AWS Code Sample
Catalog demonstrates how to upload and download S3 objects using a KMS key.

/** * Copyright 2018-2019, