Support encrypted CW log groups #4565

Open
HyperBrain opened this issue Dec 12, 2017 · 10 comments

@HyperBrain
Member

This is a Feature Proposal

Description

AWS just announced encrypted CW logstreams (by using KMS) on a log group basis. As soon as this is supported in CloudFormation it would be great to have the functionality available in Serverless, i.e. that you can select encryption per function and reference a KMS key.

Reference: https://aws.amazon.com/about-aws/whats-new/2017/12/amazon-cloudwatch-logs-now-supports-kms-encryption/

@MichaelMitchellM

Is there any update on this?

@et304383
Contributor

et304383 commented Oct 4, 2019

Damn, nearly 2 years later and not supported. :(

Edit: I suspect the reason it isn't present yet is because CloudFormation doesn't support this (STILL) and thus serverless cannot directly support it.

@medikoo
Contributor

medikoo commented Apr 21, 2020

Features that are not supported in CloudFormation can still be handled via Custom resources. It should no longer be considered a blocker.

PR is welcome

@mascah

mascah commented Jun 18, 2020

> Features that are not supported in CloudFormation can still be handled via Custom resources. It should no longer be considered a blocker.
>
> PR is welcome

FWIW, there is an open PR to add this to the CF provider, so ideally should be coming soon.

aws-cloudformation/aws-cloudformation-resource-providers-logs#27

Drives me a little nuts that Terraform has supported this since 2017...

@isaacl

isaacl commented Dec 14, 2020

FYI this is now live

@medikoo
Contributor

medikoo commented Dec 15, 2020

In light of that, we're open for PR. Still, first let's specify how it should be implemented (solved internally).

@rafaljanicki

Hi,

This issue is becoming more important with any kind of external policies enforced on the account. If we're not able to enable KMS on the log groups created by Serverless.com, we have to create the log groups manually or inherit them, e.g. from Terraform. That makes the whole setup much more complex, so adding a kmsKeyArn for logs would be a great improvement.

@pgrzesik
Contributor

pgrzesik commented Feb 8, 2022

Hello @rafaljanicki - thanks for reporting. At the moment there are no immediate plans for pushing this initiative forward as we're focusing on different priorities.

@rafaljanicki

Hey @pgrzesik, any news here? Or an idea of a workaround that is semi-automatic, i.e. doesn't involve writing separate policies for each log group?

@rafaljanicki

If one wants to tackle that issue, I've created a module for that: https://github.com/Kult-io/serverless-plugin-log-key-id
