✨ allow to set the header to AES256 when uploading files to S3
#172
Conversation
|
This looks great, @drieshooghe – just doing some testing on my end and will get it merged. |
|
@timkelty any news on this? |
Glad you asked, working on it today! Should be merged shortly. |
|
@drieshooghe tested and everything seems to be working as expected. However, I'm a bit dubious about adding this as an option without another encryption method other than Including this as an option is likely to confuse people into thinking they're opting into something more secure, when they really aren't changing the behavior from the default. The only thing explicitly sending the header/param gets you is the ability to restrict things with a bucket policy, which isn't really meaningful if there isn't another encryption method option (kms). I'm curious to hear your use-case, or if I'm missing something, though. |
|
@timkelty you're right, it purely a fix for bucket policy enforcements. Our buckets all have a requirement that the The copy is indeed a bit misleading, it should explain that this doesn't enable SSE but only adds the header. |
|
@drieshooghe well, I'm thinking maybe we should just ditch the setting all together, and just change the behavior to send the encryption header, since that aligns with the default, but allows bucket policies like you want. I feel like that might make more sense unless we support If that makes sense to you, let me know and I can make that change. |
|
@timkelty that makes sense 👍🏻 |
|
@drieshooghe in that case I'm going to close this in favor of #174
Thanks, @drieshooghe! |
Description
Allows to specify
AES256(the default S3 encryption) as the server-side encryption method for storing objects in S3.Considerations
Implemented this as this has become a common security practice to prevent the upload of unencrypted objects to S3.
📙 How to prevent uploads of unencrypted objects to amazon s3
Does not add support for
aws:kmsencryption.Related issues
Ability to use server side encryption #154