S3 ServerSideEncryption with KMS key ID #20537
Joey92
announced in
Approved Requests
Replies: 2 comments 1 reply
Makes sense to me! I see this as a small improvement on top of the existing feature rather than a big new feature, so let's do it :) Wanna open a PR to add that in?
1 reply
This feature request has been accepted and is queued to be implemented! You can follow along with the progress here: #20541
Summary
I would like to build on top of #15203. At my work we're forced to use customer-provided KMS keys to encrypt our data at rest in S3. So in order to CRUD the S3 bucket we need to provide the KMS key ID. Basically we'd have to add `SSEKMSKeyId` to the AWS SDK Commands in the S3 storage driver, e.g. here: https://github.com/directus/directus/blob/v10.8.2/packages/storage-driver-s3/src/index.ts#L172-L193

Basic Example
No response

Motivation
We would be able to handle more S3 KMS edge cases, which are often the norm in bigger companies.

Detailed Design
Add `SSEKMSKeyId` | `SSECustomerKey` to the `DriverS3Config` and use that when communicating with S3, if defined and `ServerSideEncryption == 'aws:kms'`.

Requirements List
Must Have:
`SSEKMSKeyId` and `SSECustomerKey` attribute in the AWS SDK CommandInputs when `ServerSideEncryption` is `'aws:kms'`
Could have:

Drawbacks
There are no drawbacks. We, and probably others, are barred from using the S3 storage driver due to KMS limitations.

Alternatives
The parameters we can provide to AWS are vast. Enabling the config to be dynamic, as in catching the extra config in a `...additionalConfig` and mapping them to their AWS SDK Command inputs as extra params. This way we can define our own attributes we can provide.

Adoption Strategy
There should be no breaking change since the extra config fields are optional. The AWS SDK would respond with "Access Denied" by default if the `SSEKMSKeyId` is required.

Unresolved Questions
No response
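The design above, as an added example that is not Directus code: a helper that builds the PutObject input the driver would hand to the AWS SDK, attaching `SSEKMSKeyId` only when `ServerSideEncryption` is `'aws:kms'` and rejecting a key ID configured without that mode. The config option name `serverSideEncryptionKmsKeyId` and the trimmed-down config/input interfaces are assumptions that mirror the relevant SDK v3 `PutObjectCommandInput` fields, so no SDK import is needed to run it.

```typescript
// Added example (not Directus code). Only the S3 request fields relevant to
// server-side encryption are modelled; the option name is an assumption.
type ServerSideEncryption = 'AES256' | 'aws:kms';

interface DriverS3ConfigSubset {
  bucket: string;
  serverSideEncryption?: ServerSideEncryption;
  serverSideEncryptionKmsKeyId?: string; // assumed new config option
}

// Mirrors the subset of PutObjectCommandInput that this example sets.
interface PutObjectInputSubset {
  Bucket: string;
  Key: string;
  Body: string | Uint8Array;
  ServerSideEncryption?: ServerSideEncryption;
  SSEKMSKeyId?: string;
}

function buildPutObjectInput(
  config: DriverS3ConfigSubset,
  key: string,
  body: string | Uint8Array,
): PutObjectInputSubset {
  const input: PutObjectInputSubset = { Bucket: config.bucket, Key: key, Body: body };
  const sse = config.serverSideEncryption;
  if (sse) {
    input.ServerSideEncryption = sse;
  }
  const kmsKeyId = config.serverSideEncryptionKmsKeyId;
  if (kmsKeyId) {
    // A KMS key ID is only meaningful with the 'aws:kms' mode. Fail locally on a
    // mismatch instead of sending S3 an inconsistent request that would either be
    // rejected or silently encrypted under a different key than the operator expects.
    if (sse !== 'aws:kms') {
      throw new Error(
        'serverSideEncryptionKmsKeyId requires serverSideEncryption to be "aws:kms"',
      );
    }
    input.SSEKMSKeyId = kmsKeyId;
  }
  return input;
}
```

Note that in the S3 API `SSECustomerKey` belongs to SSE-C (customer-provided keys sent with each request, together with `SSECustomerAlgorithm`), a separate mode that is not combined with `ServerSideEncryption: 'aws:kms'`, so this example covers only the KMS key ID path.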