diff --git a/doc/administration/audit_event_streaming/audit_event_types.md b/doc/administration/audit_event_streaming/audit_event_types.md
index fa89074ad53faf85dd113f783a540c98187ef935..b965daa35fe68420d409b5781b5df4e37a9e7785 100644
--- a/doc/administration/audit_event_streaming/audit_event_types.md
+++ b/doc/administration/audit_event_streaming/audit_event_types.md
@@ -56,6 +56,7 @@ Audit event types belong to the following product categories.
 | [`google_cloud_logging_configuration_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/122025) | Triggered when Google Cloud Logging configuration is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.1](https://gitlab.com/gitlab-org/gitlab/-/issues/409422) |
 | [`google_cloud_logging_configuration_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/122025) | Triggered when Google Cloud Logging configuration is updated| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.1](https://gitlab.com/gitlab-org/gitlab/-/issues/409422) |
 | [`instance_amazon_s3_configuration_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137651) | Triggered when instance Amazon S3 configuration for audit events streaming is created| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.7](https://gitlab.com/gitlab-org/gitlab/-/issues/423235) |
+| [`instance_amazon_s3_configuration_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138310) | Triggered when instance-level Amazon S3 configuration for audit events streaming is updated| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.7](https://gitlab.com/gitlab-org/gitlab/-/issues/423235) |
 | [`instance_google_cloud_logging_configuration_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130663) | Triggered when Instance level Google Cloud Logging configuration is created| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/423038) |
 | [`instance_google_cloud_logging_configuration_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131752) | Triggered when instance level Google Cloud Logging configuration is deleted.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/423040) |
 | [`instance_google_cloud_logging_configuration_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131790) | Triggered when instance level Google Cloud Logging configuration is updated.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/423039) |
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index c826994474326d21f3cc463d04f2b38096c6b7c9..a3711787b3c8efd2683f9a2ddcb8d3b1ca8ee2f5 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -1495,6 +1495,30 @@ Input type: `AuditEventsInstanceAmazonS3ConfigurationCreateInput`
 | <a id="mutationauditeventsinstanceamazons3configurationcreateerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
 | <a id="mutationauditeventsinstanceamazons3configurationcreateinstanceamazons3configuration"></a>`instanceAmazonS3Configuration` | [`InstanceAmazonS3ConfigurationType`](#instanceamazons3configurationtype) | Created instance Amazon S3 configuration. |
 
+### `Mutation.auditEventsInstanceAmazonS3ConfigurationUpdate`
+
+Input type: `AuditEventsInstanceAmazonS3ConfigurationUpdateInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationauditeventsinstanceamazons3configurationupdateaccesskeyxid"></a>`accessKeyXid` | [`String`](#string) | Access key ID of the Amazon S3 account. |
+| <a id="mutationauditeventsinstanceamazons3configurationupdateawsregion"></a>`awsRegion` | [`String`](#string) | AWS region where the bucket is created. |
+| <a id="mutationauditeventsinstanceamazons3configurationupdatebucketname"></a>`bucketName` | [`String`](#string) | Name of the bucket where the audit events would be logged. |
+| <a id="mutationauditeventsinstanceamazons3configurationupdateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationauditeventsinstanceamazons3configurationupdateid"></a>`id` | [`AuditEventsInstanceAmazonS3ConfigurationID!`](#auditeventsinstanceamazons3configurationid) | ID of the instance-level Amazon S3 configuration to update. |
+| <a id="mutationauditeventsinstanceamazons3configurationupdatename"></a>`name` | [`String`](#string) | Destination name. |
+| <a id="mutationauditeventsinstanceamazons3configurationupdatesecretaccesskey"></a>`secretAccessKey` | [`String`](#string) | Secret access key of the Amazon S3 account. |
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationauditeventsinstanceamazons3configurationupdateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationauditeventsinstanceamazons3configurationupdateerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
+| <a id="mutationauditeventsinstanceamazons3configurationupdateinstanceamazons3configuration"></a>`instanceAmazonS3Configuration` | [`InstanceAmazonS3ConfigurationType`](#instanceamazons3configurationtype) | Updated instance-level Amazon S3 configuration. |
+
 ### `Mutation.auditEventsStreamingDestinationEventsAdd`
 
 Input type: `AuditEventsStreamingDestinationEventsAddInput`
@@ -31497,6 +31521,12 @@ A `AuditEventsGoogleCloudLoggingConfigurationID` is a global ID. It is encoded a
 
 An example `AuditEventsGoogleCloudLoggingConfigurationID` is: `"gid://gitlab/AuditEvents::GoogleCloudLoggingConfiguration/1"`.
