Created
November 10, 2019 22:16
-
-
Save ychennay/23b1a046bcc131f2ac3f3057b2ecfe39 to your computer and use it in GitHub Desktop.
AWS CMK Encryption for S3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import com.amazonaws.AmazonServiceException; | |
import com.amazonaws.SdkClientException; | |
import com.amazonaws.auth.profile.ProfileCredentialsProvider; | |
import com.amazonaws.regions.RegionUtils; | |
import com.amazonaws.regions.Regions; | |
import com.amazonaws.services.kms.AWSKMS; | |
import com.amazonaws.services.kms.AWSKMSClientBuilder; | |
import com.amazonaws.services.kms.model.CreateKeyResult; | |
import com.amazonaws.services.s3.AmazonS3Encryption; | |
import com.amazonaws.services.s3.AmazonS3EncryptionClientBuilder; | |
import com.amazonaws.services.s3.model.CryptoConfiguration; | |
import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; | |
import com.amazonaws.services.s3.model.S3Object; | |
import com.amazonaws.services.s3.model.S3ObjectInputStream; | |
import java.io.ByteArrayOutputStream; | |
import java.io.IOException; | |
public class UploadObjectKMSKey { | |
public static void main(String[] args) throws IOException { | |
String bucketName = "*** Bucket name ***"; | |
String keyName = "*** Object key name ***"; | |
Regions clientRegion = Regions.DEFAULT_REGION; | |
String kms_cmk_id = "*** AWS KMS customer master key ID ***"; | |
int readChunkSize = 4096; | |
try { | |
// Optional: If you don't have a KMS key (or need another one), | |
// create one. This example creates a key with AWS-created | |
// key material. | |
AWSKMS kmsClient = AWSKMSClientBuilder.standard() | |
.withRegion(clientRegion) | |
.build(); | |
CreateKeyResult keyResult = kmsClient.createKey(); | |
kms_cmk_id = keyResult.getKeyMetadata().getKeyId(); | |
// Create the encryption client. | |
KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(kms_cmk_id); | |
CryptoConfiguration cryptoConfig = new CryptoConfiguration() | |
.withAwsKmsRegion(RegionUtils.getRegion(clientRegion.toString())); | |
AmazonS3Encryption encryptionClient = AmazonS3EncryptionClientBuilder.standard() | |
.withCredentials(new ProfileCredentialsProvider()) | |
.withEncryptionMaterials(materialProvider) | |
.withCryptoConfiguration(cryptoConfig) | |
.withRegion(clientRegion).build(); | |
// Upload an object using the encryption client. | |
String origContent = "S3 Encrypted Object Using KMS-Managed Customer Master Key."; | |
int origContentLength = origContent.length(); | |
encryptionClient.putObject(bucketName, keyName, origContent); | |
// Download the object. The downloaded object is still encrypted. | |
S3Object downloadedObject = encryptionClient.getObject(bucketName, keyName); | |
S3ObjectInputStream input = downloadedObject.getObjectContent(); | |
// Decrypt and read the object and close the input stream. | |
byte[] readBuffer = new byte[readChunkSize]; | |
ByteArrayOutputStream baos = new ByteArrayOutputStream(readChunkSize); | |
int bytesRead = 0; | |
int decryptedContentLength = 0; | |
while ((bytesRead = input.read(readBuffer)) != -1) { | |
baos.write(readBuffer, 0, bytesRead); | |
decryptedContentLength += bytesRead; | |
} | |
input.close(); | |
// Verify that the original and decrypted contents are the same size. | |
System.out.println("Original content length: " + origContentLength); | |
System.out.println("Decrypted content length: " + decryptedContentLength); | |
} catch (AmazonServiceException e) { | |
// The call was transmitted successfully, but Amazon S3 couldn't process | |
// it, so it returned an error response. | |
e.printStackTrace(); | |
} catch (SdkClientException e) { | |
// Amazon S3 couldn't be contacted for a response, or the client | |
// couldn't parse the response from Amazon S3. | |
e.printStackTrace(); | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment