- Encryption at rest for AWS SNS and/or AWS SQS which can optionally be configured by specifying the KMS key alias or KMS key id as a tomodachi service option `options.aws_sns_sqs.sns_kms_master_key_id` (to configure encryption at rest on the SNS topics for which the tomodachi service handles the SNS -\> SQS subscriptions) and/or `options.aws_sns_sqs.sqs_kms_master_key_id` (to configure encryption at rest for the SQS queues which the service is consuming).
Note that an option value set to empty string (`""`) or `False` will unset the KMS master key id and thus disable encryption at rest. (The AWS APIs for SNS and SQS uses empty string value to the KMSMasterKeyId attribute to disable encryption with KMS if it was previously enabled).
If instead an option is completely unset or set to `None` value no changes will be done to the KMS related attributes on an existing topic or queue.
If it's expected that the services themselves, via their IAM credentials or assumed role, are responsible for creating queues and topics, these options could be used to provide encryption at rest without additional manual intervention
*However, do not use these options if you instead are using IaC tooling to handle the topics, queues and subscriptions or that they for example are created / updated as a part of deployments. To not have the service update any attributes keep the options unset or set to a* `None` *value.*
See further details about AWS KMS for AWS SNS+SQS at:
- <https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html>
- <https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms>.
- Fixes an issue where a GET request to an endpoint serving static files via `http_static` could be crafted to probe the directory structure setup (but not read file content outside of its permitted path), by applying directory traversal techniques. This could expose the internal directory structure of the file system in the container or environment that the service is hosted on. Limited to if `http_static` handlers were used within the service and those endpoints could be accessed.
- Additional validation for the path used in the `http_static` decorator to prevent a developer from accidentally supplying a `"/"` or `""` value to the `path` argument, which in those cases could lead to unintended files being exposed via the static file handler.