Merge pull request hashicorp#45105 from hashicorp/f-s3lockout

s3lockout

Author: YakDriver

.changelog/45105.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_s3_bucket_server_side_encryption_configuration: Add `rule.blocked_encryption_types` argument
+```
+
+```release-note:note
+resource/aws_s3_bucket_server_side_encryption_configuration: Starting in March 2026, Amazon S3 will introduce a new default bucket security setting by automatically disabling server-side encryption with customer-provided keys (SSE-C) for all new buckets. Use the `blocked_encryption_types` argument to manage this behavior for specific buckets.
+```

internal/service/s3/bucket_server_side_encryption_configuration.go

@@ -74,6 +74,14 @@ func resourceBucketServerSideEncryptionConfiguration() *schema.Resource {
 								},
 							},
 						},
+						"blocked_encryption_types": {
+							Type:     schema.TypeList,
+							Optional: true,
+							Elem: &schema.Schema{
+								Type:             schema.TypeString,
+								ValidateDiagFunc: enum.Validate[types.EncryptionType](),
+							},
+						},
 						"bucket_key_enabled": {
 							Type:     schema.TypeBool,
 							Optional: true,
@@ -294,6 +302,10 @@ func expandServerSideEncryptionRules(l []any) []types.ServerSideEncryptionRule {
 			rule.ApplyServerSideEncryptionByDefault = expandServerSideEncryptionByDefault(v)
 		}
 
+		if v, ok := tfMap["blocked_encryption_types"].([]any); ok && len(v) > 0 {
+			rule.BlockedEncryptionTypes = expandBlockedEncryptionTypes(v)
+		}
+
 		if v, ok := tfMap["bucket_key_enabled"].(bool); ok {
 			rule.BucketKeyEnabled = aws.Bool(v)
 		}
@@ -314,6 +326,12 @@ func flattenServerSideEncryptionRules(rules []types.ServerSideEncryptionRule) []
 			m["apply_server_side_encryption_by_default"] = flattenServerSideEncryptionByDefault(rule.ApplyServerSideEncryptionByDefault)
 		}
 
+		if rule.BlockedEncryptionTypes != nil {
+			if flattened := flattenBlockedEncryptionTypes(rule.BlockedEncryptionTypes); flattened != nil {
+				m["blocked_encryption_types"] = flattened
+			}
+		}
+
 		if rule.BucketKeyEnabled != nil {
 			m["bucket_key_enabled"] = aws.ToBool(rule.BucketKeyEnabled)
 		}
@@ -339,3 +357,31 @@ func flattenServerSideEncryptionByDefault(sse *types.ServerSideEncryptionByDefau
 
 	return []any{m}
 }
+
+func expandBlockedEncryptionTypes(l []any) *types.BlockedEncryptionTypes {
+	if len(l) == 0 {
+		return nil
+	}
+
+	var encryptionTypes []types.EncryptionType
+	for _, v := range l {
+		encryptionTypes = append(encryptionTypes, types.EncryptionType(v.(string)))
+	}
+
+	return &types.BlockedEncryptionTypes{
+		EncryptionType: encryptionTypes,
+	}
+}
+
+func flattenBlockedEncryptionTypes(bet *types.BlockedEncryptionTypes) []any {
+	if bet == nil || len(bet.EncryptionType) == 0 {
+		return nil
+	}
+
+	var result []any
+	for _, et := range bet.EncryptionType {
+		result = append(result, string(et))
+	}
+
+	return result
+}

internal/service/s3/bucket_server_side_encryption_configuration_test.go

@@ -53,6 +53,47 @@ func TestAccS3BucketServerSideEncryptionConfiguration_basic(t *testing.T) {
 	})
 }
 
+func TestAccS3BucketServerSideEncryptionConfiguration_blockedEncryptionTypes(t *testing.T) {
+	ctx := acctest.Context(t)
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_s3_bucket_server_side_encryption_configuration.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.S3ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             acctest.CheckDestroyNoop,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBucketServerSideEncryptionConfigurationConfig_blockedEncryptionTypes(rName, `["SSE-C"]`),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckBucketServerSideEncryptionConfigurationExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, acctest.CtRulePound, "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.blocked_encryption_types.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.blocked_encryption_types.0", "SSE-C"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{
+					"rule.0.bucket_key_enabled",
+				},
+			},
+			{
+				Config: testAccBucketServerSideEncryptionConfigurationConfig_blockedEncryptionTypes(rName, `["NONE"]`),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckBucketServerSideEncryptionConfigurationExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, acctest.CtRulePound, "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.blocked_encryption_types.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rule.0.blocked_encryption_types.0", "NONE"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccS3BucketServerSideEncryptionConfiguration_ApplySEEByDefault_AES256(t *testing.T) {
 	ctx := acctest.Context(t)
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
@@ -634,6 +675,32 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "test" {
 `, rName, enabled)
 }
 
+func testAccBucketServerSideEncryptionConfigurationConfig_blockedEncryptionTypes(rName, blockedTypes string) string {
+	return fmt.Sprintf(`
+resource "aws_kms_key" "test" {
+  description             = "KMS Key for Bucket %[1]s"
+  deletion_window_in_days = 10
+}
+
+resource "aws_s3_bucket" "test" {
+  bucket = %[1]q
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "test" {
+  bucket = aws_s3_bucket.test.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.test.id
+      sse_algorithm     = "aws:kms"
+    }
+    bucket_key_enabled       = true
+    blocked_encryption_types = %[2]s
+  }
+}
+`, rName, blockedTypes)
+}
+
 func testAccBucketServerSideEncryptionConfigurationConfig_migrateNoChange(rName string) string {
 	return fmt.Sprintf(`
 resource "aws_s3_bucket" "test" {

website/docs/r/s3_bucket_server_side_encryption_configuration.html.markdown

@@ -36,6 +36,32 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
 }
 ```
 
+### Blocking SSE-C Uploads
+
+```terraform
+resource "aws_kms_key" "mykey" {
+  description             = "This key is used to encrypt bucket objects"
+  deletion_window_in_days = 10
+}
+
+resource "aws_s3_bucket" "mybucket" {
+  bucket = "mybucket"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
+  bucket = aws_s3_bucket.mybucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.mykey.arn
+      sse_algorithm     = "aws:kms"
+    }
+    bucket_key_enabled       = true
+    blocked_encryption_types = ["SSE-C"]
+  }
+}
+```
+
 ## Argument Reference
 
 This resource supports the following arguments:
@@ -50,6 +76,7 @@ This resource supports the following arguments:
 The `rule` configuration block supports the following arguments:
 
 * `apply_server_side_encryption_by_default` - (Optional) Single object for setting server-side encryption by default. [See below](#apply_server_side_encryption_by_default).
+* `blocked_encryption_types` - (Optional) List of server-side encryption types to block for object uploads. Valid values are `SSE-C` (blocks uploads using server-side encryption with customer-provided keys) and `NONE` (unblocks all encryption types). Starting in March 2026, Amazon S3 will automatically block SSE-C uploads for all new buckets.
 * `bucket_key_enabled` - (Optional) Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS.
 
 ### apply_server_side_encryption_by_default