Use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs:
class UploadObjectKMSKey, method main.
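/**
 * Creates a KMS key, uploads an object through the S3 client-side encryption client,
 * downloads it again and prints the original and decrypted content lengths.
 *
 * <p>The bucket, key name and KMS key placeholders must be replaced before running.
 * Note that the KMS key ID placeholder is overwritten below: every run of this example
 * creates a brand-new KMS key, which is billed and has to be scheduled for deletion
 * separately; reuse an existing key ID if you do not want that.
 *
 * @param args unused
 * @throws IOException if reading the downloaded object content fails
 */
public static void main(String[] args) throws IOException {
    String bucketName = "*** Bucket name ***";
    String keyName = "*** Object key name ***";
    Regions clientRegion = Regions.DEFAULT_REGION;
    String kmsKeyId = "*** AWS KMS customer master key ID ***";
    int readChunkSize = 4096;

    try {
        // Optional: If you don't have a KMS key (or need another one),
        // create one. This example creates a key with AWS-created
        // key material.
        AWSKMS kmsClient = AWSKMSClientBuilder.standard().withRegion(clientRegion).build();
        CreateKeyResult keyResult = kmsClient.createKey();
        kmsKeyId = keyResult.getKeyMetadata().getKeyId();

        // Create the encryption client. KMS keys are regional: the crypto configuration's
        // KMS region must be the region the key was created in.
        KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(kmsKeyId);
        CryptoConfiguration cryptoConfig = new CryptoConfiguration()
                .withAwsKmsRegion(RegionUtils.getRegion(clientRegion.toString()));
        AmazonS3Encryption encryptionClient = AmazonS3EncryptionClientBuilder.standard()
                .withCredentials(new ProfileCredentialsProvider())
                .withEncryptionMaterials(materialProvider)
                .withCryptoConfiguration(cryptoConfig)
                .withRegion(clientRegion)
                .build();

        // Upload an object using the encryption client: the content is encrypted on the
        // client before it leaves the process.
        String origContent = "S3 Encrypted Object Using KMS-Managed Customer Master Key.";
        // length() counts chars; it equals the byte count only because the content is ASCII.
        int origContentLength = origContent.length();
        encryptionClient.putObject(bucketName, keyName, origContent);

        // Download the object. What S3 stores is ciphertext; the encryption client decrypts
        // transparently while the content stream is read.
        S3Object downloadedObject = encryptionClient.getObject(bucketName, keyName);

        // Decrypt and read the object. try-with-resources closes the stream even when a
        // read() throws, so the underlying HTTP connection is never leaked.
        byte[] readBuffer = new byte[readChunkSize];
        ByteArrayOutputStream baos = new ByteArrayOutputStream(readChunkSize);
        try (S3ObjectInputStream input = downloadedObject.getObjectContent()) {
            int bytesRead;
            while ((bytesRead = input.read(readBuffer)) != -1) {
                baos.write(readBuffer, 0, bytesRead);
            }
        }
        int decryptedContentLength = baos.size();

        // Verify that the original and decrypted contents are the same size.
        System.out.println("Original content length: " + origContentLength);
        System.out.println("Decrypted content length: " + decryptedContentLength);
    } catch (AmazonServiceException e) {
        // The call was transmitted successfully, but Amazon S3 couldn't process
        // it, so it returned an error response.
        e.printStackTrace();
    } catch (SdkClientException e) {
        // Amazon S3 couldn't be contacted for a response, or the client
        // couldn't parse the response from Amazon S3.
        e.printStackTrace();
    }
}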
Use of com.amazonaws.services.s3.model.CryptoConfiguration in project zeppelin by apache:
class S3NotebookRepo, method init.
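/**
 * Initializes the S3-backed notebook repository from the given configuration.
 *
 * <p>Three client flavours are possible, chosen in this order: a client-side
 * encryption client backed by AWS KMS when a KMS key ID is configured, an
 * encryption client backed by a custom {@code EncryptionMaterialsProvider}
 * class when one is configured, otherwise a plain S3 client. Credentials always
 * come from the default AWS provider chain. Canned ACL, path-style access and
 * the endpoint are applied from the configuration as well.
 *
 * @param conf the Zeppelin configuration the S3 settings are read from
 * @throws IOException as declared by the repository initialization contract
 */
public void init(ZeppelinConfiguration conf) throws IOException {
    this.conf = conf;
    bucketName = conf.getS3BucketName();
    user = conf.getS3User();
    rootFolder = user + "/notebook";
    useServerSideEncryption = conf.isS3ServerSideEncryption();
    if (StringUtils.isNotBlank(conf.getS3CannedAcl())) {
        // valueOf() throws IllegalArgumentException on an unknown ACL name: failing fast is
        // preferable to silently uploading notebooks with a different ACL than intended.
        objectCannedAcl = CannedAccessControlList.valueOf(conf.getS3CannedAcl());
    }

    // always use the default provider chain
    AWSCredentialsProvider credentialsProvider = new DefaultAWSCredentialsProviderChain();

    CryptoConfiguration cryptoConf = new CryptoConfiguration();
    String keyRegion = conf.getS3KMSKeyRegion();
    if (StringUtils.isNotBlank(keyRegion)) {
        // KMS keys are regional; point the crypto config at the key's region when it is
        // configured. Regions.fromName() rejects unknown region names.
        cryptoConf.setAwsKmsRegion(Region.getRegion(Regions.fromName(keyRegion)));
    }

    ClientConfiguration cliConf = createClientConfiguration();

    // see if we should be encrypting data in S3
    String kmsKeyID = conf.getS3KMSKeyID();
    if (StringUtils.isNotBlank(kmsKeyID)) {
        // use the AWS KMS to encrypt data. Checked with isNotBlank rather than != null so
        // that an empty or whitespace-only key ID does not build an encryption client that
        // only fails on first use, and so this matches how the other S3 settings above are
        // checked.
        KMSEncryptionMaterialsProvider emp = new KMSEncryptionMaterialsProvider(kmsKeyID);
        this.s3client = new AmazonS3EncryptionClient(credentialsProvider, emp, cliConf, cryptoConf);
    } else if (conf.getS3EncryptionMaterialsProviderClass() != null) {
        // use a custom encryption materials provider class
        EncryptionMaterialsProvider emp = createCustomProvider(conf);
        this.s3client = new AmazonS3EncryptionClient(credentialsProvider, emp, cliConf, cryptoConf);
    } else {
        // regular S3: no client-side encryption; server-side encryption, if enabled, is
        // requested per object via useServerSideEncryption
        this.s3client = new AmazonS3Client(credentialsProvider, cliConf);
    }

    s3client.setS3ClientOptions(
            S3ClientOptions.builder().setPathStyleAccess(conf.isS3PathStyleAccess()).build());

    // set S3 endpoint to use
    s3client.setEndpoint(conf.getS3Endpoint());
}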
Use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs:
class S3Encrypt, method authenticatedEncryption_CustomerManagedAsymmetricKey.
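/**
 * Same as {@link #authenticatedEncryption_CustomerManagedKey()} except uses an asymmetric key pair and
 * RSA/ECB/OAEPWithSHA-256AndMGF1Padding as the key wrapping algorithm.
 *
 * <p>The key pair is generated in memory and never persisted, so objects written by this
 * method cannot be decrypted once the JVM exits. A real deployment must keep the private key
 * in a key store or HSM; losing it means losing the data.
 *
 * @throws NoSuchAlgorithmException if the runtime has no RSA key pair generator
 */
public void authenticatedEncryption_CustomerManagedAsymmetricKey() throws NoSuchAlgorithmException {
    // Pin the RSA modulus size explicitly: the default is provider-dependent (older JDKs
    // defaulted to 1024 bits). 2048 is the minimum acceptable size today.
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(2048);
    KeyPair keyPair = keyGen.generateKeyPair();

    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption))
            .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(keyPair)))
            .build();
    AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();

    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents");

    System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY));
    // In AuthenticatedEncryption mode an object without encryption metadata is returned as
    // plaintext; StrictAuthenticatedEncryption would reject it instead.
    System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY));
}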
Use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs:
class S3Encrypt, method encryptionOnly_RangeGet_CustomerManagedKey.
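/**
 * Non-authenticated encryption schemes can do range GETs without an issue.
 *
 * <p>{@code EncryptionOnly} provides confidentiality only: there is no integrity tag, so
 * modified ciphertext is not detected on read. Prefer {@code AuthenticatedEncryption}
 * unless range reads are a hard requirement.
 *
 * <p>The AES key is generated in memory and discarded with the JVM; objects written here
 * are unreadable afterwards.
 *
 * @throws NoSuchAlgorithmException if the runtime has no AES key generator
 */
// snippet-start:[s3.java1.s3_encrypt.encryption_only]
public void encryptionOnly_RangeGet_CustomerManagedKey() throws NoSuchAlgorithmException {
    // Pin the key size instead of relying on the provider default (typically 128 bits).
    // 256-bit AES needs the unlimited-strength policy on JDKs older than 8u161.
    KeyGenerator keyGen = KeyGenerator.getInstance("AES");
    keyGen.init(256);
    SecretKey secretKey = keyGen.generateKey();

    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly))
            .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey)))
            .build();

    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    // Range [0, 2] of the plaintext; only possible because the mode is not authenticated.
    System.out.println(s3Encryption.getObject(new GetObjectRequest(BUCKET_NAME, ENCRYPTED_KEY).withRange(0, 2)));
}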
Use of com.amazonaws.services.s3.model.CryptoConfiguration in project aws-doc-sdk-examples by awsdocs:
class S3Encrypt, method authenticatedEncryption_KmsManagedKey.
// snippet-end:[s3.java1.s3_encrypt.kms_encryption_only]
/**
 * KMS-backed authenticated encryption: the content is encrypted with AES/GCM/NoPadding and
 * the content key is wrapped by AWS KMS (key wrap algorithm 'kms'), which yields the V2
 * metadata schema. The KMS key is addressed by alias, so it must exist in us-west-2.
 *
 * @throws NoSuchAlgorithmException declared by the example's signature
 */
// snippet-start:[s3.java1.s3_encrypt.kms_authenticated_encryption]
public void authenticatedEncryption_KmsManagedKey() throws NoSuchAlgorithmException {
    // snippet-start:[s3.java1.s3_encrypt.kms_authenticated_encryption_builder]
    Region kmsRegion = Region.getRegion(Regions.US_WEST_2);
    CryptoConfiguration cryptoConfig = new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)
            .withAwsKmsRegion(kmsRegion);
    KMSEncryptionMaterialsProvider kmsMaterials = new KMSEncryptionMaterialsProvider("alias/s3-kms-key");
    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder.standard()
            .withRegion(Regions.US_WEST_2)
            .withCryptoConfiguration(cryptoConfig)
            .withEncryptionMaterials(kmsMaterials)
            .build();
    AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
    // snippet-end:[s3.java1.s3_encrypt.kms_authenticated_encryption_builder]

    // snippet-start:[s3.java1.s3_encrypt.kms_authenticated_encryption_put_object]
    s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents");
    s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents");

    // Both reads go through the encryption client; the second object carries no encryption
    // metadata and is handed back unchanged in this (non-strict) mode.
    String decrypted = s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY);
    System.out.println(decrypted);
    String plain = s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY);
    System.out.println(plain);
    // snippet-end:[s3.java1.s3_encrypt.kms_authenticated_encryption_put_object]
}