Starting on April 6, 2026, we will be changing how server-side encryption with customer-provided keys (SSE-C) is enabled for Amazon S3 buckets. With this change, SSE-C will be disabled by default on all new S3 general purpose buckets. Furthermore, SSE-C will also be disabled for all existing buckets in Amazon Web Services (AWS) Accounts that do not have any SSE-C encrypted data. This change will start on April 6, 2026 and will be rolled out to all AWS Regions within weeks.
When this change has been rolled out to a Region, all new buckets in the Region will have SSE-C encryption disabled. With this change, the few applications that need SSE-C encryption must enable the use of SSE-C on the desired buckets through the PutBucketEncryption API and then continue to include the necessary SSE-C request headers to their PutObject requests. As a result of this change, you may need to update automation scripts, AWS CloudFormation templates, or other infrastructure…