to: @ryandeivert
cc: @airbnb/binaryalert-maintainers
size: medium
Background
BinaryAlert may be processing and storing sensitive information (files scanned, YARA matches, etc.). To better protect that data, we can use server-side encryption (SSE) to encrypt data at rest in all supported services (Dynamo, S3, and SQS).
Changes
Pins the python-dateutil library when building the downloader function to avoid a pip warning
CbEnterpriseResponseAPI has been deprecated by CarbonBlack in favor of CbResponseAPI
Create 2 new KMS keys for server-side encryption of S3 and SQS, respectively. (Dynamo uses its own AWS-managed key)
Add AWS account ID to the BinaryAlert config (it's required for creating a policy on the new KMS key)
WARNING: Enabling server-side encryption for the Dynamo table forces a new resource, meaning it will destroy your existing table
Testing
Verified end-to-end in a test account:
./manage.py configure # No CarbonBlack
./manage.py deploy
./manage.py live_test
./manage.py configure # Enable CarbonBlack
./manage.py deploy
./manage.py cb_copy_all # Test the downloader
./manage.py live_test
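To make the infrastructure side of the change above concrete, here is an added Terraform example (written for this page, not BinaryAlert's own Terraform) showing the pattern the PR describes: one customer-managed KMS key each for S3 and SQS, a key policy that needs the AWS account ID, S3 default encryption and SQS encryption pointed at those keys, and the DynamoDB table using its AWS-managed key. Resource names, the `name_prefix` default, the table's `SHA256` hash key and the `aws_account_id` variable are assumptions; the PR does not state them.

```hcl
# Added example (not BinaryAlert's own Terraform): one KMS customer-managed key
# per encrypted service, wired into S3, SQS and DynamoDB. All names and the
# aws_account_id variable are assumptions, not values taken from the PR.

variable "aws_account_id" {
  description = "Account that owns the KMS keys; required to write the key policy."
  type        = string
}

variable "name_prefix" {
  description = "Prefix for resource names (assumed)."
  type        = string
  default     = "binaryalert"
}

# Key policy: a KMS key with no statement for the account root principal
# cannot be administered by anyone, which is why the account ID must be
# known at deploy time.
locals {
  kms_root_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "EnableIAMUserPermissions"
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${var.aws_account_id}:root" }
      Action    = "kms:*"
      Resource  = "*"
    }]
  })
}

resource "aws_kms_key" "s3" {
  description         = "${var.name_prefix} S3 server-side encryption"
  enable_key_rotation = true
  policy              = local.kms_root_policy
}

resource "aws_kms_key" "sqs" {
  description         = "${var.name_prefix} SQS server-side encryption"
  enable_key_rotation = true
  policy              = local.kms_root_policy
}

# S3: bucket-level default encryption, so every object lands as SSE-KMS even
# when the writer (a Lambda function, for example) sends no encryption header.
resource "aws_s3_bucket" "binaries" {
  bucket = "${var.name_prefix}-binaries-${var.aws_account_id}"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "binaries" {
  bucket = aws_s3_bucket.binaries.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
  }
}

# SQS: messages at rest are encrypted with the second key. The reuse period
# bounds how long SQS caches a data key before calling KMS again.
resource "aws_sqs_queue" "analyzer" {
  name                              = "${var.name_prefix}-analyzer-queue"
  kms_master_key_id                 = aws_kms_key.sqs.id
  kms_data_key_reuse_period_seconds = 300
}

# DynamoDB: encryption uses the AWS-managed key, so no key resource is needed.
# As the PR warns, turning this on for an existing table can force a new
# resource; check `terraform plan` for "forces replacement" before applying
# to a table that already holds data.
resource "aws_dynamodb_table" "matches" {
  name         = "${var.name_prefix}-matches"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "SHA256"

  attribute {
    name = "SHA256"
    type = "S"
  }

  server_side_encryption {
    enabled = true
  }
}
```

One consequence to plan for: once S3 and SQS use customer-managed keys, any IAM role that writes objects or sends messages also needs `kms:GenerateDataKey` (and `kms:Decrypt` to read them back) on the matching key, or the `PutObject` / `SendMessage` calls fail with an access-denied error even though the S3 and SQS permissions themselves are correct. The key policy above only grants the account root, so those grants are made through the roles' IAM policies.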
Coverage decreased (-0.003%) to 92.516% when pulling 14d61ac73a4b9903bcbbdeb113b993770cf41ece on austin-sse into 4337f765a46b97b6377e4fa5f1ef760045960ce2 on master.