Support encrypted CW log groups

Open HyperBrain opened this issue 7 years ago • 10 comments

This is a Feature Proposal

Description

AWS just announced encrypted CW logstreams (by using KMS) on a log group basis. As soon as this is supported in CloudFormation it would be great to have the functionality available in Serverless, i.e. that you can select encryption per function and reference a KMS key.

Reference: https://aws.amazon.com/about-aws/whats-new/2017/12/amazon-cloudwatch-logs-now-supports-kms-encryption/

HyperBrain avatar Dec 12 '17 15:12 HyperBrain

Is there any update on this?

MichaelMitchellM avatar May 17 '19 19:05 MichaelMitchellM

Damn, nearly 2 years later and not supported. :(

Edit: I suspect the reason it isn't present yet is because CloudFormation doesn't support this (STILL) and thus serverless cannot directly support it.

et304383 avatar Oct 04 '19 17:10 et304383

Features that are not supported in CloudFormation can still be handled via Custom resources. It should no longer be considered a blocker.

PR is welcome

medikoo avatar Apr 21 '20 13:04 medikoo

> Features that are not supported in CloudFormation can still be handled via Custom resources. It should no longer be considered a blocker.
>
> PR is welcome

FWIW, there is an open PR to add this to the CF provider, so ideally should be coming soon.

https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-logs/pull/27

Drives me a little nuts that Terraform has supported this since 2017...

mascah avatar Jun 18 '20 00:06 mascah

FYI this is now live

isaacl avatar Dec 14 '20 20:12 isaacl

In light of that, we're open to a PR. Still, first let's specify how it should be implemented (solved internally).

medikoo avatar Dec 15 '20 11:12 medikoo

Hi,

This issue is becoming more important with any kind of external policies enforced on the account. If we're not able to enable KMS on the log groups created by Serverless.com, we have to create the log groups manually or inherit them from, e.g., Terraform. That makes the whole setup much more complex, so adding a kmsKeyArn for logs would be a great improvement.

rafaljanicki avatar Feb 08 '22 14:02 rafaljanicki
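For readers landing here with the same account-policy requirement, the following is an added example of encrypting a framework-generated log group with a customer-managed KMS key through the `resources` section of `serverless.yml`. It is not code from this thread, from the Serverless Framework, or from the plugin linked later; it relies on CloudFormation's `KmsKeyId` property on `AWS::Logs::LogGroup` (the property added by the CloudFormation PR referenced above). Assumptions: the service and function names (`encrypted-logs-demo`, `hello`) are constructed, and the override depends on the framework naming a function's log group `<FunctionName>LogGroup` and merging user-supplied properties into that generated resource.

```yaml
# Constructed example serverless.yml (not the framework's or the thread's code).
service: encrypted-logs-demo

provider:
  name: aws
  runtime: nodejs18.x
  region: eu-west-1

functions:
  hello:
    handler: handler.hello

resources:
  Resources:
    # Customer-managed key dedicated to CloudWatch Logs for this stack.
    LogsKmsKey:
      Type: AWS::KMS::Key
      Properties:
        Description: CMK for CloudWatch log groups created by this service
        EnableKeyRotation: true
        KeyPolicy:
          Version: "2012-10-17"
          Statement:
            # The account root keeps administrative control of the key.
            - Sid: AllowKeyAdministration
              Effect: Allow
              Principal:
                AWS:
                  Fn::Join:
                    - ""
                    - - "arn:aws:iam::"
                      - Ref: AWS::AccountId
                      - ":root"
              Action: kms:*
              Resource: "*"
            # CloudWatch Logs itself must be allowed to use the key; without this
            # statement associating the key with the log group fails. The
            # encryption-context condition restricts use of the key to log groups
            # in this account and region, so the key cannot be used elsewhere.
            - Sid: AllowCloudWatchLogs
              Effect: Allow
              Principal:
                Service:
                  Fn::Join:
                    - ""
                    - - "logs."
                      - Ref: AWS::Region
                      - ".amazonaws.com"
              Action:
                - kms:Encrypt*
                - kms:Decrypt*
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:Describe*
              Resource: "*"
              Condition:
                ArnLike:
                  kms:EncryptionContext:aws:logs:arn:
                    Fn::Join:
                      - ""
                      - - "arn:aws:logs:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - ":log-group:*"

    # Override of the log group generated for the `hello` function (assumed
    # logical ID <FunctionName>LogGroup). Only the added properties are listed;
    # the framework is assumed to merge them into its own LogGroup definition,
    # so LogGroupName does not need to be repeated here.
    HelloLogGroup:
      Type: AWS::Logs::LogGroup
      Properties:
        KmsKeyId:
          Fn::GetAtt: [LogsKmsKey, Arn]
        RetentionInDays: 30
```

Two points worth checking before relying on this: the Lambda execution role needs no KMS permissions, because CloudWatch Logs encrypts and decrypts on the service side using the key policy above, and the `ArnLike` condition on `kms:EncryptionContext:aws:logs:arn` is what keeps a logs-only key from being usable by other principals or services that are granted the same API actions. `Fn::Join` with `Ref` is used instead of `Fn::Sub` so that the `${...}` pseudo-parameter syntax does not collide with the framework's own variable syntax.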

Hello @rafaljanicki - thanks for reporting. At the moment there are no immediate plans for pushing this initiative forward as we're focusing on different priorities.

pgrzesik avatar Feb 08 '22 16:02 pgrzesik

Hey @pgrzesik, any news here? Or an idea of a workaround that is semi-automatic, i.e. doesn't involve writing separate policies for each log group?

rafaljanicki avatar Sep 13 '23 10:09 rafaljanicki

If one wants to tackle that issue, I've created a module for that: https://github.com/Kult-io/serverless-plugin-log-key-id

rafaljanicki avatar Sep 18 '23 11:09 rafaljanicki