced on November 19, 2025, Amazon S3 is now deploying a new default bucket security setting which will automatically disable server-side encryption with customer-provided keys (SSE-C) for all new general purpose buckets. For existing buckets in AWS accounts with no SSE-C encrypted objects, S3 will also disable SSE-C for all new write requests. For AWS accounts with SSE-C usage, S3 will not change the bucket encryption configuration on any of the existing buckets in those accounts. To learn more about this change, visit the S3 User Guide.
Amazon S3 will deploy this new default to both new and existing general purpose buckets in 37 AWS Regions including the AWS China and AWS GovCloud (US) Regions over the next few weeks.