peternied
commented
1 week ago [Triage - attendees 1 2 3] @itrich Thanks for creating this issue, what do you think about creating a pull request to add this functionality to [repository-s3]?
Open itrich opened 1 week ago
peternied
commented
1 week ago [Triage - attendees 1 2 3] @itrich Thanks for creating this issue, what do you think about creating a pull request to add this functionality to [repository-s3]?
harishbhakuni
commented
1 week ago @itrich thanks for creating this issue. One other solution i can think of for this is to use a default kms key at bucket level which will enforce the encryption for all the requests. however, it would not work if the use case is to use different kms keys for different s3 repositories which might be using same s3 bucket.
Is your feature request related to a problem? Please describe
We're currently creating regular snapshots of our OpenSearch cluster in an AWS S3 bucket. We have enabled
server_side_encryption, which perfectly works.However, our internal policies require us to enforce server-side encryption with customer managed keys (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#require-sse-kms).
At the moment, this is not possible with the S3 repository plugin, as no KMS key ID can be configured and S3-managed keys are used.
Describe the solution you'd like
I'd like the possibility to configure a KMS key ID (e.g.
server_side_encryption_kms_key_idin the S3 repository plugin which sets thex-amz-server-side-encryption-aws-kms-key-idheader for uploading snapshots to the particular S3 repository.Related component
Plugins
Describe alternatives you've considered
We're currently dismissing the alert that the violated policy created, but we need to find a solution sooner or later.
Additional context
No response