diff --git a/.github/settings.yml b/.github/settings.yml
index 4326607..21f88c8 100644
--- a/.github/settings.yml
+++ b/.github/settings.yml
@@ -2,6 +2,6 @@
_extends: .github
repository:
name: terraform-aws-tfstate-backend
- description: Terraform module that provision an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption.
+ description: Terraform module that provisions an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption.
homepage: https://cloudposse.com/accelerate
topics: terraform, terraform-module, aws, tfstate, dynamodb, locking, aws-dynamodb, terraform-modules, dynamodb-table, s3-bucket, backend, terraform-state, remote-state, hcl2
diff --git a/README.md b/README.md
index 11b6672..af6947a 100644
--- a/README.md
+++ b/README.md
@@ -292,7 +292,7 @@ Available targets:
| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM replication role | `string` | `""` | no |
-| [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Prevent uploads of unencrypted objects to S3 | `bool` | `true` | no |
+| [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Enforce requirement to specify encryption key when uploading content to the S3 bucket.
The name of this variable is a little misleading. Since a default encryption key is created
for the bucket by this module, contents are always encrypted at rest.
Setting this variable to `true` (the default) will require that uploads to the bucket will need
to be initiated with a specific encryption key.
If this variable is set to `true` and an upload is attempted without specifying an encryption key
(including using the S3 Console), an "Access Denied" error will be thrown by AWS. | `bool` | `true` | no |
| [profile](#input\_profile) | AWS profile name as set in the shared credentials file | `string` | `""` | no |
| [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units when using provisioned mode | `number` | `5` | no |
| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
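Review bot: the new `prevent_unencrypted_uploads` cell says "will require that uploads to the bucket will need to be initiated with a specific encryption key", which doubles up "will require" and "will need"; suggest "Setting this variable to `true` (the default) requires that uploads to the bucket specify an encryption key." The identical text appears in `docs/terraform.md` and in the `variables.tf` heredoc in this same patch, so make the wording change in `variables.tf` and regenerate the two tables rather than editing them by hand.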
diff --git a/docs/terraform.md b/docs/terraform.md
index 8debad9..db21248 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -86,7 +86,7 @@
| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM replication role | `string` | `""` | no |
-| [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Prevent uploads of unencrypted objects to S3 | `bool` | `true` | no |
+| [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Enforce requirement to specify encryption key when uploading content to the S3 bucket.
The name of this variable is a little misleading. Since a default encryption key is created
for the bucket by this module, contents are always encrypted at rest.
Setting this variable to `true` (the default) will require that uploads to the bucket will need
to be initiated with a specific encryption key.
If this variable is set to `true` and an upload is attempted without specifying an encryption key
(including using the S3 Console), an "Access Denied" error will be thrown by AWS. | `bool` | `true` | no |
| [profile](#input\_profile) | AWS profile name as set in the shared credentials file | `string` | `""` | no |
| [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units when using provisioned mode | `number` | `5` | no |
| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
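Review bot: this hunk is byte-for-byte the same as the `README.md` hunk, which is expected for generated docs, but it means any follow-up wording fix to the `prevent_unencrypted_uploads` description must land in both files (or, better, in `variables.tf` with both tables regenerated), otherwise the two tables drift apart.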
diff --git a/variables.tf b/variables.tf
index ddd4fee..16021bb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -92,7 +92,15 @@ variable "restrict_public_buckets" {
variable "prevent_unencrypted_uploads" {
type = bool
default = true
- description = "Prevent uploads of unencrypted objects to S3"
+ description = <<-EOT
+ Enforce requirement to specify encryption key when uploading content to the S3 bucket.
+ The name of this variable is a little misleading. Since a default encryption key is created
+ for the bucket by this module, contents are always encrypted at rest.
+ Setting this variable to `true` (the default) will require that uploads to the bucket will need
+ to be initiated with a specific encryption key.
+ If this variable is set to `true` and an upload is attempted without specifying an encryption key
+ (including using the S3 Console), an "Access Denied" error will be thrown by AWS.
+ EOT
}
variable "profile" {
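Review bot: the new heredoc describes only the `true` case and never states what `false` does, which is the thing an operator relaxing the default most needs to know; since the text already says a default encryption key is created for the bucket, add a line after the "Access Denied" sentence such as "Setting this variable to `false` allows uploads that do not specify a key; such objects are still encrypted at rest with the bucket's default key." Also consider leading with that mechanism instead of "The name of this variable is a little misleading", so the description explains the behaviour rather than apologising for the name.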