
feat(s3): add blockedEncryptionTypes field to s3.Bucket#37047

Merged
mergify[bot] merged 15 commits into aws:main from ysthakur:blocked-encryption-types
Mar 19, 2026

Conversation

Contributor

@ysthakur ysthakur commented Feb 21, 2026

Issue

Closes #36988.

Reason for this change

S3 recently added a new BlockedEncryptionTypes field to server-side encryption rules (docs). This field allows users to explicitly block or unblock SSE-C encryption on their bucket.

Users should be able to set this field through CDK. This will become especially important when SSE-C starts being blocked by default in April (blog post).

Description of changes

Added a blockedEncryptionTypes field to the L2 s3.Bucket construct.

  • If blockedEncryptionTypes is not set, behavior is the same as before. No default blockedEncryptionTypes value will be chosen (this is important: we want to let S3 choose what default to apply).
  • If blockedEncryptionTypes is set and encryptionType is BucketEncryption.UNENCRYPTED, a server-side encryption configuration will be added with just blockedEncryptionTypes
    • This happens even if bucketKeyEnabled is explicitly set. Please confirm that this is behavior you want. I went with it because bucketKeyEnabled is already ignored when encryptionType is BucketEncryption.UNENCRYPTED.

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Ran unit tests, added integ tests.

  • Verified that the MySsecBlockedBucket bucket has SSE-C blocked (and no default server-side encryption type explicitly set)
  • Verified that the MyKmsBucket bucket has no encryption types blocked

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
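The rendering rules the description lists above, as an added model in TypeScript (example code, not aws-cdk-lib's own source). The enum names `BucketEncryption`/`BlockedEncryptionType`, the `kmsKeyArn` prop and the CloudFormation property shapes are assumptions; the two bucket names come from the PR's integ tests.

```typescript
// Model of how the s3.Bucket described in this PR renders its CloudFormation
// BucketEncryption block. Assumed names and shapes; the construct's real
// internals may differ.

type BucketEncryption = "UNENCRYPTED" | "S3_MANAGED" | "KMS";
type BlockedEncryptionType = "SSE-C" | "NONE";

interface BucketProps {
  encryption?: BucketEncryption;                     // defaults to UNENCRYPTED
  bucketKeyEnabled?: boolean;
  blockedEncryptionTypes?: BlockedEncryptionType[];  // the new field
  kmsKeyArn?: string;                                // assumed prop, KMS only
}

interface SseRule {
  ServerSideEncryptionByDefault?: { SSEAlgorithm: string; KMSMasterKeyID?: string };
  BucketKeyEnabled?: boolean;
  BlockedEncryptionTypes?: string[];
}

interface BucketEncryptionCfn {
  ServerSideEncryptionConfiguration: SseRule[];
}

function renderBucketEncryption(props: BucketProps): BucketEncryptionCfn | undefined {
  const encryption = props.encryption ?? "UNENCRYPTED";
  const blocked = props.blockedEncryptionTypes;

  if (encryption === "UNENCRYPTED") {
    // No blocklist: render nothing, exactly as before the change.
    if (blocked === undefined) return undefined;
    // Blocklist only: a rule carrying just BlockedEncryptionTypes.
    // bucketKeyEnabled is ignored here, as it already was for UNENCRYPTED.
    return { ServerSideEncryptionConfiguration: [{ BlockedEncryptionTypes: [...blocked] }] };
  }

  const rule: SseRule = {
    ServerSideEncryptionByDefault: encryption === "S3_MANAGED"
      ? { SSEAlgorithm: "AES256" }
      : { SSEAlgorithm: "aws:kms", ...(props.kmsKeyArn ? { KMSMasterKeyID: props.kmsKeyArn } : {}) },
  };
  if (props.bucketKeyEnabled !== undefined) rule.BucketKeyEnabled = props.bucketKeyEnabled;
  // Deliberately no default: when unset, the key is omitted so S3 picks its own default.
  if (blocked !== undefined) rule.BlockedEncryptionTypes = [...blocked];
  return { ServerSideEncryptionConfiguration: [rule] };
}

// The two integ-test buckets named in the PR description, as constructed inputs.
function integTestBuckets(): Record<string, BucketEncryptionCfn | undefined> {
  return {
    MySsecBlockedBucket: renderBucketEncryption({ blockedEncryptionTypes: ["SSE-C"], bucketKeyEnabled: true }),
    MyKmsBucket: renderBucketEncryption({ encryption: "KMS", kmsKeyArn: "arn:aws:kms:us-east-1:111122223333:key/example" }),
  };
}
```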

@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Feb 21, 2026
* Encryption types that should be blocked for this bucket. Use `NONE` to allow all
* encryption types.
*
* @default - Amazon S3 determines which encryption types to block.
Contributor Author


Yes, this isn't a particularly helpful comment, but I wrote this because the default is going to change soon. Right now, no encryption types are blocked by default, but in April, SSE-C will start being blocked by default. When that happens, we can update this to say @default - SSE-C is blocked by default.

An alternative is to say @default - no encryption types are blocked, but SSE-C will start being blocked in April 2026, but putting times in doc comments feels wrong.

Contributor


Is there any documentation for this at the moment? Like a link we can add here so the users can see which types will be blocked by default by S3? If there is, you could add a

@see <LINK TO OFFICIAL DOC>

@ysthakur ysthakur marked this pull request as draft February 21, 2026 01:31
@ysthakur ysthakur marked this pull request as ready for review February 21, 2026 01:38
@ysthakur
Contributor Author

Any idea why the PR Linter workflow is failing with "Bad credentials"?

Contributor

github-actions bot commented Feb 21, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.


TestsPassed ✅SkippedFailed
Security Guardian Results24 ran24 passed
TestResult
No test annotations available

Contributor

github-actions bot commented Feb 21, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.


TestsPassed ✅SkippedFailed
Security Guardian Results with resolved templates24 ran24 passed
TestResult
No test annotations available

Collaborator

@aws-cdk-automation aws-cdk-automation left a comment


(This review is outdated)

@ysthakur ysthakur changed the title feat(aws-s3): Add blockedEncryptionTypes field to s3.Bucket feat(s3): add blockedEncryptionTypes field to s3.Bucket Feb 23, 2026
@aws-cdk-automation aws-cdk-automation dismissed their stale review February 23, 2026 16:33

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.


@nikhil1699 nikhil1699 left a comment


LGTM!

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Mar 2, 2026
@mergify mergify bot dismissed alvazjor’s stale review March 18, 2026 17:45

Pull request has been modified.

@alvazjor alvazjor added the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label Mar 19, 2026
@alvazjor alvazjor temporarily deployed to deployment-integ-test March 19, 2026 10:08 — with GitHub Actions Inactive
@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Mar 19, 2026
Contributor

mergify bot commented Mar 19, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Contributor

mergify bot commented Mar 19, 2026

Merge Queue Status

  • Entered queue 2026-03-19 11:29 UTC · Rule: default-squash
  • Checks started · in-place · dashboard
  • 🟠 Running checks
  • ⏳ Merge · ETA: 2026-03-19 16:34 UTC 🚀
Required conditions to merge
Required conditions to stay in the queue
  • -closed [📌 queue requirement]
  • -conflict [📌 queue requirement]
  • -draft [📌 queue requirement]
  • any of [📌 queue -> configuration change requirements]:
    • -mergify-configuration-changed
    • check-success = Configuration changed
  • any of [📌 queue requirement]:
    • check-neutral = Mergify Merge Protections
    • check-skipped = Mergify Merge Protections
    • check-success = Mergify Merge Protections
  • any of [🔀 queue conditions]:
    • all of [📌 queue conditions of queue default-squash]:
      • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
      • #approved-reviews-by>=1
      • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
      • #changes-requested-reviews-by=0
      • -approved-reviews-by~=author
      • -closed
      • -label~=(blocked|do-not-merge|no-squash|priority-pr)
      • -merged
      • -title~=(WIP|wip)
      • base!=release
      • check-success=build
      • check-success=validate-pr
      • any of:
        • -label~=pr/needs-integration-tests-deployment
        • check-success=Deploy integration test snapshots (requires pr/needs-integration-tests-deployment label)
      • any of [🛡 GitHub branch protection]:
        • check-success = validate-pr
        • check-neutral = validate-pr
        • check-skipped = validate-pr
      • any of [🛡 GitHub branch protection]:
        • check-success = build
        • check-neutral = build
        • check-skipped = build
    • all of [📌 queue conditions of queue default-merge]:
      • label~=no-squash
      • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
      • #approved-reviews-by>=1
      • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
      • #changes-requested-reviews-by=0
      • -approved-reviews-by~=author
      • -closed
      • -label~=(blocked|do-not-merge)
      • -merged
      • -title~=(WIP|wip)
      • check-success=build
      • check-success=validate-pr
      • any of:
        • -label~=pr/needs-integration-tests-deployment
        • check-success=Deploy integration test snapshots (requires pr/needs-integration-tests-deployment label)
      • any of [🛡 GitHub branch protection]:
        • check-success = validate-pr
        • check-neutral = validate-pr
        • check-skipped = validate-pr
      • any of [🛡 GitHub branch protection]:
        • check-success = build
        • check-neutral = build
        • check-skipped = build
    • all of [📌 queue conditions of queue priority-squash]:
      • label~=priority-pr
      • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
      • #approved-reviews-by>=1
      • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
      • #changes-requested-reviews-by=0
      • -approved-reviews-by~=author
      • -closed
      • -label~=(blocked|do-not-merge|no-squash)
      • -merged
      • -title~=(WIP|wip)
      • base!=release
      • check-success=build
      • check-success=validate-pr
      • any of:
        • -label~=pr/needs-integration-tests-deployment
        • check-success=Deploy integration test snapshots (requires pr/needs-integration-tests-deployment label)
      • any of [🛡 GitHub branch protection]:
        • check-success = validate-pr
        • check-neutral = validate-pr
        • check-skipped = validate-pr
      • any of [🛡 GitHub branch protection]:
        • check-success = build
        • check-neutral = build
        • check-skipped = build

@mergify mergify bot requested a deployment to deployment-integ-test March 19, 2026 16:04 Waiting
@alvazjor alvazjor removed the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label Mar 19, 2026
Contributor

mergify bot commented Mar 19, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 262e8a7 into aws:main Mar 19, 2026
28 of 30 checks passed
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 19, 2026
@ysthakur ysthakur deleted the blocked-encryption-types branch March 23, 2026 01:39

Development

Successfully merging this pull request may close these issues.

(aws-s3): Add blockedEncryptionTypes field to L2 s3.Bucket construct

5 participants