From 92a621186aa08ae4c87757b42479723854a1b061 Mon Sep 17 00:00:00 2001 From: Attila Szakacs Date: Tue, 4 Jun 2024 10:07:17 +0200 Subject: [PATCH] news: add entry for #127 Signed-off-by: Attila Szakacs --- news/feature-127.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 news/feature-127.md diff --git a/news/feature-127.md b/news/feature-127.md new file mode 100644 index 0000000000..2b898253fc --- /dev/null +++ b/news/feature-127.md @@ -0,0 +1,31 @@ +`s3()`: Introduced server side encryption related options + +`server-side-encryption()` and `kms-key()` can be used to configure encryption. + +Currently only `server-side-encryption("aws:kms")` is supported. +The `kms-key()` should be: + * an ID of a key + * an alias of a key, but in that case you have to add the alias/prefix + * an ARN of a key + +To be able to use the aws:kms encryption the AWS Role or User has to have the following +permissions on the given key: + * `kms:Decrypt` + * `kms:Encrypt` + * `kms:GenerateDataKey` + +Check [this](https://repost.aws/knowledge-center/s3-large-file-encryption-kms-key) page on why the `kms:Decrypt` is mandatory. + +Example config: +``` +destination d_s3 { + s3( + bucket("log-archive-bucket") + object-key("logs/syslog") + server-side-encryption("aws:kms") + kms-key("alias/log-archive") + ); +}; +``` + +See the [S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) documentation for more details.
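Review bot: The alias bullet in the `kms-key()` list ("an alias of a key, but in that case you have to add the alias/prefix") can be read as "alias or prefix" rather than "the `alias/` prefix". Suggest rewording it to "an alias of a key, prefixed with `alias/`", which matches the `kms-key("alias/log-archive")` line in the example config. The sentence "Currently only `server-side-encryption("aws:kms")` is supported." also leaves open what happens when a different value is given, and whether `kms-key()` is required or optional once `server-side-encryption("aws:kms")` is set; one sentence on each would save users a trip to the source. Minor: the link text "[this]" could name its target (for example "the AWS knowledge-center article"), and "why the `kms:Decrypt` is mandatory" reads better without the article.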