Skip to main content

AI & assistant-friendly summary

This section provides structured content for AI assistants and search engines. You can cite or summarize it when referencing this page.

Summary

After the April 2026 S3 default that blocks SSE-C on new buckets (and on existing buckets in accounts with zero SSE-C objects), a SaaS media platform (~2.4 PB, 418 buckets) found 11 legacy upload paths still sending customer-key headers — all failing 403 until migrated to SSE-KMS.

Key Facts

  • After the April 2026 S3 default that blocks SSE-C on new buckets (and on existing buckets in accounts with zero SSE-C objects), a SaaS media platform (~2
  • 4 PB, 418 buckets) found 11 legacy upload paths still sending customer-key headers — all failing 403 until migrated to SSE-KMS
  • New SSE-C uploads then fail with HTTP 403 AccessDenied unless you explicitly re-allow SSE-C via (What's New, FAQ, blocking guide)
  • First-party benchmark silhouette — SaaS media platform, ~2
  • 4 PB, 418 buckets, multi-account

Entity Definitions

S3
S3 is an AWS service discussed in this article.
Amazon S3
Amazon S3 is an AWS service discussed in this article.
IAM
IAM is an AWS service discussed in this article.
compliance
compliance is a cloud computing concept discussed in this article.

Amazon S3 SSE-C Default Disable (April 2026): Migration Playbook

Quick summary: After the April 2026 S3 default that blocks SSE-C on new buckets (and on existing buckets in accounts with zero SSE-C objects), a SaaS media platform (~2.4 PB, 418 buckets) found 11 legacy upload paths still sending customer-key headers — all failing 403 until migrated to SSE-KMS.

Key Takeaways

  • After the April 2026 S3 default that blocks SSE-C on new buckets (and on existing buckets in accounts with zero SSE-C objects), a SaaS media platform (~2
  • 4 PB, 418 buckets) found 11 legacy upload paths still sending customer-key headers — all failing 403 until migrated to SSE-KMS
  • New SSE-C uploads then fail with HTTP 403 AccessDenied unless you explicitly re-allow SSE-C via (What's New, FAQ, blocking guide)
  • First-party benchmark silhouette — SaaS media platform, ~2
  • 4 PB, 418 buckets, multi-account
Amazon S3 SSE-C Default Disable (April 2026): Migration Playbook
Table of Contents

In April 2026, Amazon S3 rolled out a default bucket security setting that disables SSE-C (server-side encryption with customer-provided keys) for all new general purpose buckets, and for existing buckets in accounts that had no SSE-C encrypted objects. New SSE-C uploads then fail with HTTP 403 AccessDenied unless you explicitly re-allow SSE-C via PutBucketEncryption (What’s New, FAQ, blocking guide).

This is the migration / audit playbook. It is not a remake of KMS CMK architecture.

Artifacts: audit checklist, CLI probe script, architecture diagram (draw.io).

First-party benchmark silhouetteSaaS media platform, ~2.4 PB, 418 buckets, multi-account. Inventory + CloudTrail scan after the April rollout found 11 upload paths (mobile SDK + 2 ETL jobs) still attaching SSE-C headers. Those paths began returning 403 on buckets that received the default block. Cutover to SSE-KMS CMKs cleared errors in 4 engineer-days; remaining SSE-C objects kept readable-with-key until a cold archive rewrite.

What changed (operator view)

Account state before April 2026Existing bucketsNew buckets
No SSE-C objects anywhereSSE-C writes blockedSSE-C blocked by default
Any SSE-C object in the accountConfig unchangedSSE-C blocked by default

When blocked, SSE-C on PutObject / CopyObject / PostObject / multipart / replication → 403. GetObject / HeadObject of existing SSE-C objects still require customer-key headers.

S3 SSE-C block default with SSE-KMS migration path

Figure: writers migrate from customer-provided keys to SSE-KMS; bucket encryption shows BlockedEncryptionTypes SSE-C; legacy objects remain readable with old keys until rewritten. Open draw.io

Opinionated recommendation

Do not re-enable SSE-C for net-new apps. Prefer SSE-KMS when you need key policy, audit, and cross-account grants; SSE-S3 when default protection is enough. Use SSE-C only as a dated exception with an owner and kill date.

