Default SSE-C setting for new buckets FAQ - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Default SSE-C setting for new buckets FAQ

Important

Starting in April 2026, Amazon will disable server-side encryption with customer-provided keys (SSE-C) for all new buckets. In addition, SSE-C encryption will be disabled for all existing buckets in Amazon Web Services accounts that do not have any SSE-C encrypted data. With these changes, the few applications that need SSE-C encryption must deliberately enable the use SSE-C via the PutBucketEncryption API after creating the bucket. In these cases, you might need to update automation scripts, Amazon CloudFormation templates, or other infrastructure configuration tools to configure these settings. For more information, see the Amazon Storage Blog post.

The following sections answer questions about this update.

1. In April 2026, will the new SSE-C setting take effect for all newly created buckets?

Yes. During April 2026, the new default setting will gradually be rolled out across all Amazon Regions.

2. How long will it take before this rollout covers all Amazon Regions?

This update will take several weeks to roll out. We will publish a What's New post when we start to deploy this update.

3. How will I know that the update is complete?

You can easily determine if the change has completed in your Amazon Region by creating a new bucket and calling the GetBucketEncryption API operation to determine if SSE-C encryption is disabled. After the update is complete, all new general purpose buckets will automatically have SSE-C encryption disabled by default. You can adjust these settings after creating your S3 bucket by calling the PutBucketEncryption API operation.

4. Will Amazon S3 update my existing bucket configurations?

If your Amazon account does not have any SSE-C encrypted objects, Amazon will disable SSE-C encryption on all of your existing buckets. If any bucket in your Amazon account has SSE-C encrypted objects, Amazon will not change the bucket configurations on any of your buckets in that account. After the CreateBucket change is complete for your Amazon Region, the new default setting will apply to all new general purpose buckets.

5. Can I disable SSE-C encryption for my buckets before the update is complete?

Yes. You can disable SSE-C encryption for any bucket by calling the PutBucketEncryption API operation and specifying the new BlockedEncryptionTypes header.

6. Can I use SSE-C to encrypt data in my new buckets?

Yes. Most modern use cases in Amazon S3 no longer use SSE-C because it lacks the flexibility of server-side encryption is with Amazon S3 managed keys (SSE-S3) or server-side encryption with Amazon KMS keys (SSE-KMS). If you need to use SSE-C encryption in a new bucket, you can create the new bucket and then enable the use of SSE-C encryption in a separate PutBucketEncryption request.

Example


aws s3api create-bucket \  
bucket amzn-s3-demo-bucket \ 
region us-east-1 \ 
  
aws s3api put-bucket-encryption \  
-- bucket amzn-s3-demo-bucket \
-- server-side-encryption-configuration \
'{ \Rules\: [{   
   {   
   \ApplyServerSideEncryptionByDefault\: {   
     \SSEAlgorithm\: \AES256\,  
    },   
   \BlockedEncryptionTypes\: [  
     \EncryptionType\:\NONE\]   
   }   
   }]   
}'
Note

You must have the s3:PutEncryptionConfigurationpermission to call the PutBucketEncryption API.

7. How does blocking SSE-C affect requests to my bucket?

When SSE-C is blocked for a bucket, any PutObject, CopyObject, PostObject, or Multipart Upload or replication requests that specify SSE-C encryption will be rejected with an HTTP 403 AccessDenied error.