Add SSE support for S3 operations

[jbyars]

Currently, if a S3 bucket has a policy requiring SSE for uploads it appears storeDir and publishDir functionality may not work properly. Please add SSE support for S3 opertions. Adding an top level option to the configuration such as

aws {
  client {
    server-side-encryption = AES256
  }
}

should suffice for most. For some a per bucket setting may be preferred if they are using a more complicated encryption key scheme. Thanks!

[pditommaso]

As far as I know a S3 bucket does not enforce the encryption. That should be a property at file level, right?

[jbyars]

SSE is a file level property, but you can set a policy on S3 buckets to require all uploads to use some form of SSE, for example

{
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<your bucket>/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        }
    ]
}

It is a really convenient way to ensure everything uploaded to a bucket is encrypted.

[pditommaso]

I see. Thus the best thing would be to define it at bucket level. Also I was thinking that along the encryption would be useful being able to define the Storage class .

[jbyars]

I normally use bucket policies to manage storage class as well, but having the ability to specify infrequent access or reduced redundancy at upload time would be very nice. Bucket level options would be a preferable implementation for both.

[pditommaso]

Implemented by #475