Example 1 with CryptoConfiguration

Use of com.amazonaws.services.s3.model.CryptoConfiguration in project presto by prestodb: class PrestoS3FileSystem, method createAmazonS3Client.

private AmazonS3Client createAmazonS3Client(URI uri, Configuration hadoopConfig, ClientConfiguration clientConfig) {
    AWSCredentialsProvider credentials = getAwsCredentialsProvider(uri, hadoopConfig);
    Optional<EncryptionMaterialsProvider> emp = createEncryptionMaterialsProvider(hadoopConfig);
    AmazonS3Client client;
    String signerType = hadoopConfig.get(S3_SIGNER_TYPE);
    if (signerType != null) {
        clientConfig.withSignerOverride(signerType);
    }
    // client-side encryption is enabled only when encryption materials (KMS or key pair) are configured;
    // the default CryptoConfiguration is used, so the SDK's default CryptoMode applies
    if (emp.isPresent()) {
        client = new AmazonS3EncryptionClient(credentials, emp.get(), clientConfig, new CryptoConfiguration(), METRIC_COLLECTOR);
    } else {
        client = new AmazonS3Client(credentials, clientConfig, METRIC_COLLECTOR);
    }
    // use local region when running inside of EC2
    if (pinS3ClientToCurrentRegion) {
        Region region = Regions.getCurrentRegion();
        if (region != null) {
            client.setRegion(region);
        }
    }
    String endpoint = hadoopConfig.get(S3_ENDPOINT);
    if (endpoint != null) {
        client.setEndpoint(endpoint);
    }
    return client;
}
Also used: AmazonS3Client (com.amazonaws.services.s3.AmazonS3Client), AmazonS3EncryptionClient (com.amazonaws.services.s3.AmazonS3EncryptionClient), EncryptionMaterialsProvider (com.amazonaws.services.s3.model.EncryptionMaterialsProvider), KMSEncryptionMaterialsProvider (com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider), CryptoConfiguration (com.amazonaws.services.s3.model.CryptoConfiguration), Region (com.amazonaws.regions.Region), AWSCredentialsProvider (com.amazonaws.auth.AWSCredentialsProvider)

Example 2 with CryptoConfiguration

Use of com.amazonaws.services.s3.model.CryptoConfiguration in project components by Talend: class S3Connection, method createClient.

public static AmazonS3 createClient(S3OutputProperties properties) {
    S3DatasetProperties data_set = properties.getDatasetProperties();
    S3DatastoreProperties data_store = properties.getDatasetProperties().getDatastoreProperties();
    com.amazonaws.auth.AWSCredentials credentials = new com.amazonaws.auth.BasicAWSCredentials(data_store.accessKey.getValue(), data_store.secretKey.getValue());
    Region region = RegionUtils.getRegion(data_set.region.getValue().getValue());
    Boolean clientSideEnc = data_set.encryptDataInMotion.getValue();
    AmazonS3 conn = null;
    if (clientSideEnc != null && clientSideEnc) {
        // client-side encryption: data keys are wrapped by the configured KMS customer master key
        String kms_cmk = data_set.kmsForDataInMotion.getValue();
        KMSEncryptionMaterialsProvider encryptionMaterialsProvider = new KMSEncryptionMaterialsProvider(kms_cmk);
        conn = new AmazonS3EncryptionClient(credentials, encryptionMaterialsProvider,
                new CryptoConfiguration().withAwsKmsRegion(region));
    } else {
        // no client-side encryption: plain client with static credentials
        AWSCredentialsProvider basicCredentialsProvider = new StaticCredentialsProvider(credentials);
        conn = new AmazonS3Client(basicCredentialsProvider);
    }
    conn.setRegion(region);
    return conn;
}
Also used: AmazonS3 (com.amazonaws.services.s3.AmazonS3), AmazonS3EncryptionClient (com.amazonaws.services.s3.AmazonS3EncryptionClient), StaticCredentialsProvider (com.amazonaws.internal.StaticCredentialsProvider), KMSEncryptionMaterialsProvider (com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider), CryptoConfiguration (com.amazonaws.services.s3.model.CryptoConfiguration), S3DatasetProperties (org.talend.components.simplefileio.s3.S3DatasetProperties), AmazonS3Client (com.amazonaws.services.s3.AmazonS3Client), Region (com.amazonaws.regions.Region), S3DatastoreProperties (org.talend.components.simplefileio.s3.S3DatastoreProperties), AWSCredentialsProvider (com.amazonaws.auth.AWSCredentialsProvider)

