Support aws:kms encryption in the s3 destination #4920

Open
akunszt opened this issue Apr 24, 2024 · 0 comments

Comments


akunszt commented Apr 24, 2024

Description of the problem

We are using an S3 bucket to archive our logs. To avoid any accidental access to the logs (which can contain very sensitive information too) we are encrypting the S3 objects by using SSE-KMS. It is also a compliance requirement, so we can't turn this off.

Currently we are using Vector for this as syslog-ng does not support this.

Proposed solution

Add server-side-encryption() and kms-key() options to the s3 destination.

destination d_s3 {
    s3(
        bucket( "my_bucket" )
        object-key( "my_logs" )
        server-side-encryption( "aws:kms" )
        kms-key( "..." )
    )
};

The server-side-encryption should, for now, only accept aws:kms.

The kms-key could contain any of these (as these are supported in boto3 AFAIK):

  • ARN of a Customer managed KMS key.
  • An ID of a Customer managed KMS key.
  • An alias of a Customer managed KMS key.

Alternatives

Vector now fully supports this.

Additional context

There are multiple server-side encryption support possibilities when using S3. You can read about them at: https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html

It also could be helpful to check the awscli s3api reference at: https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html. Look for the --server-side-encryption and --ssekms-key-id options.

This FR is to support aws:kms and not about AES256 or aws:kms:dsse. Those can easily be added later too.
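As an added illustration of how the proposed options would map onto the boto3 call the issue refers to (this is example code written here, not syslog-ng's s3 destination and not the author's patch): the two syslog-ng options become the `ServerSideEncryption` and `SSEKMSKeyId` parameters of `put_object`, which are the boto3 names for the awscli `--server-side-encryption` and `--ssekms-key-id` flags. The key-format patterns, the function names and the sample response below are assumptions constructed for the example; the only value accepted for `server_side_encryption` is `aws:kms`, matching the request's scope. The `verify_sse_response` check is the part a defender would want: it confirms from the S3 response that the object was actually stored under SSE-KMS with the intended key rather than trusting the request alone.

```python
import re
from typing import Any, Dict, Optional

# Only aws:kms is in scope for this request; AES256 / aws:kms:dsse are rejected.
SUPPORTED_SSE = ("aws:kms",)

# Constructed patterns for the three key forms listed in the issue (assumption:
# an approximation of the formats KMS uses, not an authoritative validator).
_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:(key/[0-9a-f-]{36}|alias/[A-Za-z0-9/_-]+)$"
)
_KEY_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
_ALIAS_RE = re.compile(r"^alias/[A-Za-z0-9/_-]+$")


def classify_kms_key(kms_key: str) -> str:
    """Return 'arn', 'key-id' or 'alias' for a kms-key() value, else raise."""
    if _ARN_RE.match(kms_key):
        return "arn"
    if _KEY_ID_RE.match(kms_key):
        return "key-id"
    if _ALIAS_RE.match(kms_key):
        return "alias"
    raise ValueError(f"kms-key() is not a KMS ARN, key ID or alias: {kms_key!r}")


def build_put_object_args(
    bucket: str,
    key: str,
    body: bytes,
    server_side_encryption: Optional[str] = None,
    kms_key: Optional[str] = None,
) -> Dict[str, Any]:
    """Translate the proposed syslog-ng options into boto3 put_object kwargs.

    Mirrors the request: server-side-encryption() selects the mode and
    kms-key() selects the key. kms-key() without a mode is a config error;
    aws:kms without kms-key() lets S3 fall back to the AWS-managed aws/s3 key.
    """
    args: Dict[str, Any] = {"Bucket": bucket, "Key": key, "Body": body}
    if server_side_encryption is None:
        if kms_key is not None:
            raise ValueError("kms-key() requires server-side-encryption(\"aws:kms\")")
        return args
    if server_side_encryption not in SUPPORTED_SSE:
        raise ValueError(
            f"server-side-encryption({server_side_encryption!r}) is not supported; "
            f"expected one of {SUPPORTED_SSE}"
        )
    args["ServerSideEncryption"] = server_side_encryption
    if kms_key is not None:
        classify_kms_key(kms_key)  # fail fast on a malformed key before any upload
        args["SSEKMSKeyId"] = kms_key
    return args


def verify_sse_response(response: Dict[str, Any], expected_key: Optional[str] = None) -> bool:
    """Check that a put_object response reports SSE-KMS (and, if given, the key).

    S3 echoes ServerSideEncryption and SSEKMSKeyId in the response; the echoed
    key is always the full key ARN, so an alias or bare ID is matched by suffix.
    """
    if response.get("ServerSideEncryption") != "aws:kms":
        return False
    if expected_key is None:
        return True
    used = response.get("SSEKMSKeyId", "")
    if classify_kms_key(expected_key) == "arn":
        return used == expected_key
    return used.endswith("/" + expected_key) or used == expected_key


if __name__ == "__main__":
    # Constructed config values matching the proposal in the issue.
    args = build_put_object_args(
        "my_bucket", "my_logs", b"<log data>", "aws:kms", "alias/my-logs"
    )
    print(args)
    # In the real destination the upload would be:
    #   import boto3
    #   resp = boto3.client("s3").put_object(**args)
    #   assert verify_sse_response(resp, "alias/my-logs")
```

Usage: the destination would build the kwargs once from its parsed options and pass them to `boto3.client("s3").put_object(**args)`; rejecting an unsupported mode or malformed key at config-parse time avoids silently uploading unencrypted objects when an operator mistypes an option.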

akunszt added a commit to akunszt/syslog-ng that referenced this issue May 10, 2024
Adding the server-side-encryption() and kms-key() options to the s3()
destination.

The server-side-encryption() supports only aws:kms at the moment.

Fixes syslog-ng#4920.

Signed-off-by: Arpad Kunszt <akunszt@hiya.com>