use of com.amazonaws.services.s3.model.CryptoConfiguration in project presto by prestodb.
the class PrestoS3FileSystem method createAmazonS3Client.
/**
 * Builds the S3 client for the given URI from the Hadoop and SDK client configuration.
 *
 * <p>Credentials come from {@code getAwsCredentialsProvider}. When
 * {@code createEncryptionMaterialsProvider} yields a provider, the result is a
 * client-side-encrypting {@link AmazonS3EncryptionClient}; otherwise it is a plain
 * {@link AmazonS3Client}. A signer override, the current region and a custom endpoint are
 * applied only when configured.
 *
 * @param uri location passed to the credentials-provider lookup
 * @param hadoopConfig configuration read for the signer type, encryption materials and endpoint
 * @param clientConfig SDK client configuration; the signer override is set on this instance
 * @return the configured client
 */
private AmazonS3Client createAmazonS3Client(URI uri, Configuration hadoopConfig, ClientConfiguration clientConfig) {
    AWSCredentialsProvider credentials = getAwsCredentialsProvider(uri, hadoopConfig);
    Optional<EncryptionMaterialsProvider> emp = createEncryptionMaterialsProvider(hadoopConfig);

    // The override must be in place before the client is constructed from clientConfig.
    String signerOverride = hadoopConfig.get(S3_SIGNER_TYPE);
    if (signerOverride != null) {
        clientConfig.withSignerOverride(signerOverride);
    }

    // NOTE(review): the no-arg CryptoConfiguration leaves the crypto mode at the SDK default,
    // which in the v1 SDK is presumably EncryptionOnly (confidentiality without an integrity
    // check). Confirm, and consider selecting an authenticated mode explicitly. Strict
    // authenticated mode rejects ranged GETs, so check how this file system reads objects first.
    AmazonS3Client s3 = emp.isPresent()
            ? new AmazonS3EncryptionClient(credentials, emp.get(), clientConfig, new CryptoConfiguration(), METRIC_COLLECTOR)
            : new AmazonS3Client(credentials, clientConfig, METRIC_COLLECTOR);

    // use local region when running inside of EC2
    Region currentRegion = pinS3ClientToCurrentRegion ? Regions.getCurrentRegion() : null;
    if (currentRegion != null) {
        s3.setRegion(currentRegion);
    }

    // Applied after the region, so an explicitly configured endpoint is the last setting made.
    String endpointOverride = hadoopConfig.get(S3_ENDPOINT);
    if (endpointOverride != null) {
        s3.setEndpoint(endpointOverride);
    }
    return s3;
}
use of com.amazonaws.services.s3.model.CryptoConfiguration in project components by Talend.
the class S3Connection method createClient.
/**
 * Creates an S3 client for the dataset described by {@code properties}.
 *
 * <p>When the dataset's {@code encryptDataInMotion} flag is {@code true}, the client encrypts
 * on the client side with the KMS key named by {@code kmsForDataInMotion}; otherwise a plain
 * client is returned. Either way the client is bound to the dataset's region.
 *
 * @param properties output properties carrying the dataset and datastore settings
 * @return an S3 client set to the dataset's region
 */
public static AmazonS3 createClient(S3OutputProperties properties) {
    S3DatasetProperties dataset = properties.getDatasetProperties();
    S3DatastoreProperties datastore = properties.getDatasetProperties().getDatastoreProperties();

    // NOTE(review): static access/secret keys are read straight from the datastore
    // properties; how they are stored and rotated is not visible here. Verify, and prefer a
    // credentials provider chain or role-based credentials where the deployment allows it.
    com.amazonaws.auth.AWSCredentials credentials = new com.amazonaws.auth.BasicAWSCredentials(
            datastore.accessKey.getValue(), datastore.secretKey.getValue());
    Region region = RegionUtils.getRegion(dataset.region.getValue().getValue());
    Boolean encryptInMotion = dataset.encryptDataInMotion.getValue();

    final AmazonS3 conn;
    if (Boolean.TRUE.equals(encryptInMotion)) {
        KMSEncryptionMaterialsProvider kmsMaterials =
                new KMSEncryptionMaterialsProvider(dataset.kmsForDataInMotion.getValue());
        // NOTE(review): only the KMS region is set, so the crypto mode stays at the SDK default;
        // confirm which mode that is and choose an authenticated mode explicitly if it is not one.
        CryptoConfiguration cryptoConfig = new CryptoConfiguration().withAwsKmsRegion(region);
        conn = new AmazonS3EncryptionClient(credentials, kmsMaterials, cryptoConfig);
    } else {
        conn = new AmazonS3Client(new StaticCredentialsProvider(credentials));
    }
    conn.setRegion(region);
    return conn;
}
use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs.
the class S3Encrypt method authenticatedEncryption_CustomerManagedKey.
/**
 * Encrypts with AES/GCM and wraps the content key with AESWrap, using the v2 metadata schema.
 * Authenticated encryption requires the bouncy castle provider to be on the classpath, and the
 * data can be no longer than 64 GB.
 *
 * <p>Writes one object through the encryption client and one through a plain client, then reads
 * both back through the encryption client and prints them.
 *
 * @throws NoSuchAlgorithmException if no provider supplies an "AES" key generator
 */
// snippet-start:[s3.java1.s3_encrypt.authenticated_encryption]
public void authenticatedEncryption_CustomerManagedKey() throws NoSuchAlgorithmException {
    // snippet-start:[s3.java1.s3_encrypt.authenticated_encryption_build]
    // The key lives only in this local variable: once the method returns, nothing can decrypt
    // the object written below. Real code must persist and protect the key material.
    // NOTE(review): no key size is requested, so the provider default applies; confirm.
    KeyGenerator aesKeyGenerator = KeyGenerator.getInstance("AES");
    SecretKey secretKey = aesKeyGenerator.generateKey();
    EncryptionMaterials materials = new EncryptionMaterials(secretKey);
    CryptoConfiguration cryptoConfig = new CryptoConfiguration(CryptoMode.AuthenticatedEncryption);
    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            .withCryptoConfiguration(cryptoConfig)
            .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(materials))
            .build();
    AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.standard()
            .withRegion(Regions.DEFAULT_REGION)
            .build();
    // snippet-end:[s3.java1.s3_encrypt.authenticated_encryption_build]

    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents");

    // The second read fetches the object that was stored unencrypted, through the encryption
    // client. A successful read through this client is therefore not evidence that the object
    // was encrypted or integrity-protected at rest.
    String decrypted = s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY);
    System.out.println(decrypted);
    String plain = s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY);
    System.out.println(plain);
}
use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs.
the class S3Encrypt method strictAuthenticatedEncryption_RangeGet_CustomerManagedKey.
// snippet-end:[s3.java1.s3_encrypt.strict_authenticated_encryption]
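/**
 * Strict authenticated encryption mode does not support ranged GETs. This is because ranged
 * GETs must use AES/CTR, which is not an authenticated encryption algorithm. To do a partial
 * get using strict authenticated encryption you have to get the whole object and filter to the
 * data you want.
 *
 * <p>Writes one object with a strict-mode client, then attempts a ranged GET of bytes 0-2 and
 * reports the {@link SecurityException} raised for it.
 *
 * @throws NoSuchAlgorithmException if no provider supplies an "AES" key generator
 */
public void strictAuthenticatedEncryption_RangeGet_CustomerManagedKey() throws NoSuchAlgorithmException {
    // The key is never stored, so the object written below cannot be decrypted after this
    // method returns; real code must persist and protect the key material.
    SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey();
    CryptoConfiguration strictConfig = new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption);
    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            .withCryptoConfiguration(strictConfig)
            .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey)))
            .build();

    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    try {
        s3Encryption.getObject(new GetObjectRequest(BUCKET_NAME, ENCRYPTED_KEY).withRange(0, 2));
    } catch (SecurityException e) {
        // Only strict mode rejects the ranged read; the message names the mode so it is not
        // taken to apply to CryptoMode.AuthenticatedEncryption as well.
        System.err.println("Range GET is not supported with strict authenticated encryption");
    }
}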
use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs.
the class S3Encrypt method authenticatedEncryption_RangeGet_CustomerManagedKey.
// snippet-end:[s3.java1.s3_encrypt.authenticated_encryption]
/**
 * For ranged GET we do not use authenticated encryption since we aren't reading the entire
 * message and can't produce the MAC. Instead we use AES/CTR, an unauthenticated encryption
 * algorithm. If {@link CryptoMode#StrictAuthenticatedEncryption} is enabled, ranged GETs will
 * not be allowed since they do not use authenticated encryption.
 *
 * <p>NOTE(review): as shown here the body issues only whole-object reads and never a ranged
 * GET, so it does not exercise the behaviour described above. Confirm against the upstream
 * example.
 *
 * @throws NoSuchAlgorithmException if no provider supplies an "AES" key generator
 */
public void authenticatedEncryption_RangeGet_CustomerManagedKey() throws NoSuchAlgorithmException {
    // Throwaway key: nothing can decrypt the stored object once this method returns.
    KeyGenerator aesKeyGenerator = KeyGenerator.getInstance("AES");
    SecretKey secretKey = aesKeyGenerator.generateKey();
    StaticEncryptionMaterialsProvider materialsProvider =
            new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey));
    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption))
            .withEncryptionMaterials(materialsProvider)
            .build();
    AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.standard()
            .withRegion(Regions.DEFAULT_REGION)
            .build();

    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents");

    // Both objects are read through the encryption client, including the one stored in the
    // clear; a partial read in this mode would give up the integrity check on the data returned.
    String decrypted = s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY);
    System.out.println(decrypted);
    String plain = s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY);
    System.out.println(plain);
}