S3 input plugin is not reading AWS-KMS (CMK) encrypted bucket #216

Open
deepanshumarwah opened this issue Sep 22, 2020 · 2 comments

deepanshumarwah commented Sep 22, 2020

I am running a logstash container with s3 pipeline as per below configuration:

input {
  s3 {
    id => "pipeline_s3_example_bucket_input"
    bucket => "example-bucket"
    region => "ap-southeast-1"
    access_key_id => "#######################"
    secret_access_key => "#######################"
    codec => "json_lines"
    sincedb_path => "/sincedbs/pipeline_s3_example_bucket.sincedb"
    prefix => "folderA"
    add_field => {
      "type" => "example-bucket-logs"
      "host" => "example-bucket"
    }
  }
}

My S3 bucket is encrypted with AWS-KMS using a custom managed key. I am using the IAM policy below for the user to read the bucket data:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "kms:Decrypt",
        "s3:GetBucketLogging",
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "s3:GetObjectTagging",
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:GetBucketLocation",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:kms:ap-southeast-1:<account-id>:key/<Key-ID>",
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

I also added the user ARN in the key users. I tested the access using AWS CLI commands and that worked as well. However, Logstash is not able to pull those logs and I can't see any error in the container logs either. Please help if anyone else has faced a similar issue.

  • Version: 7.9.1
  • Operating System: Docker container on CentOS 7
  • Config File shared above
  • Sample Data: encrypted s3 bucket containing log files
  • Steps to Reproduce:

Link to elastic community : https://discuss.elastic.co/t/s3-input-plugin-is-not-reading-aws-kms-cmk-encrypted-bucket/249439
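
An offline check, added here as an example and not part of the original post or the plugin's code, of whether an identity policy like the one posted grants what reading an SSE-KMS object needs. The required set (list, get, `kms:Decrypt`), the sample object key and the function names are assumptions, and only Allow statements are evaluated.

```python
import json
import re

# Policy from the post (opening brace restored), placeholders kept as posted.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IAMPolicy", "Effect": "Allow",
    "Action": ["s3:GetObject", "kms:Decrypt", "s3:GetBucketLogging",
               "kms:GenerateDataKey", "kms:DescribeKey", "s3:GetObjectTagging",
               "s3:ListBucket", "s3:GetBucketVersioning",
               "s3:GetBucketLocation", "s3:GetObjectVersion"],
    "Resource": ["arn:aws:kms:ap-southeast-1:<account-id>:key/<Key-ID>",
                 "arn:aws:s3:::example-bucket",
                 "arn:aws:s3:::example-bucket/*"]
  }]
}""")
KEY_ARN = "arn:aws:kms:ap-southeast-1:<account-id>:key/<Key-ID>"

# Assumption: the read path is list bucket, get object, decrypt with the key.
REQUIRED = [
    ("s3:ListBucket", "arn:aws:s3:::example-bucket"),
    ("s3:GetObject", "arn:aws:s3:::example-bucket/folderA/sample.log"),  # constructed key
    ("kms:Decrypt", KEY_ARN),
]

def _as_list(value):
    """IAM allows Action/Resource/Statement as a single value or a list."""
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, flags=0):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def allowed(policy, action, resource):
    """True if an Allow statement covers the pair (Deny/Not*/Condition not evaluated)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        acts = _as_list(stmt.get("Action", []))
        ress = _as_list(stmt.get("Resource", []))
        if (any(_matches(a, action, re.I) for a in acts)        # actions: case-insensitive
                and any(_matches(r, resource) for r in ress)):  # ARNs: case-sensitive
            return True
    return False

def missing_permissions(policy, required=REQUIRED):
    """Required (action, resource) pairs that no Allow statement grants."""
    return [(a, r) for a, r in required if not allowed(policy, a, r)]
```

For the posted policy `missing_permissions(POLICY)` returns an empty list; the KMS key policy is evaluated separately by AWS and is not covered by this check.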

@kaisecheng
Contributor

I marked it as an enhancement to support KMS-encrypted files.
It requires extra headers:

GET /example_image.jpg HTTP/1.1
Host: example-bucket.s3.amazonaws.com
Accept: */*
Authorization: 5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
Date: Wed, 28 May 2014 19:31:11 +0000
x-amz-server-side-encryption: aws:kms
x-amz-server-side-encryption-aws-kms-key-id: arn:aws:kms:us-east-1:111122223333:key/0695f802-503c-40n2-d17d-16d702f79f01

Z4ck404 commented Sep 11, 2023

Are there any updates about this issue?
