docs: s3: SSE configuration docs

[GabrielYamin]

Summary by CodeRabbit

• Documentation
  • Added documentation for S3 output encryption configuration options: sse and sse_kms_key_id, covering SSE-S3, SSE-KMS, and DSSE-KMS modes.
  • Added configuration examples demonstrating SSE-KMS usage for S3 outputs across common deployment scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The S3 output plugin documentation adds two public configuration parameters, sse and sse_kms_key_id, and includes example Fluent Bit configuration blocks demonstrating SSE-KMS usage for general and PutObject scenarios.

Changes

Cohort / File(s)	Summary
S3 Output Plugin Documentation pipeline/outputs/s3.md	Added documentation for sse and sse_kms_key_id (SSE-S3, SSE-KMS, DSSE-KMS). Inserted example Fluent Bit configuration blocks (YAML and conf) showing SSE-KMS for general uploads and PutObject usage.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

4.2.2

Suggested reviewers

• esmerel

Poem

🐰 A document grows, encryption takes flight,
SSE and KMS sparkle in gentle light.
Examples in YAML and conf now sing,
S3 buckets hum secure everything. 🔐

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs: s3: SSE configuration docs' directly and clearly summarizes the main change: adding SSE (server-side encryption) configuration documentation for the S3 output plugin.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[patrick-stephens]

@GabrielYamin I think this is functionality waiting for the PR to be merged right?

[GabrielYamin]

@patrick-stephens, The BL PR is still in draft, I'll be opening it for review very soon.
fluent/fluent-bit#11410
Thank you for the fast response!!!

[GabrielYamin]

PR is ready for review @patrick-stephens
Thanks :)

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pipeline/outputs/s3.md (1)

117-132: Document required KMS permissions for SSE-KMS encryption.

The permissions section only lists s3:PutObject, but when using sse: aws:kms or sse: aws:kms:dsse, additional KMS permissions are required. Without these, uploads will fail with permission errors.

Required KMS permissions:

• kms:GenerateDataKey - Required for encrypting objects
• kms:Decrypt - Required if using customer-managed keys

📋 Suggested documentation update

Add a new subsection after line 132:

### Additional permissions for SSE-KMS

When using server-side encryption with AWS KMS (`sse: aws:kms` or `sse: aws:kms:dsse`), the following KMS permissions are also required:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": "arn:aws:kms:region:account-id:key/key-id"
  }]
}

Replace region, account-id, and key-id with your specific KMS key details. If using the AWS-managed S3 key (when sse_kms_key_id is not specified), permissions are managed automatically.

</details>

</blockquote></details>

</blockquote></details>

🧹 Nitpick comments (1)

pipeline/outputs/s3.md (1)

579-617: Consider adding examples for SSE-S3 and DSSE-KMS.

The example demonstrates SSE-KMS effectively, but users may also need guidance on:

• SSE-S3 (simpler, no KMS key required): Just set sse: AES256
• DSSE-KMS (dual-layer encryption): Use sse: aws:kms:dsse with a KMS key ARN

Adding brief examples of these variants would provide more complete documentation coverage.

📝 Suggested additional examples

Add after line 617:

An example using SSE-S3 encryption (S3-managed keys):

{% tabs %}
{% tab title="fluent-bit.yaml" %}

```yaml
pipeline:

  outputs:
    - name: s3
      match: '*'
      bucket: your-bucket
      region: us-east-1
      sse: AES256

{% endtab %}
{% tab title="fluent-bit.conf" %}

[OUTPUT]
  Name     s3
  Match    *
  bucket   your-bucket
  region   us-east-1
  sse      AES256

{% endtab %}
{% endtabs %}

</details>

</blockquote></details>

</blockquote></details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->