Enable server-side encryption for Dynamo, S3, and SQS

austinbyers commented 6 years ago

to: @ryandeivert cc: @airbnb/binaryalert-maintainers size: medium

Background

BinaryAlert may be processing and storing sensitive information (files scanned, YARA matches, etc). To better protect that data, we can use server-side encryption (SSE) to encrypt data at rest in all supported services (Dynamo, S3, and SQS)

Changes

Pins the python-dateutil library when building the downloader function to avoid a pip warning
CbEnterpriseResponseAPI has been deprecated by CarbonBlack in favor of CbResponseAPI
Create 2 new KMS keys for server-side encryption of S3 and SQS, respectively. (Dynamo uses its own AWS-managed key)
Add AWS account ID to the BinaryAlert config (it's required for creating a policy on the new KMS key)

WARNING: Enabling server-side encryption for the Dynamo table forces a new resource, meaning it will destroy your existing table

Testing

Verified end-to-end in a test account:

./manage.py configure  # No CarbonBlack
./manage.py deploy
./manage.py live_test
./manage.py configure  # Enable CarbonBlack
./manage.py deploy
./manage.py cb_copy_all  # Test the downloader
./manage.py live_test

coveralls commented 6 years ago

Coverage decreased (-0.003%) to 92.516% when pulling 14d61ac73a4b9903bcbbdeb113b993770cf41ece on austin-sse into 4337f765a46b97b6377e4fa5f1ef760045960ce2 on master.

kittrCZ commented 6 years ago

Wow @austinbyers , this is very nice feature! I love binaryalert!

austinbyers commented 6 years ago

Thanks! Glad to hear it!

airbnb / binaryalert