
Support aws:kms encryption in the s3 destination #4920

Closed
@akunszt

Description


Description of the problem

We are using an S3 bucket to archive our logs. To avoid any accidental access to the logs (which can contain very sensitive information too) we are encrypting the S3 objects by using SSE-KMS. It is also a compliance requirement, so we can't turn this off.

Currently we are using Vector for this as syslog-ng does not support this.

Proposed solution

Add server-side-encryption() and kms-key() options to the s3 destination.

destination d_s3 {
    s3(
        bucket( "my_bucket" )
        object-key( "my_logs" )
        server-side-encryption( "aws:kms" )
        kms-key( "..." )
    )
};

For now, the server-side-encryption option should only accept aws:kms.

The kms-key could contain any of these (as these are supported in boto3, AFAIK):

  • ARN of a Customer managed KMS key.
  • An ID of a Customer managed KMS key.
  • An alias of a Customer managed KMS key.

Alternatives

Vector now fully supports this.

Additional context

There are multiple server-side encryption support possibilities when using S3. You can read about them at: https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html

It also could be helpful to check the awscli s3api reference at: https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html. Look for the --server-side-encryption and --ssekms-key-id options.

This FR is to support aws:kms and not about AES256 or aws:kms:dsse. Those can be added later easily too.
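As an added example (not part of this issue or of syslog-ng's code), the following shows how the two proposed options would map onto the S3 PutObject request headers that the awscli --server-side-encryption and --ssekms-key-id options set, how a kms-key() value can be checked against the three accepted forms at configuration time, and how the PutObject response can be checked to confirm the object really was encrypted with the intended key. Header names and key formats are AWS's; the helper names and the sample values are my own.

```python
import re

# PutObject headers set by the proposed options (same ones the awscli
# --server-side-encryption and --ssekms-key-id options populate).
SSE_HEADER = "x-amz-server-side-encryption"
KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"

# Only aws:kms is in scope for this request; AES256 and aws:kms:dsse are refused.
SUPPORTED_SSE = {"aws:kms"}

# The three kms-key() forms from the issue: key ID, key ARN, alias (and alias ARN).
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ALIAS = r"alias/[A-Za-z0-9/_-]+"
ARN_PREFIX = r"arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:"
KMS_KEY_FORMS = {
    "key-id": re.compile(rf"^{UUID}$"),
    "key-arn": re.compile(rf"^{ARN_PREFIX}key/{UUID}$"),
    "alias": re.compile(rf"^{ALIAS}$"),
    "alias-arn": re.compile(rf"^{ARN_PREFIX}{ALIAS}$"),
}


def classify_kms_key(value):
    """Return which accepted form a kms-key() value has, or None if it matches none."""
    for name, pattern in KMS_KEY_FORMS.items():
        if pattern.match(value):
            return name
    return None


def build_sse_headers(server_side_encryption, kms_key):
    """Translate the proposed destination options into PutObject request headers.

    Raises ValueError for anything the s3 destination should reject when the
    configuration is loaded, rather than at upload time.
    """
    if server_side_encryption not in SUPPORTED_SSE:
        raise ValueError(f"unsupported server-side-encryption: {server_side_encryption!r}")
    if classify_kms_key(kms_key) is None:
        raise ValueError(f"kms-key is not a KMS key ID, key ARN or alias: {kms_key!r}")
    return {SSE_HEADER: server_side_encryption, KMS_KEY_HEADER: kms_key}


def verify_put_response(response_headers, expected_key_arn):
    """Confirm S3 reports the object as SSE-KMS encrypted with the expected key.

    S3 echoes the key it actually used back in the response headers, so a
    configuration that passed an alias or bare ID can still be checked against
    the full key ARN the compliance requirement names.
    """
    return (response_headers.get(SSE_HEADER) == "aws:kms"
            and response_headers.get(KMS_KEY_HEADER) == expected_key_arn)
```

A constructed response such as `{"x-amz-server-side-encryption": "aws:kms", "x-amz-server-side-encryption-aws-kms-key-id": "<key ARN>"}` passes `verify_put_response`, while one missing either header (an unencrypted upload) does not.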
