SOS: Block SSE-C Encryption per Bucket

You can now block specific server-side encryption types on your SOS buckets, starting with SSE-C (Server-Side Encryption with Customer-Provided Keys).

When SSE-C is blocked on a bucket, any upload request that includes a customer-provided encryption key is rejected. This gives bucket owners a way to enforce their encryption policy at the bucket level, for example to ensure all objects use SSE-SOS so that data remains readable through replication and other server-side features that are incompatible with SSE-C.

Starting in 30 days, all newly created SOS buckets will have SSE-C blocked by default. Existing SSE-C encrypted objects will still remain accessible for retrieval. If you want to re-encrypt them, you will have to upload them again with the new settings configured. It is always possible to block or unblock SSE-C by updating your bucket’s SSE configuration.

For configuration details, refer to the SOS documentation.