- Bug
- Resolution: Unresolved
- 4.22.0
AWS is changing default behavior for S3 buckets (with customer managed keys). We need to check whether these changes will affect us and if action is needed.
Specifically, we need to check whether we allow customer managed keys to encrypt bootstrap ignition and whether this change affects those.
Here's the relevant email, which includes links with more info:
Starting on April 6, 2026, we will be changing how [server-side encryption with customer-provided keys (SSE-C)|https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html] is enabled for [Amazon S3|https://aws.amazon.com/s3/] buckets. With this change, SSE-C will be disabled by default on all new S3 general purpose buckets. Furthermore, SSE-C will also be disabled for all existing buckets in Amazon Web Services (AWS) Accounts that do not have any SSE-C encrypted data. This change will start on April 6, 2026 and will be rolled out to all [AWS Regions|https://aws.amazon.com/about-aws/global-infrastructure/regions_az/] within weeks.
The following blog has more details about this change:
The AWS S3 Service team asked the account team to communicate this upcoming change to Red Hat, as we had a major issue last time with the OpenShift installer due to this S3 [change|https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/] in 2023.