Example 3 with CryptoConfiguration

Use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs: class S3Encrypt, method authenticatedEncryption_CustomerManagedKey.

/**
 * Uses AES/GCM with AESWrap key wrapping to encrypt the key. Uses the v2 metadata schema. Note that authenticated
 * encryption requires the Bouncy Castle provider to be on the classpath. Also, for authenticated encryption the size
 * of the data can be no longer than 64 GB.
 */
// snippet-start:[s3.java1.s3_encrypt.authenticated_encryption]
public void authenticatedEncryption_CustomerManagedKey() throws NoSuchAlgorithmException {
    // snippet-start:[s3.java1.s3_encrypt.authenticated_encryption_build]
    // a fresh AES key is generated on every run; a real deployment must persist the key to read the objects back
    SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey();
    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption))
            .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey)))
            .build();
    AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
    // snippet-end:[s3.java1.s3_encrypt.authenticated_encryption_build]
    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents");
    System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY));
    // in (non-strict) AuthenticatedEncryption mode the encryption client also returns objects that were stored unencrypted
    System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY));
}
Also used: AmazonS3 (com.amazonaws.services.s3.AmazonS3), SecretKey (javax.crypto.SecretKey), AmazonS3Encryption (com.amazonaws.services.s3.AmazonS3Encryption)

Example 4 with CryptoConfiguration

Use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs: class S3Encrypt, method strictAuthenticatedEncryption_RangeGet_CustomerManagedKey.

/**
 * Strict authenticated encryption mode does not support ranged GETs. This is because a ranged GET must use AES/CTR,
 * which is not an authenticated encryption algorithm. To do a partial get using authenticated encryption you have to
 * get the whole object and filter to the data you want.
 */
public void strictAuthenticatedEncryption_RangeGet_CustomerManagedKey() throws NoSuchAlgorithmException {
    SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey();
    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption))
            .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey)))
            .build();
    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    try {
        // strict mode refuses the range request rather than silently falling back to unauthenticated AES/CTR
        s3Encryption.getObject(new GetObjectRequest(BUCKET_NAME, ENCRYPTED_KEY).withRange(0, 2));
    } catch (SecurityException e) {
        System.err.println("Range GET is not supported with authenticated encryption");
    }
}
Also used: SecretKey (javax.crypto.SecretKey), AmazonS3Encryption (com.amazonaws.services.s3.AmazonS3Encryption)

Example 5 with CryptoConfiguration

Use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs: class S3Encrypt, method authenticatedEncryption_RangeGet_CustomerManagedKey.

/**
 * For ranged GETs we do not use authenticated encryption, since we are not reading the entire message and cannot produce the
 * MAC. Instead we use AES/CTR, an unauthenticated encryption algorithm. If {@link CryptoMode#StrictAuthenticatedEncryption}
 * is enabled, ranged GETs are not allowed, since they do not use authenticated encryption.
 */
public void authenticatedEncryption_RangeGet_CustomerManagedKey() throws NoSuchAlgorithmException {
    SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey();
    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption))
            .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey)))
            .build();
    AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents");
    System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY));
    // in (non-strict) AuthenticatedEncryption mode the encryption client also returns objects that were stored unencrypted
    System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY));
}
Also used: AmazonS3 (com.amazonaws.services.s3.AmazonS3), SecretKey (javax.crypto.SecretKey), AmazonS3Encryption (com.amazonaws.services.s3.AmazonS3Encryption)