 
+### `AuditEventsInstanceAmazonS3ConfigurationID`
+
+A `AuditEventsInstanceAmazonS3ConfigurationID` is a global ID. It is encoded as a string.
+
+An example `AuditEventsInstanceAmazonS3ConfigurationID` is: `"gid://gitlab/AuditEvents::Instance::AmazonS3Configuration/1"`.
+
 ### `AuditEventsInstanceExternalAuditEventDestinationID`
 
 A `AuditEventsInstanceExternalAuditEventDestinationID` is a global ID. It is encoded as a string.
diff --git a/ee/app/graphql/ee/types/mutation_type.rb b/ee/app/graphql/ee/types/mutation_type.rb
index b5288431e0a2727e3ecd1df4b0c703061227221d..d6a6d65534f4c1346b7e5dddf49a4b3fa3551c3f 100644
--- a/ee/app/graphql/ee/types/mutation_type.rb
+++ b/ee/app/graphql/ee/types/mutation_type.rb
@@ -131,6 +131,7 @@ module MutationType
         mount_mutation ::Mutations::AuditEvents::AmazonS3Configurations::Delete
         mount_mutation ::Mutations::AuditEvents::AmazonS3Configurations::Update
         mount_mutation ::Mutations::AuditEvents::Instance::AmazonS3Configurations::Create
+        mount_mutation ::Mutations::AuditEvents::Instance::AmazonS3Configurations::Update
         mount_mutation ::Mutations::AuditEvents::Instance::GoogleCloudLoggingConfigurations::Create
         mount_mutation ::Mutations::Forecasting::BuildForecast, alpha: { milestone: '16.0' }
         mount_mutation ::Mutations::AuditEvents::Streaming::InstanceHeaders::Create
diff --git a/ee/app/graphql/mutations/audit_events/instance/amazon_s3_configurations/update.rb b/ee/app/graphql/mutations/audit_events/instance/amazon_s3_configurations/update.rb
new file mode 100644
index 0000000000000000000000000000000000000000..9a57067ffe8a15b1733a5655daf7e2c31190ed4e
--- /dev/null
+++ b/ee/app/graphql/mutations/audit_events/instance/amazon_s3_configurations/update.rb
@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module Mutations
+  module AuditEvents
+    module Instance
+      module AmazonS3Configurations
+        class Update < Base
+          graphql_name 'AuditEventsInstanceAmazonS3ConfigurationUpdate'
+
+          include ::Audit::Changes
+
+          COLUMNS_TO_AUDIT = [:access_key_xid, :secret_access_key, :bucket_name, :aws_region, :name].freeze
+
+          argument :id, ::Types::GlobalIDType[::AuditEvents::Instance::AmazonS3Configuration],
+            required: true,
+            description: 'ID of the instance-level Amazon S3 configuration to update.'
+
+          argument :name, GraphQL::Types::String,
+            required: false,
+            description: 'Destination name.'
+
+          argument :access_key_xid, GraphQL::Types::String,
+            required: false,
+            description: 'Access key ID of the Amazon S3 account.'
+
+          argument :secret_access_key, GraphQL::Types::String,
+            required: false,
+            description: 'Secret access key of the Amazon S3 account.'
+
+          argument :bucket_name, GraphQL::Types::String,
+            required: false,
+            description: 'Name of the bucket where the audit events would be logged.'
+
+          argument :aws_region, GraphQL::Types::String,
+            required: false,
+            description: 'AWS region where the bucket is created.'
