# S3 SSE-C default-disable audit checklist (April 2026)

Anchors: [Default SSE-C FAQ](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-s3-c-encryption-setting-faq.html), [Blocking / unblocking SSE-C](https://docs.aws.amazon.com/AmazonS3/latest/userguide/blocking-unblocking-s3-c-encryption-gpb.html), [What's New Apr 2026](https://aws.amazon.com/about-aws/whats-new/2026/04/s3-default-bucket-security-setting/).

## Account scope

- [ ] Confirm whether **any** object in the account used SSE-C before April 2026 (if yes, existing buckets may still allow SSE-C writes).
- [ ] List all new buckets created after the rollout — they should show `BlockedEncryptionTypes` including `SSE-C` by default (37 regions; note Mid East Bahrain/UAE exclusions per FAQ).

## Discovery

- [ ] Query **S3 Inventory** for encryption metadata; filter `SSE-C`.
- [ ] CloudTrail data events: `PutObject` / Multipart with `x-amz-server-side-encryption-customer-algorithm`.
- [ ] Scan CI / SDKs for `SSECustomerKey`, `x-amz-server-side-encryption-customer-key`.

## Decide per workload

| Finding | Action |
|---------|--------|
| No SSE-C objects, no client headers | Leave blocked; document SSE-S3 / SSE-KMS default |
| Legacy readers still send SSE-C headers | Migrate to SSE-KMS **before** blocking; dual-write if needed |
| Regulatory "customer-held key" requirement | Prefer **SSE-KMS CMK** + key policy; unblock SSE-C only as last resort via `PutBucketEncryption` |
| New bucket still needs SSE-C | Create bucket, then **explicitly** clear block with `PutBucketEncryption` (`BlockedEncryptionTypes` → `NONE`) — never assume default allows SSE-C |

## Validation

- [ ] Attempt synthetic SSE-C `PutObject` → expect **403 AccessDenied** when blocked.
- [ ] Confirm existing SSE-C objects remain readable with customer key headers (`GetObject` / `HeadObject`).
- [ ] IAM: call sites need `s3:PutEncryptionConfiguration` to change block state.