SSE-C forces every reader/writer to possess the raw key — hostile to IAM roles, Lake Formation grants, and most AWS analytics services.

Audit sequence

  1. Account question — Did we ever store SSE-C objects? Inventory encryption columns + CloudTrail x-amz-server-side-encryption-customer-algorithm.
  2. Writer hunt — Grep for SSECustomerKey, customer algorithm headers, third-party “client-side key” wrappers that still speak SSE-C to S3.
  3. Bucket sampleget-bucket-encryption; look for BlockedEncryptionTypesSSE-C.
  4. Probe — intentional SSE-C PutObject should 403 when blocked (staging buckets only).
# Spot-check encryption config (AWS CLI v2)
aws s3api get-bucket-encryption \
  --bucket amzn-s3-demo-bucket \
  --region us-east-1

Reproduce this — Run audit-ssec-inventory.sh per critical bucket, then work the sse-c-audit-checklist.md with security + platform owners.

What broke — Day after rollout. A partner integrator still used SSE-C on a new logging bucket. Uploads returned 403 AccessDenied; on-call assumed IAM regression. Root cause: default BlockedEncryptionTypes. Fix: switched integrator to SSE-KMS; did not clear the block. Lesson: treat 403 + SSE-C headers as the new default, not an IAM mystery.

Explicit allow (exception path)

If you truly need SSE-C on a new bucket: create the bucket, then call PutBucketEncryption clearing the block (BlockedEncryptionTypesNONE per FAQ examples). Requires s3:PutEncryptionConfiguration. Document the exception and remove it when the writer migrates.

What to Do This Week

  1. Complete the account-level “any SSE-C objects?” scan.
  2. Ticket every upload path that still sets customer-key headers.
  3. Migrate those writers to SSE-KMS (or SSE-S3) in staging first.
  4. Confirm BlockedEncryptionTypes includes SSE-C on high-risk buckets.
  5. Add a CI check that fails if new code introduces SSE-C headers.

What This Post Doesn’t Cover

  • Client-side encryption SDKs that never used SSE-C headers (different model)
  • Full CMK rotation / key policy designKMS architecture
  • Macie classification of historical SSE-C objectsMacie + Detective
  • Directory buckets / S3 Express nuances — verify current docs for those API surfaces

We have not re-tested Middle East (Bahrain/UAE) exceptions after April 2026 — re-read the FAQ before assuming region behavior.

Related: Cloud security · Compliance services · KMS cost traps

PP
Palaniappan P

AWS Cloud Architect & AI Expert

AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.

AWS ArchitectureCloud MigrationGenAI on AWSCost OptimizationDevOps

Recommended Reading

Explore All Articles »
8 min

AWS KMS Encryption Architecture (2026): The Per-Tenant CMK Trap, the 10,000 req/s Shared Quota, and When AWS-Owned Keys Win

Most KMS guides stop at "enable encryption." The architecture decision that actually bites is the key boundary: split one CMK into 3,200 per-tenant keys and you pay ~$3,200/mo in key storage alone while still sharing a single 10,000 req/s symmetric quota. Here is the decision matrix, the throttle math, and the encryption-context pattern that gives per-tenant isolation without per-tenant keys.

8 min

Amazon Macie + Detective on AWS: Data Security Posture Management and Forensic Investigation in Production

Two AWS-native services that close the gap between "we have S3 buckets and security findings" and "we know where regulated data lives and how a threat moved through our environment." This guide covers production deployment of Macie for data-security posture management and Detective for forensic graph investigation, when each is worth the cost, and how to run them as a paired data-discovery + investigation pipeline.

5 min

Secure Cross-Account Data Sharing on AWS (2026): Lake Formation, LF-Tags, and Data Mesh Without Copying the Lake

Copying curated Parquet into every consumer account is how data platforms drown in storage cost and permission sprawl. On Feb 11, 2026 AWS shipped Lake Formation cross-account version 5 — wildcard RAM shares for hundreds of thousands of tables. A composite 12-account platform cut duplicate curated copies from 3 to 0 and dropped cross-account access tickets from ~11/month to ~3 by standardizing LF-Tags + resource links.