@ra100 ra100 commented Jul 10, 2025

feat(storage-s3): add support for encrypted s3 uploads

What?

This PR adds server-side encryption support for S3 uploads in the @payloadcms/storage-s3 plugin. The enhancement allows users to configure AWS KMS encryption for their S3 objects, providing an additional layer of security for uploaded files.

Why?

S3 server-side encryption is a critical security feature for applications that handle sensitive data. Many enterprise applications require encryption at rest to comply with security policies and regulations. Previously, the S3 storage plugin didn't support configuring encryption parameters, forcing users to rely on bucket-level defaults or manual S3 configuration.

This feature addresses the need for:

  • Compliance with security requirements that mandate encryption at rest
  • Fine-grained control over encryption settings per Payload application
  • Support for both AWS managed keys (AES256) and customer-managed KMS keys
  • Flexibility to configure encryption without modifying S3 bucket policies

How?

The implementation adds an optional encryption configuration object to the S3StorageOptions interface with the following properties:

  • serverSideEncryption: Specifies the encryption algorithm (supports all AWS ServerSideEncryption options)
  • kmsKeyId: Optional KMS key identifier (required for KMS encryption types)

Key Changes:

  1. Type Definitions (src/index.ts):

    • Added encryption option to S3StorageOptions interface
    • Imported ServerSideEncryption type from AWS SDK

  2. Upload Handler (src/handleUpload.ts):

    • Enhanced getHandleUpload to accept encryption parameters
    • Added encryption parameters to both putObject and multipart upload operations
    • Validates KMS key usage only for KMS encryption types

  3. Signed URL Generation (src/generateSignedURL.ts):

    • Updated signed URL generation to include encryption parameters
    • Ensures pre-signed URLs respect the same encryption settings as direct uploads

  4. Documentation (README.md):

    • Added configuration example showing how to enable KMS encryption
    • Documented the optional nature of the encryption settings

Usage Example:

s3Storage({
  config: {
    region: process.env.S3_REGION,
    // ... other S3 configuration
  },
  encryption: {
    serverSideEncryption: 'aws:kms',
    kmsKeyId: process.env.S3_KMS_KEY_ID,
  },
})

The implementation is backward compatible - existing configurations continue to work without any changes, and encryption is only applied when explicitly configured.

Fixes #5596

@ra100 ra100 requested a review from denolfe as a code owner July 10, 2025 15:45
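
The option-to-request mapping the description outlines (encryption settings passed to putObject, with the KMS key attached only for KMS modes), plus a check of what a stored object reports, as an added example that is not the PR's code. `buildSseParams` and `checkStoredObject` are hypothetical helpers and the sample values are constructed; `ServerSideEncryption` and `SSEKMSKeyId` are the S3 PutObject and HeadObject field names.

```typescript
// Added example; helper names are hypothetical, not the plugin's API.
type SSE = 'AES256' | 'aws:kms' | 'aws:kms:dsse'
interface EncryptionOptions { serverSideEncryption?: SSE; kmsKeyId?: string }
// Field names as used by S3 PutObject requests and HeadObject responses.
interface SseFields { ServerSideEncryption?: SSE; SSEKMSKeyId?: string }

const isKms = (sse?: SSE): boolean => sse === 'aws:kms' || sse === 'aws:kms:dsse'

// Map plugin-style options onto the fields sent with an upload request.
function buildSseParams(enc?: EncryptionOptions): SseFields {
  // No encryption configured: send nothing, so the bucket default applies.
  if (!enc?.serverSideEncryption) return {}
  const params: SseFields = { ServerSideEncryption: enc.serverSideEncryption }
  // A key id is only meaningful for KMS modes; never send it with AES256.
  if (isKms(enc.serverSideEncryption) && enc.kmsKeyId) params.SSEKMSKeyId = enc.kmsKeyId
  return params
}

// Compare what S3 reports for a stored object with the configured intent.
// Returns a list of mismatches; an empty list means the object matches.
function checkStoredObject(head: SseFields, enc: EncryptionOptions): string[] {
  const problems: string[] = []
  if (head.ServerSideEncryption !== enc.serverSideEncryption) {
    problems.push(
      `expected ${enc.serverSideEncryption}, object has ${head.ServerSideEncryption ?? 'none'}`,
    )
  }
  if (isKms(enc.serverSideEncryption) && enc.kmsKeyId) {
    const got = head.SSEKMSKeyId ?? ''
    // The response may carry the key as a full ARN: accept an exact match or
    // an ARN ending in the configured key id. An alias cannot be compared this way.
    if (got !== enc.kmsKeyId && !got.endsWith(`/${enc.kmsKeyId}`)) {
      problems.push(`object encrypted with unexpected KMS key ${got || '(none)'}`)
    }
  }
  return problems
}

// Constructed sample values (not from the PR).
const SAMPLE_CONFIG: EncryptionOptions = { serverSideEncryption: 'aws:kms', kmsKeyId: 'EXAMPLE-KEY-ID' }
const SAMPLE_HEAD: SseFields = {
  ServerSideEncryption: 'aws:kms',
  SSEKMSKeyId: 'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID',
}
```
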

ra100 commented Jul 11, 2025

I don't quite understand what the issue with the ci / analyze job is.

@ra100 ra100 force-pushed the main branch 4 times, most recently from d16479b to 1e2ecf5 Compare July 14, 2025 11:54