Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Specifying the AWS Key Management Service in Amazon S3 Using the AWS SDKs

When using AWS SDKs, you can request Amazon S3 to use AWS Key Management Service (AWS KMS)–managed encryption keys. This section provides examples of using the AWS SDKs for Java and .NET. For information about other SDKs, go to Sample Code and Libraries.

AWS SDK for Java

This section explains various Amazon S3 operations using the AWS SDK for Java and how you use the AWS KMS–managed encryption keys.

Put Operation

When uploading an object using the AWS SDK for Java, you can request Amazon S3 to use an AWS KMS–managed encryption key by adding the SSEAwsKeyManagementParams property as shown in the following request:

PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName, file)
        .withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams());

In this case, Amazon S3 uses the default master key (see Protecting Data Using Server-Side Encryption with AWS KMS–Managed Keys (SSE-KMS)). You can optionally create your own key and specify that in the request.

PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName, file)
        .withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(keyID));

For more information about creating keys, go to Programming the AWS KMS API in the AWS Key Management Service Developer Guide.

For working code examples of uploading an object, see the following topics. You will need to update those code examples and provide encryption information as shown in the preceding code fragment.

Copy Operation

When copying objects, you add the same request properties (ServerSideEncryptionMethod and ServerSideEncryptionKeyManagementServiceKeyId) to request Amazon S3 to use an AWS KMS–managed encryption key. For more information about copying objects, see Copying Objects.

Pre-signed URLs

When creating a pre-signed URL for an object encrypted using an AWS KMS–managed encryption key, you must explicitly specify Signature Version 4:

ClientConfiguration clientConfiguration = new ClientConfiguration();
clientConfiguration.setSignerOverride("AWSS3V4SignerType");
AmazonS3Client s3client = new AmazonS3Client(
        new ProfileCredentialsProvider(), clientConfiguration);
...

For a code example, see Generate a Pre-signed Object URL using AWS SDK for Java.
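The three Java operations above combined into one program, as an added example that is not from the AWS documentation; the bucket name, object key, region, local file and KMS key ARN are placeholders. It also reads the stored object's metadata back to confirm that Amazon S3 applied SSE-KMS with the expected key, a check the fragments above do not show.

```java
import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.CopyObjectRequest;
import com.amazonaws.services.s3.model.GeneratePresignedUrlRequest;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.PutObjectRequest;
import com.amazonaws.services.s3.model.SSEAwsKeyManagementParams;
import java.io.File;
import java.net.URL;
import java.util.Date;

public class SseKmsUploadCheck {
    // Placeholders: replace with your bucket, object key and KMS key ARN.
    static final String BUCKET = "example-bucket";
    static final String KEY = "reports/q1.pdf";
    static final String KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID";

    public static void main(String[] args) {
        // Signature Version 4 is required for pre-signed URLs to SSE-KMS objects.
        ClientConfiguration config = new ClientConfiguration();
        config.setSignerOverride("AWSS3V4SignerType");
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withCredentials(new ProfileCredentialsProvider())
                .withClientConfiguration(config)
                .withRegion("us-east-1")
                .build();
        // Upload with SSE-KMS using a specific key instead of the default master key.
        PutObjectRequest put = new PutObjectRequest(BUCKET, KEY, new File("q1.pdf"))
                .withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(KMS_KEY_ARN));
        s3.putObject(put);
        // Verify what S3 actually stored rather than trusting the request.
        // S3 reports the key as its ARN, so compare against the ARN form.
        ObjectMetadata meta = s3.getObjectMetadata(BUCKET, KEY);
        if (!"aws:kms".equals(meta.getSSEAlgorithm())
                || !KMS_KEY_ARN.equals(meta.getSSEAwsKmsKeyId())) {
            throw new IllegalStateException("object is not SSE-KMS with the expected key: "
                    + meta.getSSEAlgorithm() + " / " + meta.getSSEAwsKmsKeyId());
        }
        // A copy keeps SSE-KMS only if the parameters are supplied again on the copy request.
        s3.copyObject(new CopyObjectRequest(BUCKET, KEY, BUCKET, KEY + ".copy")
                .withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(KMS_KEY_ARN)));
        // Pre-signed GET valid for 15 minutes, signed with SigV4 via the override above.
        Date expiry = new Date(System.currentTimeMillis() + 15 * 60 * 1000L);
        URL url = s3.generatePresignedUrl(
                new GeneratePresignedUrlRequest(BUCKET, KEY).withExpiration(expiry));
        System.out.println(url);
    }
}
```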

AWS SDK for .NET

This section explains various Amazon S3 operations using the AWS SDK for .NET and how you use the AWS KMS–managed encryption keys.

Put Operation

When uploading an object using the AWS SDK for .NET, you can request Amazon S3 to use an AWS KMS–managed encryption key by adding the ServerSideEncryptionMethod property as shown in the following request:

PutObjectRequest putRequest = new PutObjectRequest
{
    BucketName = bucketName,
    Key = keyName,
    // other properties.
    ServerSideEncryptionMethod = ServerSideEncryptionMethod.AWSKMS
};

In this case, Amazon S3 uses the default master key (see Protecting Data Using Server-Side Encryption with AWS KMS–Managed Keys (SSE-KMS)). You can optionally create your own key and specify that in the request.

PutObjectRequest putRequest1 = new PutObjectRequest
{
    BucketName = bucketName,
    Key = keyName,
    // other properties.
    ServerSideEncryptionMethod = ServerSideEncryptionMethod.AWSKMS,
    ServerSideEncryptionKeyManagementServiceKeyId = keyId
};

For more information about creating keys, see Programming the AWS KMS API in the AWS Key Management Service Developer Guide.

For working code examples of uploading an object, see the following topics. You will need to update these code examples and provide encryption information as shown in the preceding code fragment.

Copy Operation

When copying objects, you add the same request properties (ServerSideEncryptionMethod and ServerSideEncryptionKeyManagementServiceKeyId) to request Amazon S3 to use an AWS KMS–managed encryption key. For more information about copying objects, see Copying Objects.

Pre-signed URLs

When creating a pre-signed URL for an object encrypted using an AWS KMS–managed encryption key, you must explicitly specify Signature Version 4:

AWSConfigs.S3Config.UseSignatureVersion4 = true;

For a code example, see Generate a Pre-signed Object URL using AWS SDK for .NET.