news: add entry for axoflow#127

Signed-off-by: Attila Szakacs <attila.szakacs@axoflow.com>
alltilla · Jun 4, 2024 · 92a6211 · 92a6211
1 parent 335d100
commit 92a6211
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/news/feature-127.md b/news/feature-127.md
@@ -0,0 +1,31 @@
+`s3()`: Introduced server side encryption related options
+
+`server-side-encryption()` and `kms-key()` can be used to configure encryption.
+
+Currently only `server-side-encryption("aws:kms")` is supported.
+The `kms-key()` should be:
+  * an ID of a key
+  * an alias of a key, but in that case you have to add the alias/prefix
+  * an ARN of a key
+
+To be able to use the aws:kms encryption the AWS Role or User has to have the following
+permissions on the given key:
+  * `kms:Decrypt`
+  * `kms:Encrypt`
+  * `kms:GenerateDataKey`
+
+Check [this](https://repost.aws/knowledge-center/s3-large-file-encryption-kms-key) page on why the `kms:Decrypt` is mandatory.
+
+Example config:
+```
+destination d_s3 {
+  s3(
+    bucket("log-archive-bucket")
+    object-key("logs/syslog")
+    server-side-encryption("aws:kms")
+    kms-key("alias/log-archive")
+  );
+};
+```
+
+See the [S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) documentation for more details.