Amazon S3 encrypts new objects by default

[ewbankkit]

Starting today, Amazon Simple Storage Service (Amazon S3) encrypts all new objects by default. Now, S3 automatically applies server-side encryption (SSE-S3) for each new object, unless you specify a different encryption option.

Announcement.
Blog post.

Relates #28353.

Once this new default server-side encryption capability is enabled in an account, this simple configuration

resource "aws_s3_bucket" "bucket" {
  bucket = "tf-test-bucket-5888573260763529678"
}

will show drift when terraform plan is run using Terraform AWS Provider v3.x and v2.x:

% make testacc TESTARGS='-run=TestAccS3Bucket_Basic_basic' PKG=s3
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/s3/... -v -count 1 -parallel 20  -run=TestAccS3Bucket_Basic_basic -timeout 180m
=== RUN   TestAccS3Bucket_Basic_basic
=== PAUSE TestAccS3Bucket_Basic_basic
=== CONT  TestAccS3Bucket_Basic_basic
    bucket_test.go:52: Step 1/2 error: After applying this test step, the plan was not empty.
        stdout:
        
        
        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
          ~ update in-place
        
        Terraform will perform the following actions:
        
          # aws_s3_bucket.bucket will be updated in-place
          ~ resource "aws_s3_bucket" "bucket" {
                id                          = "tf-test-bucket-5888573260763529678"
                # (11 unchanged attributes hidden)
        
              - server_side_encryption_configuration {
                  - rule {
                      - bucket_key_enabled = false -> null
        
                      - apply_server_side_encryption_by_default {
                          - sse_algorithm = "AES256" -> null
                        }
                    }
                }
        
                # (1 unchanged block hidden)
            }
        
        Plan: 0 to add, 1 to change, 0 to destroy.
--- FAIL: TestAccS3Bucket_Basic_basic (17.94s)

Practitioners using Terraform AWS Provider v4.x are not affected as the server_side_encryption_configuration argument is already Computed (as it has been deprecated).

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[ewbankkit]

Available in Terraform AWS Provider

• v4.49.0
• v3.76.1
• v2.70.2

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.