+
+          field :instance_amazon_s3_configuration, ::Types::AuditEvents::Instance::AmazonS3ConfigurationType,
+            null: true,
+            description: 'Updated instance-level Amazon S3 configuration.'
+
+          def resolve(id:, access_key_xid: nil, secret_access_key: nil, bucket_name: nil, aws_region: nil, name: nil)
+            config = authorized_find!(id: id)
+            config_attributes = {
+              access_key_xid: access_key_xid,
+              secret_access_key: secret_access_key,
+              bucket_name: bucket_name,
+              aws_region: aws_region,
+              name: name
+            }.compact
+
+            if config.update(config_attributes)
+              audit_update(config)
+              { instance_amazon_s3_configuration: config, errors: [] }
+            else
+              { instance_amazon_s3_configuration: nil, errors: Array(config.errors) }
+            end
+          end
+
+          private
+
+          def audit_update(config)
+            COLUMNS_TO_AUDIT.each do |column|
+              audit_changes(
+                column,
+                as: column.to_s,
+                entity: Gitlab::Audit::InstanceScope.new,
+                model: config,
+                event_type: 'instance_amazon_s3_configuration_updated'
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/ee/config/audit_events/types/instance_amazon_s3_configuration_updated.yml b/ee/config/audit_events/types/instance_amazon_s3_configuration_updated.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ab8df42d0eecac107d561495872c09967251cd2d
--- /dev/null
+++ b/ee/config/audit_events/types/instance_amazon_s3_configuration_updated.yml
@@ -0,0 +1,9 @@
+---
+name: instance_amazon_s3_configuration_updated
+description: Triggered when instance-level Amazon S3 configuration for audit events streaming is updated
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/423235
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138310
+feature_category: audit_events
+milestone: '16.7'
+saved_to_database: true
+streamed: true
diff --git a/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/update_spec.rb b/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/update_spec.rb
index 9eed9da5579453c50c785bb49d065a96d47b888b..a81bbeefb56ddcfc4aa115df6f3ff99c842ff0c2 100644
--- a/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/update_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/update_spec.rb
@@ -7,7 +7,6 @@
 
   let_it_be_with_reload(:config) { create(:amazon_s3_configuration) }
   let_it_be(:group) { config.group }
-  # let_it_be(:owner) { create(:user) }
   let_it_be(:current_user) { create(:user) }
   let_it_be(:updated_access_key_xid) { 'AKIA1234RANDOM5678' }
   let_it_be(:updated_secret_access_key) { 'TEST/SECRET/XYZ/PQR' }
diff --git a/ee/spec/requests/api/graphql/mutations/audit_events/instance/amazon_s3_configurations/update_spec.rb b/ee/spec/requests/api/graphql/mutations/audit_events/instance/amazon_s3_configurations/update_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..a1b278d4ee28cac6402827c767a3afd6539bbaf9
--- /dev/null
+++ b/ee/spec/requests/api/graphql/mutations/audit_events/instance/amazon_s3_configurations/update_spec.rb
@@ -0,0 +1,152 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Update instance Amazon S3 configuration', feature_category: :audit_events do
+  include GraphqlHelpers
+
+  let_it_be_with_reload(:config) { create(:instance_amazon_s3_configuration) }
+  let_it_be(:current_user) { create(:admin) }
+  let_it_be(:updated_access_key_xid) { 'AKIA1234RANDOM5678' }
+  let_it_be(:updated_secret_access_key) { 'TEST/SECRET/XYZ/PQR' }
+  let_it_be(:updated_bucket_name) { 'test-rspec-bucket' }
+  let_it_be(:updated_aws_region) { 'us-east-2' }
+  let_it_be(:updated_destination_name) { 'updated_destination_name' }
+  let_it_be(:config_gid) { global_id_of(config) }
+
+  let(:mutation) { graphql_mutation(:audit_events_instance_amazon_s3_configuration_update, input) }
+  let(:mutation_response) { graphql_mutation_response(:audit_events_instance_amazon_s3_configuration_update) }
+
+  let(:input) do
+    {
+      id: config_gid,
+      accessKeyXid: updated_access_key_xid,
