From 0459eed8d03185113da1c115bb345c8ede0c9ac5 Mon Sep 17 00:00:00 2001
From: Bryan Talbot
Date: Fri, 5 May 2017 15:03:33 -0700
Subject: [PATCH] enable S3 ServerSideEncryption for all writes.

S3 doesn't charge any extra for using encryption and there's no reason not to. AES256 using the S3 managed keys are used by default but can be changed to use KMS keys be setting the ENV variables ServerSideEncryption='aws:kms' and SSEKMSKeyId=kms-key-id
---
 backup.js | 2 ++
 index.js | 6 +++++-
 s3-backfill.js | 2 ++
 s3-snapshot.js | 2 ++
 4 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/backup.js b/backup.js
index 79e2e9a..bcf07ca 100644
--- a/backup.js
+++ b/backup.js
@@ -40,6 +40,8 @@ module.exports = function(config, done) {
 log('[segment %s] Starting backup job %s of %s', index, config.backup.jobid, config.region + '/' + config.table);

 s3.upload({
+ ServerSideEncryption: process.env.ServerSideEncryption || 'AES256',
+ SSEKMSKeyId: process.env.SSEKMSKeyId,
 Bucket: config.backup.bucket,
 Key: key,
 Body: data
diff --git a/index.js b/index.js
index 4c3b298..83b3322 100644
--- a/index.js
+++ b/index.js
@@ -193,7 +193,11 @@ function incrementalBackup(event, context, callback) {
 };

 var req = change.eventName === 'REMOVE' ? 'deleteObject' : 'putObject';
- if (req === 'putObject') params.Body = JSON.stringify(change.dynamodb.NewImage);
+ if (req === 'putObject') {
+ params.Body = JSON.stringify(change.dynamodb.NewImage);
+ params.ServerSideEncryption = process.env.ServerSideEncryption || 'AES256';
+ params.SSEKMSKeyId = process.env.SSEKMSKeyId;
+ }

 s3[req](params, function(err) {
 if (err) console.log(
diff --git a/s3-backfill.js b/s3-backfill.js
index b70e0af..2eb803b 100644
--- a/s3-backfill.js
+++ b/s3-backfill.js
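Review bot: `SSEKMSKeyId: process.env.SSEKMSKeyId` is attached to the upload regardless of which mode `ServerSideEncryption` resolves to, so an operator who exports a KMS key id but forgets `ServerSideEncryption=aws:kms` gets a request carrying a key id together with AES256 — a combination S3 rejects rather than silently upgrading to KMS, as far as I know — instead of the KMS-encrypted backup they intended. Tying the two together on the added line, `SSEKMSKeyId: process.env.ServerSideEncryption === 'aws:kms' ? process.env.SSEKMSKeyId : undefined,`, makes that misconfiguration impossible to express. The added lines also deserve a short comment that with `aws:kms` the role running this backup needs `kms:GenerateDataKey` on the key (and whoever restores needs `kms:Decrypt`), otherwise every segment upload fails with AccessDenied; nothing in this commit documents that. The enclosing `module.exports` function starts and ends outside the hunk.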
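Review bot: `params.ServerSideEncryption = process.env.ServerSideEncryption || 'AES256'` passes whatever string is in the environment straight through to S3 for every stream record, and in this function a bad value (say `aws:KMS` or a stray quote from the deploy tooling) is only noticed inside the `s3[req]` callback, where the visible code `console.log`s the error per record — so a typo in one environment variable can turn into an incremental backup that fails every single write; whether that also fails the invocation via `callback` is outside the hunk. Validate once at module load rather than per record: `var SSE = process.env.ServerSideEncryption || 'AES256'; if (SSE !== 'AES256' && SSE !== 'aws:kms') throw new Error('ServerSideEncryption must be AES256 or aws:kms');` and then `params.ServerSideEncryption = SSE;` here. A module-level constant also stops the per-record `process.env` reads and makes the setting mockable in tests. `incrementalBackup` starts and ends outside the hunk.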
@@ -58,6 +58,8 @@ function backfill(config, done) {
 .digest('hex');

 var params = {
+ ServerSideEncryption: process.env.ServerSideEncryption || 'AES256',
+ SSEKMSKeyId: process.env.SSEKMSKeyId,
 Bucket: config.backup.bucket,
 Key: [config.backup.prefix, config.table, id].join('/'),
 Body: Dyno.serialize(record)
diff --git a/s3-snapshot.js b/s3-snapshot.js
index fe3b3d0..a139edb 100644
--- a/s3-snapshot.js
+++ b/s3-snapshot.js
@@ -45,6 +45,8 @@ module.exports = function(config, done) {
 };

 var upload = s3.upload({
+ ServerSideEncryption: process.env.ServerSideEncryption || 'AES256',
+ SSEKMSKeyId: process.env.SSEKMSKeyId,
 Bucket: config.destination.bucket,
 Key: config.destination.key,
 Body: gzip
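Review bot: With the default left at `'AES256'`, the two added lines protect the backfilled records only against S3's storage layer being read directly — SSE-S3 is transparent to any principal with `s3:GetObject` on `config.backup.bucket`, so it is not a control on who can read these DynamoDB rows; if that is the property the backups need, `aws:kms` with a key policy limited to the backup and restore roles is the setting to default to, and the trade-off deserves a comment on the added lines, e.g. `// SSE-S3 by default: at-rest encryption only, no extra access control. Set ServerSideEncryption=aws:kms for key-policy-gated reads.`. Independently of the code, the "all writes" guarantee the commit title promises is better enforced on the bucket itself — a bucket policy denying `s3:PutObject` without `s3:x-amz-server-side-encryption`, or default bucket encryption where available — so that a write path added later without these lines fails instead of landing in plaintext. `backfill` starts before the hunk and `params` is consumed after it.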
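Review bot: This is the fourth verbatim copy of the same two `process.env` lines in one commit (backup.js, index.js, s3-backfill.js and here), each read at the point of use with no validation, so the next S3 write added to this project gets no encryption at all unless its author remembers to paste them again. Pull them into one shared helper that validates the mode once and only attaches the KMS key id when the mode is `aws:kms`; the call here then becomes `var upload = s3.upload(Object.assign(sseParams(), { Bucket: config.destination.bucket, Key: config.destination.key, Body: gzip })` (the hunk's lines show the file uses `var` and plain object literals, so `Object.assign` stays in style). Note the helper below deliberately drops `SSEKMSKeyId` when the mode is AES256, which differs from the current code that always sends it. The enclosing `module.exports` function starts and ends outside the hunk.
```javascript
// Server-side encryption settings for every S3 write in this project.
// Default is SSE-S3 (AES256); set ServerSideEncryption=aws:kms and
// SSEKMSKeyId=<key id or ARN> to use a customer-managed KMS key instead.
function sseParams() {
  var mode = process.env.ServerSideEncryption || 'AES256';
  if (mode !== 'AES256' && mode !== 'aws:kms') {
    throw new Error('ServerSideEncryption must be AES256 or aws:kms, got: ' + mode);
  }
  var params = { ServerSideEncryption: mode };
  // A KMS key id is only meaningful (and only accepted by S3) together with aws:kms.
  if (mode === 'aws:kms' && process.env.SSEKMSKeyId) {
    params.SSEKMSKeyId = process.env.SSEKMSKeyId;
  }
  return params;
}
```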