[FEATURE] Support zero-config KMS encryption for static-website. #49
Assignees
Labels
Comments
agdimech
added
feature-request
|
This can be resolved once this is implemented and we move to OAC. |
|
This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon. If you wish to exclude this issue from being marked as stale, add the "backlog" label. |
|
Closing this issue as it hasn't seen activity for a while. Please add a comment @mentioning a maintainer to reopen. If you wish to exclude this issue from being marked as stale, add the "backlog" label. |
agdimech
added a commit
that referenced
this issue
Nov 23, 2023
agdimech
added a commit
that referenced
this issue
Nov 23, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the feature
Cloudfront OAI does not currently support KMS encryption on buckets and as such a user needs to use S3_MANAGED encryption or follow this guide: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/.
Use Case
Highly regulated customers which mandate using customer managed keys i.e. banks.
Proposed Solution
A Lambda@Edge function will need to be associated to the distribution which will sign the request on OAI's behalf as per: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/.
This lambda must exist in us-east-1 and as such a custom resource will need to be created such that it can be created agnostic of the host region. This lambda will need to intercept origin requests to S3, sign the request using it's own credentials (s3 ro access + kms decrypt).
Other Information
No response
Acknowledgements
PDK version used
N/A
What languages will this feature affect?
Typescript, Java, Python
Environment details (OS name and version, etc.)
N/A
The text was updated successfully, but these errors were encountered: