Example 11 with CryptoConfiguration

Use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs.

Class UploadObjectKMSKey, method main.

public static void main(String[] args) throws IOException {
    String bucketName = "*** Bucket name ***";
    String keyName = "*** Object key name ***";
    Regions clientRegion = Regions.DEFAULT_REGION;
    String kms_cmk_id = "*** AWS KMS customer master key ID ***";
    int readChunkSize = 4096;

    try {
        // Optional: If you don't have a KMS key (or need another one),
        // create one. This example creates a key with AWS-created
        // key material.
        AWSKMS kmsClient = AWSKMSClientBuilder.standard().withRegion(clientRegion).build();
        CreateKeyResult keyResult = kmsClient.createKey();
        kms_cmk_id = keyResult.getKeyMetadata().getKeyId();

        // Create the encryption client. KMS only wraps the per-object data key;
        // the object body is encrypted client-side before it leaves this process.
        // The KMS region is pinned to the client region (by region name, e.g.
        // "us-west-2") so decryption does not call a different regional endpoint.
        KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(kms_cmk_id);
        CryptoConfiguration cryptoConfig = new CryptoConfiguration()
                .withAwsKmsRegion(RegionUtils.getRegion(clientRegion.getName()));
        AmazonS3Encryption encryptionClient = AmazonS3EncryptionClientBuilder.standard()
                .withCredentials(new ProfileCredentialsProvider())
                .withEncryptionMaterials(materialProvider)
                .withCryptoConfiguration(cryptoConfig)
                .withRegion(clientRegion)
                .build();

        // Upload an object using the encryption client.
        String origContent = "S3 Encrypted Object Using KMS-Managed Customer Master Key.";
        int origContentLength = origContent.length();
        encryptionClient.putObject(bucketName, keyName, origContent);

        // Download the object. The bytes stored in S3 are ciphertext; the
        // encryption client decrypts them transparently as the stream is read.
        S3Object downloadedObject = encryptionClient.getObject(bucketName, keyName);
        S3ObjectInputStream input = downloadedObject.getObjectContent();

        // Decrypt and read the object, then close the input stream.
        byte[] readBuffer = new byte[readChunkSize];
        ByteArrayOutputStream baos = new ByteArrayOutputStream(readChunkSize);
        int bytesRead = 0;
        int decryptedContentLength = 0;
        while ((bytesRead = input.read(readBuffer)) != -1) {
            baos.write(readBuffer, 0, bytesRead);
            decryptedContentLength += bytesRead;
        }
        input.close();

        // Verify that the original and decrypted contents are the same size.
        // (A length match is a sanity check only; compare the bytes in baos
        // against origContent to verify the round trip properly.)
        System.out.println("Original content length: " + origContentLength);
        System.out.println("Decrypted content length: " + decryptedContentLength);
    } catch (AmazonServiceException e) {
        // The call was transmitted successfully, but Amazon S3 couldn't process
        // it, so it returned an error response.
        e.printStackTrace();
    } catch (SdkClientException e) {
        // Amazon S3 couldn't be contacted for a response, or the client
        // couldn't parse the response from Amazon S3.
        e.printStackTrace();
    }
}
Also used: KMSEncryptionMaterialsProvider (com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider), CryptoConfiguration (com.amazonaws.services.s3.model.CryptoConfiguration), Regions (com.amazonaws.regions.Regions), S3ObjectInputStream (com.amazonaws.services.s3.model.S3ObjectInputStream), ByteArrayOutputStream (java.io.ByteArrayOutputStream), AWSKMS (com.amazonaws.services.kms.AWSKMS), CreateKeyResult (com.amazonaws.services.kms.model.CreateKeyResult), SdkClientException (com.amazonaws.SdkClientException), AmazonServiceException (com.amazonaws.AmazonServiceException), ProfileCredentialsProvider (com.amazonaws.auth.profile.ProfileCredentialsProvider), AmazonS3Encryption (com.amazonaws.services.s3.AmazonS3Encryption), S3Object (com.amazonaws.services.s3.model.S3Object)

Example 12 with CryptoConfiguration

Use of com.amazonaws.services.s3.model.CryptoConfiguration in project zeppelin by apache.

Class S3NotebookRepo, method init.

public void init(ZeppelinConfiguration conf) throws IOException {
    this.conf = conf;
    bucketName = conf.getS3BucketName();
    user = conf.getS3User();
    rootFolder = user + "/notebook";
    useServerSideEncryption = conf.isS3ServerSideEncryption();
    if (StringUtils.isNotBlank(conf.getS3CannedAcl())) {
        objectCannedAcl = CannedAccessControlList.valueOf(conf.getS3CannedAcl());
    }

    // always use the default provider chain
    AWSCredentialsProvider credentialsProvider = new DefaultAWSCredentialsProviderChain();

    // A CryptoConfiguration built with no arguments defaults to
    // CryptoMode.EncryptionOnly (AES/CBC content encryption, no integrity
    // check on download). Only the KMS region is customised here.
    CryptoConfiguration cryptoConf = new CryptoConfiguration();
    String keyRegion = conf.getS3KMSKeyRegion();
    if (StringUtils.isNotBlank(keyRegion)) {
        cryptoConf.setAwsKmsRegion(Region.getRegion(Regions.fromName(keyRegion)));
    }

    ClientConfiguration cliConf = createClientConfiguration();

    // see if we should be encrypting data in S3
    String kmsKeyID = conf.getS3KMSKeyID();
    if (kmsKeyID != null) {
        // use AWS KMS to wrap the per-object data key (client-side encryption)
        KMSEncryptionMaterialsProvider emp = new KMSEncryptionMaterialsProvider(kmsKeyID);
        this.s3client = new AmazonS3EncryptionClient(credentialsProvider, emp, cliConf, cryptoConf);
    } else if (conf.getS3EncryptionMaterialsProviderClass() != null) {
        // use a custom encryption materials provider class
        EncryptionMaterialsProvider emp = createCustomProvider(conf);
        this.s3client = new AmazonS3EncryptionClient(credentialsProvider, emp, cliConf, cryptoConf);
    } else {
        // regular S3: no client-side encryption; only server-side encryption,
        // if enabled above, protects notebooks at rest
        this.s3client = new AmazonS3Client(credentialsProvider, cliConf);
    }
    s3client.setS3ClientOptions(S3ClientOptions.builder()
            .setPathStyleAccess(conf.isS3PathStyleAccess())
            .build());

    // set S3 endpoint to use
    s3client.setEndpoint(conf.getS3Endpoint());
}
Also used: DefaultAWSCredentialsProviderChain (com.amazonaws.auth.DefaultAWSCredentialsProviderChain), AmazonS3Client (com.amazonaws.services.s3.AmazonS3Client), AmazonS3EncryptionClient (com.amazonaws.services.s3.AmazonS3EncryptionClient), KMSEncryptionMaterialsProvider (com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider), EncryptionMaterialsProvider (com.amazonaws.services.s3.model.EncryptionMaterialsProvider), CryptoConfiguration (com.amazonaws.services.s3.model.CryptoConfiguration), AWSCredentialsProvider (com.amazonaws.auth.AWSCredentialsProvider), ClientConfiguration (com.amazonaws.ClientConfiguration)

Example 13 with CryptoConfiguration

Use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs.

Class S3Encrypt, method authenticatedEncryption_CustomerManagedAsymmetricKey.

/**
 * Same as {@link #authenticatedEncryption_CustomerManagedKey()} except uses an asymmetric key pair and
 * RSA/ECB/OAEPWithSHA-256AndMGF1Padding as the key wrapping algorithm.
 */
public void authenticatedEncryption_CustomerManagedAsymmetricKey() throws NoSuchAlgorithmException {
    // Demo only: a key pair generated per call means nothing written here can be
    // decrypted once the process exits. Real code loads a persistent key pair.
    KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            // AuthenticatedEncryption uses AES/GCM for the content, so modified
            // ciphertext is detected on download.
            .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption))
            .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(keyPair)))
            .build();
    AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();

    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents");
    System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY));
    // In AuthenticatedEncryption mode an object that carries no encryption
    // metadata is returned as-is; StrictAuthenticatedEncryption rejects it instead.
    System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY));
}
Also used: AmazonS3 (com.amazonaws.services.s3.AmazonS3), KeyPair (java.security.KeyPair), AmazonS3Encryption (com.amazonaws.services.s3.AmazonS3Encryption)

Example 14 with CryptoConfiguration

Use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs.

Class S3Encrypt, method encryptionOnly_RangeGet_CustomerManagedKey.

/**
 * Non-authenticated encryption schemes can do range GETs without an issue.
 */
// snippet-start:[s3.java1.s3_encrypt.encryption_only]
public void encryptionOnly_RangeGet_CustomerManagedKey() throws NoSuchAlgorithmException {
    SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey();
    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            // EncryptionOnly uses AES/CBC for the content: a byte range can be
            // decrypted on its own, but the client cannot detect tampered ciphertext.
            .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly))
            .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey)))
            .build();

    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    // Fetch only plaintext bytes 0-2. This prints the S3Object handle; read
    // getObjectContent() to see the decrypted bytes themselves.
    System.out.println(s3Encryption.getObject(new GetObjectRequest(BUCKET_NAME, ENCRYPTED_KEY).withRange(0, 2)));
}
Also used: SecretKey (javax.crypto.SecretKey), AmazonS3Encryption (com.amazonaws.services.s3.AmazonS3Encryption)

Example 15 with CryptoConfiguration

Use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs.

Class S3Encrypt, method authenticatedEncryption_KmsManagedKey.

/**
 * This uses the V2 metadata schema with a key wrap algorithm of 'kms' and a CEK algorithm of AES/GCM/NoPadding.
 */
// snippet-start:[s3.java1.s3_encrypt.kms_authenticated_encryption]
public void authenticatedEncryption_KmsManagedKey() throws NoSuchAlgorithmException {
    // snippet-start:[s3.java1.s3_encrypt.kms_authenticated_encryption_builder]
    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            // Pin the KMS region explicitly: the data key is wrapped and unwrapped
            // by KMS in that region, independent of where the bucket lives.
            .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)
                    .withAwsKmsRegion(Region.getRegion(Regions.US_WEST_2)))
            // The materials provider only needs a key identifier; an alias works too.
            .withEncryptionMaterials(new KMSEncryptionMaterialsProvider("alias/s3-kms-key"))
            .build();
    AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
    // snippet-end:[s3.java1.s3_encrypt.kms_authenticated_encryption_builder]

    // snippet-start:[s3.java1.s3_encrypt.kms_authenticated_encryption_put_object]
    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents");
    System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY));
    // Non-encrypted objects are still readable in AuthenticatedEncryption mode.
    System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY));
    // snippet-end:[s3.java1.s3_encrypt.kms_authenticated_encryption_put_object]
}
Also used: AmazonS3 (com.amazonaws.services.s3.AmazonS3), AmazonS3Encryption (com.amazonaws.services.s3.AmazonS3Encryption)