+      secretAccessKey: updated_secret_access_key,
+      bucketName: updated_bucket_name,
+      awsRegion: updated_aws_region,
+      name: updated_destination_name
+    }
+  end
+
+  subject(:mutate) { post_graphql_mutation(mutation, current_user: current_user) }
+
+  shared_examples 'a mutation that does not update the instance Amazon S3 configuration' do
+    it 'does not update the configuration' do
+      expect { mutate }.not_to change { config.reload.attributes }
+    end
+
+    it 'does not create audit event' do
+      expect { mutate }.not_to change { AuditEvent.count }
+    end
+  end
+
+  context 'when feature is licensed' do
+    before do
+      stub_licensed_features(external_audit_events: true)
+    end
+
+    context 'when current user is instance admin' do
+      before do
+        allow(Gitlab::Audit::Auditor).to receive(:audit)
+      end
+
+      it 'updates the configuration' do
+        mutate
+
+        config.reload
+
+        expect(config.access_key_xid).to eq(updated_access_key_xid)
+        expect(config.secret_access_key).to eq(updated_secret_access_key)
+        expect(config.bucket_name).to eq(updated_bucket_name)
+        expect(config.aws_region).to eq(updated_aws_region)
+        expect(config.name).to eq(updated_destination_name)
+      end
+
+      it 'audits the update' do
+        Mutations::AuditEvents::Instance::AmazonS3Configurations::Update::COLUMNS_TO_AUDIT.each do |column|
+          message = if column == :secret_access_key
+                      "Changed #{column}"
+                    else
+                      "Changed #{column} from #{config[column]} to #{input[column.to_s.camelize(:lower).to_sym]}"
+                    end
+
+          expected_hash = {
+            name: 'instance_amazon_s3_configuration_updated',
+            author: current_user,
+            scope: an_instance_of(Gitlab::Audit::InstanceScope),
+            target: config,
+            message: message
+          }
+
+          expect(Gitlab::Audit::Auditor).to receive(:audit).once.ordered.with(hash_including(expected_hash))
+        end
+
+        mutate
+      end
+
+      context 'when the fields are updated with existing values' do
+        let(:input) do
+          {
+            id: config_gid,
+            accessKeyXid: config.access_key_xid,
+            name: config.name
+          }
+        end
+
+        it 'does not audit the event' do
+          expect(Gitlab::Audit::Auditor).not_to receive(:audit)
+
+          mutate
+        end
+      end
+
+      context 'when no fields are provided for update' do
+        let(:input) do
+          {
+            id: config_gid
+          }
+        end
+
+        it_behaves_like 'a mutation that does not update the instance Amazon S3 configuration'
+      end
+
+      context 'when there is error while updating' do
+        before do
+          allow_next_instance_of(Mutations::AuditEvents::Instance::AmazonS3Configurations::Update) do |mutation|
+            allow(mutation).to receive(:authorized_find!).with(id: config_gid).and_return(config)
+          end
+
+          allow(config).to receive(:update).and_return(false)
+
+          errors = ActiveModel::Errors.new(config).tap { |e| e.add(:base, 'error message') }
+          allow(config).to receive(:errors).and_return(errors)
+        end
+
+        it 'does not update the configuration and returns the error' do
+          mutate
+
+          expect(mutation_response).to include(
+            'instanceAmazonS3Configuration' => nil,
+            'errors' => ['error message']
+          )
+        end
+      end
+    end
+
+    context 'when current user is not instance admin' do
+      let_it_be(:current_user) { create(:user) }
+
+      it_behaves_like 'a mutation on an unauthorized resource'
+      it_behaves_like 'a mutation that does not update the instance Amazon S3 configuration'
+    end
+  end
+
+  context 'when feature is unlicensed' do
+    before do
+      stub_licensed_features(external_audit_events: false)
+    end
+
+    it_behaves_like 'a mutation on an unauthorized resource'
+    it_behaves_like 'a mutation that does not update the instance Amazon S3 configuration'
+  end
+end