Amazon S3 starts rolling out new security best practice to new and existing buckets by default
As announced on November 19, 2025, Amazon S3 is now deploying a new default bucket security setting which will automatically disable server-side encryption with customer-provided keys (SSE-C) for all new general purpose buckets. For existing buckets in Amazon Web Services accounts with no SSE-C encrypted objects, S3 will also disable SSE-C for all new write requests. For Amazon Web Services accounts with SSE-C usage, S3 will not change the bucket encryption configuration on any of the existing buckets in those accounts. To learn more about this change, visit the S3 User Guide.
Amazon S3 will deploy this new default to both new and existing general purpose buckets in 37 Amazon Web Services Regions, including the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD, over the next few weeks.