The problem
I have a service control policy (SCP) on my AWS account which prevents uploads to S3 buckets that do not specify an AWS-native encryption mechanism. I would like to configure the aws_s3 integration such that uploads are performed using server-side encryption with Amazon S3 managed keys (SSE-S3).
What version of Home Assistant Core has the issue?
core-2025.5.3
What was the last working version of Home Assistant Core?
No response
What type of installation are you running?
Home Assistant OS
Integration causing the issue
aws_s3
Link to integration documentation on our website
https://www.home-assistant.io/integrations/aws_s3
Diagnostics information
No response
Example YAML snippet
Anything in the logs that might be useful for us?
Logger: homeassistant.components.backup
Source: components/backup/manager.py:575
integration: Backup (documentation, issues)
First occurred: 5:50:33 PM (1 occurrence)
Last logged: 5:50:33 PM
Unexpected error for aws_s3.01JWMDPKYMSFPMJ9M4XZKH6XMT: An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: User: arn:aws:iam::XXXXXXX:user/redacted-backup-user is not authorized to perform: s3:PutObject on resource: "arn:aws:s3:::redacted-bucket-name/Automatic_backup_2025.5.3_2025-05-31_17.50_22114348.tar" with an explicit deny in a service control policy
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/backup/manager.py", line 575, in upload_backup_to_agent
    await self.backup_agents[agent_id].async_upload_backup(
    ...<2 lines>...
    )
  File "/usr/src/homeassistant/homeassistant/components/aws_s3/backup.py", line 138, in async_upload_backup
    await self._upload_multipart(tar_filename, open_stream)
  File "/usr/src/homeassistant/homeassistant/components/aws_s3/backup.py", line 186, in _upload_multipart
    multipart_upload = await self._client.create_multipart_upload(
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    ...<2 lines>...
    )
    ^
  File "/usr/local/lib/python3.13/site-packages/aiobotocore/client.py", line 412, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: User: arn:aws:iam::XXXXXXX:user/redacted-backup-user is not authorized to perform: s3:PutObject on resource: "arn:aws:s3:::redacted-bucket-name/Automatic_backup_2025.5.3_2025-05-31_17.50_22114348.tar" with an explicit deny in a service control policy
Additional information
The service control policy (SCP) I have on my account looks similar to this one from the S3 documentation:
{
  "Effect": "Deny",
  "Action": "s3:PutObject",
  "Resource": "*",
  "Condition": {
    "Null": {
      "s3:x-amz-server-side-encryption": "true"
    }
  }
}
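The following is an added example, not part of the original issue and not Home Assistant's code: a simplified model of how the SCP statement above evaluates against a CreateMultipartUpload request with and without the `ServerSideEncryption` parameter (`AES256` selects SSE-S3). The function names, bucket, and key are constructed for illustration, and only the `Null` condition operator is modelled.

```python
import fnmatch

# SCP statement quoted in the issue above.
SCP_STATEMENT = {
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Resource": "*",
    "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
}

# The log above shows CreateMultipartUpload being authorized as s3:PutObject.
API_TO_IAM_ACTION = {"PutObject": "s3:PutObject", "CreateMultipartUpload": "s3:PutObject"}

# Constructed sample requests (bucket and key are placeholders).
SAMPLE_ARN = "arn:aws:s3:::example-bucket/example-backup.tar"
PLAIN_PARAMS = {"Bucket": "example-bucket", "Key": "example-backup.tar"}
SSE_S3_PARAMS = {**PLAIN_PARAMS, "ServerSideEncryption": "AES256"}


def request_context(api_params):
    """Condition keys present on the request, derived from the API parameters."""
    context = {}
    if "ServerSideEncryption" in api_params:
        # The SDK sends this parameter as the x-amz-server-side-encryption header.
        context["s3:x-amz-server-side-encryption"] = api_params["ServerSideEncryption"]
    return context


def null_condition_matches(condition, context):
    """Null "true" matches when the key is absent, "false" when it is present."""
    return all(
        (key not in context) == (str(expected).lower() == "true")
        for key, expected in condition.get("Null", {}).items()
    )


def explicitly_denied(statement, operation, resource_arn, api_params):
    """True if this single Deny statement applies to the request (simplified)."""
    action = API_TO_IAM_ACTION[operation].lower()
    return (
        statement["Effect"] == "Deny"
        and fnmatch.fnmatchcase(action, statement["Action"].lower())
        and fnmatch.fnmatchcase(resource_arn, statement["Resource"])
        and null_condition_matches(statement["Condition"], request_context(api_params))
    )


if __name__ == "__main__":
    for label, params in (("no SSE parameter", PLAIN_PARAMS), ("SSE-S3", SSE_S3_PARAMS)):
        denied = explicitly_denied(SCP_STATEMENT, "CreateMultipartUpload", SAMPLE_ARN, params)
        print(f"{label}: {'explicit deny' if denied else 'not denied by this statement'}")
```

Because the `Null` operator tests only whether the key is present, a request that sets `ServerSideEncryption` to `aws:kms` also passes this statement.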