Support aws:kms encryption in the s3 destination #4920
akunszt added a commit to akunszt/syslog-ng that referenced this issue May 10, 2024
Adding the server-side-encryption() and kms-key() options to the s3() destination. The server-side-encryption() supports only aws:kms at the moment. Fixes syslog-ng#4920. Signed-off-by: Arpad Kunszt <[email protected]>
HofiOne pushed a commit to HofiOne/syslog-ng that referenced this issue Jun 10, 2024
Adding the server-side-encryption() and kms-key() options to the s3() destination. The server-side-encryption() supports only aws:kms at the moment. Fixes syslog-ng#4920. Signed-off-by: Arpad Kunszt <[email protected]>
Description of the problem
We are using an S3 bucket to archive our logs. To avoid any accidental access to the logs (which can contain very sensitive information too) we are encrypting the S3 objects by using SSE-KMS. It is also a compliance requirement, so we can't turn this off.
Currently we are using Vector for this as syslog-ng does not support this.
Proposed solution
Add server-side-encryption() and kms-key() options to the s3 destination.
The server-side-encryption now should be only aws:kms.
The kms-key could contain any of these (as these are supported in boto3 AFAIK):
Alternatives
Vector now fully supports this.
Additional context
There are multiple server-side encryption support possibilities when using S3. You can read about them at: https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
It also could be helpful to check the awscli s3api reference at: https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html. Look for the --server-side-encryption and --ssekms-key-id options.
This FR is to support aws:kms and not about AES256 or aws:kms:dsse. Those can be added later easily too.
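An added example, not part of the original issue or of syslog-ng's code: a Python audit that checks head_object() responses to confirm archived log objects carry SSE-KMS with the expected key, next to the boto3 put_object() arguments that correspond to the awscli options mentioned above. The key ARN, object keys and sample responses are constructed placeholders, and audit_bucket() assumes boto3 and AWS credentials are available.

```python
EXPECTED_SSE = "aws:kms"

def put_object_sse_args(kms_key=None):
    """put_object() kwargs requesting SSE-KMS (awscli: --server-side-encryption,
    --ssekms-key-id). With no key given, S3 uses the account's AWS managed key."""
    args = {"ServerSideEncryption": EXPECTED_SSE}
    if kms_key:
        args["SSEKMSKeyId"] = kms_key
    return args

def check_encryption(head, expected_key_arn):
    """Findings for one head_object() response; an empty list means compliant."""
    sse = head.get("ServerSideEncryption")
    if sse != EXPECTED_SSE:
        return [f"encryption is {sse or 'absent'}, expected {EXPECTED_SSE}"]
    if head.get("SSEKMSKeyId") != expected_key_arn:
        return [f"encrypted with unexpected key {head.get('SSEKMSKeyId')}"]
    return []

def audit_bucket(bucket, prefix, expected_key_arn):
    """Live audit; assumes boto3 and credentials. Not used by the sample run."""
    import boto3
    s3 = boto3.client("s3")
    report = {}
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix)
    for page in pages:
        for obj in page.get("Contents", []):
            head = s3.head_object(Bucket=bucket, Key=obj["Key"])
            findings = check_encryption(head, expected_key_arn)
            if findings:
                report[obj["Key"]] = findings
    return report

# Constructed sample head_object() responses; account and key ids are placeholders.
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLES = {
    "logs/a.log": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_ARN},
    "logs/b.log": {"ServerSideEncryption": "AES256"},
    "logs/c.log": {"ServerSideEncryption": "aws:kms",
                   "SSEKMSKeyId": KEY_ARN.replace("EXAMPLE", "OTHER")},
}

def audit_samples():
    results = {k: check_encryption(h, KEY_ARN) for k, h in SAMPLES.items()}
    return {k: f for k, f in results.items() if f}

if __name__ == "__main__":
    for key, findings in audit_samples().items():
        print(key, "->", "; ".join(findings))
```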