Get started with encryption for Amazon S3 objects using an AWS SDK - AWS SDK Code Examples

There are more AWS SDK examples available in the AWS Doc SDK Examples GitHub repo.

Get started with encryption for Amazon S3 objects using an AWS SDK

The following code example shows how to get started with encryption for Amazon S3 objects.

.NET
AWS SDK for .NET
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.

using System; using System.IO; using System.Security.Cryptography; using System.Threading.Tasks; using Amazon.S3; using Amazon.S3.Model; /// <summary> /// This example shows how to apply client encryption to an object in an /// Amazon Simple Storage Service (Amazon S3) bucket. /// </summary> public class SSEClientEncryption { public static async Task Main() { string bucketName = "amzn-s3-demo-bucket"; string keyName = "exampleobject.txt"; string copyTargetKeyName = "examplecopy.txt"; // If the AWS Region defined for your default user is different // from the Region where your Amazon S3 bucket is located, // pass the Region name to the Amazon S3 client object's constructor. // For example: RegionEndpoint.USWest2. IAmazonS3 client = new AmazonS3Client(); try { // Create an encryption key. Aes aesEncryption = Aes.Create(); aesEncryption.KeySize = 256; aesEncryption.GenerateKey(); string base64Key = Convert.ToBase64String(aesEncryption.Key); // Upload the object. PutObjectRequest putObjectRequest = await UploadObjectAsync(client, bucketName, keyName, base64Key); // Download the object and verify that its contents match what you uploaded. await DownloadObjectAsync(client, bucketName, keyName, base64Key, putObjectRequest); // Get object metadata and verify that the object uses AES-256 encryption. await GetObjectMetadataAsync(client, bucketName, keyName, base64Key); // Copy both the source and target objects using server-side encryption with // an encryption key. await CopyObjectAsync(client, bucketName, keyName, copyTargetKeyName, aesEncryption, base64Key); } catch (AmazonS3Exception ex) { Console.WriteLine($"Error: {ex.Message}"); } } /// <summary> /// Uploads an object to an Amazon S3 bucket. /// </summary> /// <param name="client">The initialized Amazon S3 client object used to call /// PutObjectAsync.</param> /// <param name="bucketName">The name of the Amazon S3 bucket to which the /// object will be uploaded.</param> /// <param name="keyName">The name of the object to upload to the Amazon S3 /// bucket.</param> /// <param name="base64Key">The encryption key.</param> /// <returns>The PutObjectRequest object for use by DownloadObjectAsync.</returns> public static async Task<PutObjectRequest> UploadObjectAsync( IAmazonS3 client, string bucketName, string keyName, string base64Key) { PutObjectRequest putObjectRequest = new PutObjectRequest { BucketName = bucketName, Key = keyName, ContentBody = "sample text", ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256, ServerSideEncryptionCustomerProvidedKey = base64Key, }; PutObjectResponse putObjectResponse = await client.PutObjectAsync(putObjectRequest); return putObjectRequest; } /// <summary> /// Downloads an encrypted object from an Amazon S3 bucket. /// </summary> /// <param name="client">The initialized Amazon S3 client object used to call /// GetObjectAsync.</param> /// <param name="bucketName">The name of the Amazon S3 bucket where the object /// is located.</param> /// <param name="keyName">The name of the Amazon S3 object to download.</param> /// <param name="base64Key">The encryption key used to encrypt the /// object.</param> /// <param name="putObjectRequest">The PutObjectRequest used to upload /// the object.</param> public static async Task DownloadObjectAsync( IAmazonS3 client, string bucketName, string keyName, string base64Key, PutObjectRequest putObjectRequest) { GetObjectRequest getObjectRequest = new GetObjectRequest { BucketName = bucketName, Key = keyName, // Provide encryption information for the object stored in Amazon S3. ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256, ServerSideEncryptionCustomerProvidedKey = base64Key, }; using (GetObjectResponse getResponse = await client.GetObjectAsync(getObjectRequest)) using (StreamReader reader = new StreamReader(getResponse.ResponseStream)) { string content = reader.ReadToEnd(); if (string.Compare(putObjectRequest.ContentBody, content) == 0) { Console.WriteLine("Object content is same as we uploaded"); } else { Console.WriteLine("Error...Object content is not same."); } if (getResponse.ServerSideEncryptionCustomerMethod == ServerSideEncryptionCustomerMethod.AES256) { Console.WriteLine("Object encryption method is AES256, same as we set"); } else { Console.WriteLine("Error...Object encryption method is not the same as AES256 we set"); } } } /// <summary> /// Retrieves the metadata associated with an Amazon S3 object. /// </summary> /// <param name="client">The initialized Amazon S3 client object used /// to call GetObjectMetadataAsync.</param> /// <param name="bucketName">The name of the Amazon S3 bucket containing the /// object for which we want to retrieve metadata.</param> /// <param name="keyName">The name of the object for which we wish to /// retrieve the metadata.</param> /// <param name="base64Key">The encryption key associated with the /// object.</param> public static async Task GetObjectMetadataAsync( IAmazonS3 client, string bucketName, string keyName, string base64Key) { GetObjectMetadataRequest getObjectMetadataRequest = new GetObjectMetadataRequest { BucketName = bucketName, Key = keyName, // The object stored in Amazon S3 is encrypted, so provide the necessary encryption information. ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256, ServerSideEncryptionCustomerProvidedKey = base64Key, }; GetObjectMetadataResponse getObjectMetadataResponse = await client.GetObjectMetadataAsync(getObjectMetadataRequest); Console.WriteLine("The object metadata show encryption method used is: {0}", getObjectMetadataResponse.ServerSideEncryptionCustomerMethod); } /// <summary> /// Copies an encrypted object from one Amazon S3 bucket to another. /// </summary> /// <param name="client">The initialized Amazon S3 client object used to call /// CopyObjectAsync.</param> /// <param name="bucketName">The Amazon S3 bucket containing the object /// to copy.</param> /// <param name="keyName">The name of the object to copy.</param> /// <param name="copyTargetKeyName">The Amazon S3 bucket to which the object /// will be copied.</param> /// <param name="aesEncryption">The encryption type to use.</param> /// <param name="base64Key">The encryption key to use.</param> public static async Task CopyObjectAsync( IAmazonS3 client, string bucketName, string keyName, string copyTargetKeyName, Aes aesEncryption, string base64Key) { aesEncryption.GenerateKey(); string copyBase64Key = Convert.ToBase64String(aesEncryption.Key); CopyObjectRequest copyRequest = new CopyObjectRequest { SourceBucket = bucketName, SourceKey = keyName, DestinationBucket = bucketName, DestinationKey = copyTargetKeyName, // Information about the source object's encryption. CopySourceServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256, CopySourceServerSideEncryptionCustomerProvidedKey = base64Key, // Information about the target object's encryption. ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256, ServerSideEncryptionCustomerProvidedKey = copyBase64Key, }; await client.CopyObjectAsync(copyRequest); } }