airbnb / binaryalert

BinaryAlert: Serverless, Real-time & Retroactive Malware Detection.

https://binaryalert.io

Apache License 2.0

1.4k stars 187 forks source link

Use SSE-S3 instead of SSE-KMS for access logs #122

Closed austinbyers closed 6 years ago

austinbyers commented 6 years ago

to: @ryandeivert cc: @airbnb/binaryalert-maintainers size: small

Background

121 enabled server-side encryption with KMS for both BinaryAlert S3 buckets. However, access logs could no longer be delivered after this change.

I'm sure there's a permission error, but I couldn't find it - even granting kms:* to Service: s3.amazonaws.com for the KMS key didn't work.

Changes

Use the default S3 encryption for the access logs bucket instead of KMS. KMS is still used to encrypt the primary bucket (for uploads)

Testing

Access logs delivered successfully after this change

coveralls commented 6 years ago

Coverage remained the same at 92.516% when pulling e28b2e7a45a36e364a55d1790294d670327a859c on austin-access-logs-sse into 29e339ae6c5abe207e31646c346108ccb74d6bbe on master.