S3 Buckets Get Hardened
AWS is rolling out default security settings for S3 buckets so new and existing buckets get safer defaults automatically, reducing common misconfiguration risk. The change aims to enforce best practices by default rather than relying on manual hardening. (x.com)
Amazon Web Services is quietly changing one of the easiest ways to make a storage mistake. Starting April 6, 2026, Amazon Simple Storage Service began disabling customer-provided encryption keys by default on all new general purpose buckets, and it is also applying that change to many existing buckets that do not already store data encrypted that way. (aws.amazon.com)

Amazon Simple Storage Service, usually called Amazon S3, is the part of Amazon Web Services that stores files, backups, logs, videos, and software packages. A bucket is the top-level container in Amazon S3, like a folder with its own lock, sharing rules, and encryption settings. (docs.aws.amazon.com)

Most Amazon S3 breaches do not come from attackers cracking encryption. Most come from someone leaving the wrong door open, like a bucket policy that grants public access or an old access control list that keeps working long after the team forgot it existed. (docs.aws.amazon.com)

Amazon has spent years trying to make those doors harder to leave open. In April 2023, Amazon S3 started automatically turning on Block Public Access and disabling access control lists for all new buckets, so new storage started with tighter rules before anyone clicked a setting. (aws.amazon.com)

Block Public Access is Amazon’s master safety switch for public exposure. When it is enabled, it overrides policies and permissions that would otherwise make a bucket or object readable by anyone on the internet. (docs.aws.amazon.com)

Access control lists are the older permission system in Amazon S3. Amazon now sets Object Ownership to “bucket owner enforced” by default on new buckets, which turns those lists off and makes the bucket policy the single place to decide who gets access. (docs.aws.amazon.com)

Encryption is the other half of the picture, but Amazon S3 already made that mostly automatic. All Amazon S3 buckets now have encryption configured by default, and new objects are automatically encrypted at rest with Amazon S3 managed keys unless a customer chooses another supported option. (docs.aws.amazon.com)

That is why this week’s change is narrower than it first sounds. Amazon is not announcing encryption for the first time; it is removing the default availability of one specific method, server-side encryption with customer-provided keys, where the customer sends the encryption key with each request instead of letting Amazon manage it. (aws.amazon.com)

Customer-provided keys give companies maximum control, but they also create more ways to fail. If an application loses the key, rotates it incorrectly, or sends the wrong headers, the data can become unreadable or uploads can break, which is why Amazon has been steering customers toward Amazon-managed keys and Amazon Web Services Key Management Service keys instead. (docs.aws.amazon.com)

Under the new rollout, every new general purpose bucket gets customer-provided key encryption disabled by default. Existing buckets are split into two groups: accounts with no customer-provided-key-encrypted objects get the safer default applied automatically, while accounts that already use that feature keep their current bucket encryption configuration unchanged. (docs.aws.amazon.com)

Amazon says the deployment started on April 6, 2026 and will finish over the next few weeks across 37 Amazon Web Services Regions, including the China Regions and GovCloud United States Regions. After the rollout reaches a Region, customers can still turn customer-provided key encryption back on for a bucket by calling the PutBucketEncryption application programming interface after bucket creation. (docs.aws.amazon.com 1) (docs.aws.amazon.com 2)

The pattern across all of these changes is simple: Amazon is moving bucket security from “available if you remember to configure it” to “on unless you deliberately opt out.” For teams running thousands of buckets across multiple accounts, that shift means fewer security reviews turn into scavenger hunts for one forgotten exception. (aws.amazon.com) (docs.aws.amazon.com)

The practical result is not that Amazon S3 becomes impossible to misconfigure. The practical result is that a new bucket created in a hurry in April 2026 starts with public access blocked, access control lists disabled, automatic encryption at rest enabled, and customer-provided key encryption turned off unless someone makes a conscious decision to change that. (aws.amazon.com) (docs.aws.amazon.com 1) (docs.aws.amazon.com 2) (docs.aws.amazon.com 3)
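The four defaults listed above are exactly what an older bucket may still lack, and checking them is the work the article says teams no longer have to do for new buckets. As an added example, not part of the original article and not AWS tooling, the following Python script audits a bucket against those four settings. It operates on dicts shaped like the boto3 responses to get_public_access_block, get_bucket_ownership_controls and get_bucket_encryption; the two sample buckets are constructed here so the script runs offline, and the BlockedEncryptionTypes / EncryptionType shape used for the customer-provided-key check is an assumed field name that should be verified against the current S3 API reference before relying on it.

```python
"""Audit an S3 bucket's posture against the new safer defaults.

Inputs are dicts shaped like the boto3 responses to get_public_access_block,
get_bucket_ownership_controls and get_bucket_encryption. In real use you would
fetch them with boto3 (passing None where the GET call raises because nothing
is configured); the sample buckets below are constructed so the script runs
offline.
"""

# The four flags that together make up S3 Block Public Access.
BPA_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

# Default-encryption algorithms that mean "encrypted at rest with AWS-managed
# or KMS keys" (SSE-S3, SSE-KMS, DSSE-KMS).
MANAGED_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}


def audit_bucket(name, public_access_block, ownership_controls, encryption):
    """Return a list of findings; an empty list means the bucket already
    matches the defaults AWS now applies to new general purpose buckets."""
    findings = []

    # 1. Block Public Access: all four flags must be on, otherwise a public
    #    policy or ACL can still expose the bucket.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    off = [flag for flag in BPA_FLAGS if not pab.get(flag, False)]
    if off:
        findings.append(f"{name}: Block Public Access incomplete (off: {', '.join(off)})")

    # 2. Object Ownership: BucketOwnerEnforced disables ACLs entirely, leaving
    #    the bucket policy as the single place access is decided.
    rules = (ownership_controls or {}).get("OwnershipControls", {}).get("Rules", [])
    ownership = rules[0].get("ObjectOwnership") if rules else None
    if ownership != "BucketOwnerEnforced":
        findings.append(f"{name}: ACLs still active (ObjectOwnership={ownership})")

    # 3. Default encryption: an AWS-managed or KMS algorithm must be configured.
    enc_rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        for rule in enc_rules
    }
    if not algorithms & MANAGED_ALGORITHMS:
        findings.append(f"{name}: no managed default encryption rule")

    # 4. SSE-C: report buckets where customer-provided keys are still allowed.
    #    ASSUMPTION: the BlockedEncryptionTypes / EncryptionType shape is an
    #    assumed field name; verify it against the current S3 API reference.
    blocked = set()
    for rule in enc_rules:
        blocked.update(rule.get("BlockedEncryptionTypes", {}).get("EncryptionType", []))
    if "SSE-C" not in blocked:
        findings.append(f"{name}: SSE-C (customer-provided keys) not blocked")

    return findings


def audit_all(buckets):
    """Run audit_bucket over {name: (pab, ownership, encryption)} and return
    only the buckets that have findings."""
    report = {}
    for name, (pab, own, enc) in buckets.items():
        findings = audit_bucket(name, pab, own, enc)
        if findings:
            report[name] = findings
    return report


# Constructed sample responses (not captured from a real account).
HARDENED = (
    {"PublicAccessBlockConfiguration": {flag: True for flag in BPA_FLAGS}},
    {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
    {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
        "BlockedEncryptionTypes": {"EncryptionType": ["SSE-C"]},
    }]}},
)

# A bucket created before the 2023 and 2026 default changes and never revisited.
LEGACY = (
    {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    {"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}},
    {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
)

SAMPLE_BUCKETS = {"new-bucket-2026": HARDENED, "old-logs-bucket": LEGACY}

if __name__ == "__main__":
    for bucket, lines in audit_all(SAMPLE_BUCKETS).items():
        for line in lines:
            print(line)
```

Run against the constructed data, the hardened bucket produces no findings and the legacy bucket produces three: two Block Public Access flags off, ACLs still active, and customer-provided keys still allowed. Passing None for a response (the equivalent of the GET call raising because nothing is configured) is treated as the setting being absent, which is the right conservative reading for an audit.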