Add AWS KMS key encryption/decryption for S3 buckets

Description

Hi!

We use AWS KMS keys internally to encrypt S3 buckets and we would like to use this feature on Percona Backup for MongoDB.

From what I could see, this is not implemented yet: 

https://github.com/percona/percona-backup-mongodb/blob/457bc0eaf861c8c15c997333ce1d8108a138874b/pbm/backup/dst.go#L67-L74

Do you think this could be implemented?

Thanks!

Environment

None

Activity

andrew.pogrebnoi September 18, 2020 at 9:49 AM

Config format

Akira Kurogane August 31, 2020 at 6:13 AM

Linking to because both this and that ticket concern extra S3 options.

Akira Kurogane February 25, 2020 at 1:56 PM

Hi Pedro.

OK, that's going into the roadmap. It's not related to anything else so far, so it will just be another feature in the next major version (tentatively called 2.0). That will be implementing as the main thing, though, so it's not going to be complete so quickly.

Akira

Pedro Albuquerque February 24, 2020 at 11:29 AM

Hi Akira!

This sounds right and it is exactly what we are looking for.

Thanks a lot for your help on this!

Akira Kurogane February 24, 2020 at 5:28 AM

Hi Pedro. OK, I've done a little reading now.

In the context of PBM, which uses the AWS golang SDK, I take this to mean:

  • PBM user would set a "storage.s3.serverSideEncryption" subsection in the PBM config. (Exact section name T.B.D.)

  • That 'serverSideEncryption' YAML/JSON section would have properties such as SSEAlgorithm and KMSMasterKeyID (equivalents to the --sse and --sse-kms-key-id used by the CLI example above).

  • If the 'serverSideEncryption' section is found with those two properties, then the S3 session will add the encryption for the bucket as a default, by code similar to https://github.com/awsdocs/aws-doc-sdk-examples/blob/master/go/example_code/s3/s3_set_default_encryption.go.

  • OR: The ServerSideEncryption and SSEKMSKeyId values are set in every PutObjectInput() or GetObjectInput() wherever they occur in PBM code.

Do you think that sounds right?

Regards,

Akira
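As an added example (not PBM's code and not part of this ticket), here is a Go sketch of the per-request option from the last bullet above: a `serverSideEncryption` config subsection is parsed, validated, and mapped onto the two fields the SDK's `PutObjectInput` exposes for SSE-KMS, and the headers S3 echoes back on a PutObject or HeadObject response are checked against what was requested, so an upload that silently landed unencrypted or under the wrong key is caught. The JSON key names, the bucket name, the KMS key ARN and the `PutObjectParams` struct (a stand-in for `s3.PutObjectInput`, so the block runs without the SDK) are assumptions; the `x-amz-server-side-encryption` and `x-amz-server-side-encryption-aws-kms-key-id` response headers are the ones S3 documents.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// Constructed sample config. The JSON keys and the key ARN are assumptions for
// this example, not PBM's actual config format.
const SampleConfigJSON = `{
  "bucket": "pbm-backups-example",
  "serverSideEncryption": {
    "sseAlgorithm": "aws:kms",
    "kmsMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
  }
}`

// ServerSideEncryption mirrors the proposed "storage.s3.serverSideEncryption"
// subsection, using the two property names from the discussion.
type ServerSideEncryption struct {
	SSEAlgorithm   string `json:"sseAlgorithm"`   // "AES256" or "aws:kms"
	KMSMasterKeyID string `json:"kmsMasterKeyID"` // full key ARN; S3 echoes the ARN back
}

// S3Config is the hypothetical storage.s3 section this example needs.
type S3Config struct {
	Bucket               string                `json:"bucket"`
	ServerSideEncryption *ServerSideEncryption `json:"serverSideEncryption,omitempty"`
}

// PutObjectParams stands in for the aws-sdk-go s3.PutObjectInput fields the
// ticket names (ServerSideEncryption, SSEKMSKeyId). It is not the SDK type.
type PutObjectParams struct {
	Bucket               string
	Key                  string
	ServerSideEncryption string
	SSEKMSKeyId          string
}

// Validate rejects combinations that would otherwise be accepted by S3 but do
// not match the operator's intent: "aws:kms" without a key ID makes S3 fall back
// to the AWS-managed aws/s3 key rather than the customer-managed key the ticket
// is about, and a key ID with AES256 is ignored.
func (s *ServerSideEncryption) Validate() error {
	switch s.SSEAlgorithm {
	case "AES256":
		if s.KMSMasterKeyID != "" {
			return errors.New("kmsMasterKeyID is only meaningful with sseAlgorithm aws:kms")
		}
	case "aws:kms":
		if s.KMSMasterKeyID == "" {
			return errors.New("sseAlgorithm aws:kms requires kmsMasterKeyID (customer-managed key)")
		}
	default:
		return fmt.Errorf("unsupported sseAlgorithm %q", s.SSEAlgorithm)
	}
	return nil
}

// ParseS3Config decodes the JSON form of the section and validates it up front,
// before any backup is started.
func ParseS3Config(raw []byte) (*S3Config, error) {
	var cfg S3Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	if cfg.Bucket == "" {
		return nil, errors.New("bucket is required")
	}
	if cfg.ServerSideEncryption != nil {
		if err := cfg.ServerSideEncryption.Validate(); err != nil {
			return nil, err
		}
	}
	return &cfg, nil
}

// BuildPutObject applies the config to one upload, the per-request approach of
// setting the SSE fields on every PutObjectInput.
func BuildPutObject(cfg *S3Config, key string) PutObjectParams {
	p := PutObjectParams{Bucket: cfg.Bucket, Key: key}
	if sse := cfg.ServerSideEncryption; sse != nil {
		p.ServerSideEncryption = sse.SSEAlgorithm
		p.SSEKMSKeyId = sse.KMSMasterKeyID
	}
	return p
}

// ConfirmEncrypted compares the SSE headers S3 returns on a PutObject or
// HeadObject response with what was requested. S3 reports the key as its full
// ARN, which is why the config above stores the ARN rather than an alias.
func ConfirmEncrypted(want PutObjectParams, resp http.Header) error {
	if want.ServerSideEncryption == "" {
		return nil // nothing was requested, nothing to verify
	}
	if got := resp.Get("x-amz-server-side-encryption"); got != want.ServerSideEncryption {
		return fmt.Errorf("object stored with SSE %q, wanted %q", got, want.ServerSideEncryption)
	}
	if want.SSEKMSKeyId != "" {
		if got := resp.Get("x-amz-server-side-encryption-aws-kms-key-id"); got != want.SSEKMSKeyId {
			return fmt.Errorf("object encrypted with KMS key %q, wanted %q", got, want.SSEKMSKeyId)
		}
	}
	return nil
}

func main() {
	cfg, err := ParseS3Config([]byte(SampleConfigJSON))
	if err != nil {
		panic(err)
	}
	p := BuildPutObject(cfg, "backup/2020-02-24.tar")
	fmt.Printf("PutObject %s/%s SSE=%s key=%s\n", p.Bucket, p.Key, p.ServerSideEncryption, p.SSEKMSKeyId)

	// Constructed response headers standing in for what S3 would send back.
	resp := http.Header{}
	resp.Set("x-amz-server-side-encryption", "aws:kms")
	resp.Set("x-amz-server-side-encryption-aws-kms-key-id", p.SSEKMSKeyId)
	fmt.Println("verified:", ConfirmEncrypted(p, resp) == nil)
}
```

The response check is the part worth keeping whichever of the two designs is chosen: a bucket default encryption rule can be changed by someone with `s3:PutEncryptionConfiguration`, and a per-request field can be dropped in one code path, so the upload result, not the configuration, is what tells you the backup is under the intended key.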

Done

Details

Needs QA

Yes

Needs Doc

Yes

Time tracking

2d 5h 25m logged

Created February 20, 2020 at 3:42 PM
Updated February 4, 2025 at 11:25 AM
Resolved October 12, 2020 at 5:43 AM