AWS disables SSE-C by default
AWS has disabled customer-provided encryption keys (SSE-C) by default on new S3 buckets across 37 regions to reduce misconfiguration risks that can permanently lock data. The change is aimed at preventing situations where lost keys make data irretrievable. (x.com)
Amazon Web Services has started turning off server-side encryption with customer-provided keys by default on new Amazon S3 buckets. The rollout began April 6 and spans 37 Amazon Web Services regions over several weeks. (aws.amazon.com)

Amazon S3 is Amazon's object storage service, and server-side encryption means Amazon encrypts data after it reaches the service. With the customer-provided option, called server-side encryption with customer-provided keys, the customer must send the encryption key with every request and Amazon does not store that key. (docs.aws.amazon.com)

Amazon said the default change applies to all new general purpose buckets, and to existing buckets in accounts that do not already have any data encrypted with server-side encryption with customer-provided keys. Accounts that already use that feature keep their existing bucket settings unchanged. (aws.amazon.com)

The company said customers that still need the feature can turn it back on after bucket creation with the PutBucketEncryption application programming interface. Amazon also said teams may need to update automation scripts, CloudFormation templates, and other infrastructure tools to do that explicitly. (docs.aws.amazon.com)

Amazon framed the shift as a guardrail against permanent data loss. In its storage blog, the company said lost customer-provided keys can make objects encrypted with that method irretrievable, because Amazon cannot recover keys it never stores. (aws.amazon.com)

The move extends a broader Amazon S3 push toward safer defaults around encryption. Amazon S3 has automatically encrypted all new object uploads with Amazon S3-managed keys since January 2023, and bucket encryption is now enabled by default for new objects in buckets. (docs.aws.amazon.com) Amazon added the bucket-level control in November 2025, before making the default flip in April 2026. That earlier update let administrators block or allow the customer-provided key method through the same bucket encryption settings used in the console, command line tools, software development kits, and application programming interface. (aws.amazon.com)

For customers that want Amazon to manage keys but still need tighter access control, Amazon steers them to server-side encryption with Amazon Web Services Key Management Service instead. The new default does not remove the customer-provided option entirely, but it turns that path into an explicit opt-in instead of a silent default. (docs.aws.amazon.com)
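As an added example (not AWS code and not part of the original article), the following Python script does what the automation updates described above imply: it parses GetBucketEncryption responses to report which buckets still allow SSE-C, where a lost customer key would strand data, and builds the explicit PutBucketEncryption configuration that either re-enables or blocks SSE-C while preserving the bucket's existing default-encryption rule. It assumes the bucket-level control is the rule field `BlockedEncryptionTypes` with `EncryptionTypes: ["SSE-C"]`, that an empty list re-allows SSE-C, and that a bucket with no rules gets an AES256 default; all three should be checked against the current S3 API reference. The bucket names and configurations in the script are constructed samples, and the boto3 calls are only reached from the two live helper functions.

```python
"""Audit S3 buckets for the SSE-C bucket-level control and build the explicit
PutBucketEncryption configuration that automation now needs.

Added example, not AWS code. Assumption: the bucket-level control is the rule
field BlockedEncryptionTypes -> EncryptionTypes: ["SSE-C"], and an empty list
re-allows SSE-C. Verify against the current S3 API reference.
"""
from __future__ import annotations

import copy

SSE_C = "SSE-C"

# Constructed sample GetBucketEncryption responses (not real account data).
SAMPLE_BLOCKED = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
                "BucketKeyEnabled": False,
                "BlockedEncryptionTypes": {"EncryptionTypes": [SSE_C]},
            }
        ]
    }
}
SAMPLE_OPEN = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"},
                "BucketKeyEnabled": True,
            }
        ]
    }
}


def sse_c_allowed(response: dict) -> bool:
    """True when no rule in a GetBucketEncryption response blocks SSE-C."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        blocked = rule.get("BlockedEncryptionTypes", {}).get("EncryptionTypes", [])
        if SSE_C in blocked:
            return False
    return True


def buckets_allowing_sse_c(responses: dict[str, dict]) -> list[str]:
    """Names of buckets where a lost customer-provided key could still strand data."""
    return sorted(name for name, resp in responses.items() if sse_c_allowed(resp))


def set_sse_c(response: dict, allow: bool) -> dict:
    """Build the ServerSideEncryptionConfiguration value for PutBucketEncryption.

    The bucket's existing default-encryption settings are kept so the call does
    not silently drop them; only the SSE-C block is added or removed.
    """
    conf = copy.deepcopy(response.get("ServerSideEncryptionConfiguration", {}))
    rules = conf.setdefault("Rules", [])
    if not rules:
        # Assumption: fall back to the S3-managed-key default (AES256) that the
        # service has applied to new objects since January 2023.
        rules.append({"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}})
    for rule in rules:
        blocked = rule.get("BlockedEncryptionTypes", {}).get("EncryptionTypes", [])
        blocked = [t for t in blocked if t != SSE_C]
        if not allow:
            blocked.append(SSE_C)
        rule["BlockedEncryptionTypes"] = {"EncryptionTypes": blocked}
    return conf


def fetch_bucket_responses(region_name: str | None = None) -> dict[str, dict]:
    """Collect GetBucketEncryption responses for every bucket the caller owns.

    boto3 is imported lazily so the pure helpers above work without the SDK.
    Buckets homed in other regions may need a client for their own region.
    """
    import boto3

    s3 = boto3.client("s3", region_name=region_name)
    responses = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        responses[name] = s3.get_bucket_encryption(Bucket=name)
    return responses


def apply_sse_c_setting(bucket: str, allow: bool, region_name: str | None = None) -> None:
    """Explicit opt-in (allow=True) or block (allow=False) for one bucket."""
    import boto3

    s3 = boto3.client("s3", region_name=region_name)
    current = s3.get_bucket_encryption(Bucket=bucket)
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=set_sse_c(current, allow),
    )


if __name__ == "__main__":
    samples = {"logs-blocked": SAMPLE_BLOCKED, "data-lake-open": SAMPLE_OPEN}
    print("buckets still allowing SSE-C:", buckets_allowing_sse_c(samples))
    print("explicit opt-in config:", set_sse_c(SAMPLE_BLOCKED, allow=True))
```

Running the script offline exercises only the constructed samples; `fetch_bucket_responses` and `apply_sse_c_setting` are the pieces an inventory job or a CloudFormation custom resource would call against a real account. The audit side is the useful one for most teams: after the default flip, any bucket that `buckets_allowing_sse_c` still lists is one where the opt-in was made deliberately, or one that predates the change and deserves a review of how its customer-provided keys are escrowed.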