Adding the server-side-encryption() and kms-key() options to the s3()
destination.
The server-side-encryption() supports only aws:kms at the moment.
Fixes syslog-ng#4920.
Signed-off-by: Arpad Kunszt <akunszt@hiya.com>
Description of the problem
We are using an S3 bucket to archive our logs. To avoid any accidental access to the logs (which can contain very sensitive information too) we are encrypting the S3 objects by using SSE-KMS. It is also a compliance requirement, so we can't turn this off.
Currently we are using Vector for this as syslog-ng does not support this.
Proposed solution
Add server-side-encryption() and kms-key() options to the s3 destination.
The server-side-encryption now should be only aws:kms.
The kms-key could contain any of these (as these are supported in boto3 AFAIK):
Alternatives
Vector now fully supports this.
Additional context
There are multiple server-side encryption support possibilities when using S3. You can read about them at: https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
It also could be helpful to check the awscli s3api reference at: https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html. Look for the --server-side-encryption and --ssekms-key-id options.
This FR is to support aws:kms and not about AES256 or aws:kms:dsse. Those can be added later easily too.
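The request above maps onto boto3's `put_object` parameters `ServerSideEncryption` and `SSEKMSKeyId`, the counterparts of the two awscli options. The following is an added example, not syslog-ng's or the issue author's code: it uploads with SSE-KMS and then audits, via `head_object`, that each archived object really carries `aws:kms` and the expected key. The bucket name, key ARN and the `FakeS3` stand-in are constructed placeholders, and the audit assumes the expected key is given in the form S3 reports back.

```python
"""Added example: SSE-KMS upload plus verification, using boto3's S3 parameter names."""

def put_encrypted(s3, bucket, key, body, kms_key):
    """Upload one object with SSE-KMS (boto3 form of --server-side-encryption / --ssekms-key-id)."""
    s3.put_object(Bucket=bucket, Key=key, Body=body,
                  ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key)

def audit_encryption(s3, bucket, keys, expected_kms_key):
    """Return {object key: reason} for objects not encrypted with the expected KMS key."""
    findings = {}
    for key in keys:
        head = s3.head_object(Bucket=bucket, Key=key)
        sse = head.get("ServerSideEncryption")
        if sse != "aws:kms":
            findings[key] = f"encryption is {sse!r}, expected 'aws:kms'"
        elif head.get("SSEKMSKeyId") != expected_kms_key:
            findings[key] = f"encrypted with unexpected key {head.get('SSEKMSKeyId')!r}"
    return findings

class FakeS3:
    """Constructed in-memory stand-in for a boto3 S3 client so the example runs offline."""
    def __init__(self):
        self.objects = {}
    def put_object(self, Bucket, Key, Body, **extra):
        # Without explicit SSE arguments, model a bucket that defaults to SSE-S3 (AES256).
        meta = {"ServerSideEncryption": extra.get("ServerSideEncryption", "AES256")}
        if "SSEKMSKeyId" in extra:
            meta["SSEKMSKeyId"] = extra["SSEKMSKeyId"]
        self.objects[(Bucket, Key)] = meta
    def head_object(self, Bucket, Key):
        return dict(self.objects[(Bucket, Key)])

# Constructed placeholder values, not taken from the issue.
KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
BUCKET = "example-log-archive"

def demo():
    s3 = FakeS3()  # swap for boto3.client("s3") to run against a real bucket
    put_encrypted(s3, BUCKET, "logs/a.log", b"line 1\n", KMS_KEY)
    s3.put_object(Bucket=BUCKET, Key="logs/b.log", Body=b"line 2\n")  # no SSE-KMS requested
    put_encrypted(s3, BUCKET, "logs/c.log", b"line 3\n", KMS_KEY + "-other")
    return audit_encryption(s3, BUCKET, ["logs/a.log", "logs/b.log", "logs/c.log"], KMS_KEY)

if __name__ == "__main__":
    for key, reason in demo().items():
        print(f"{key}: {reason}")
```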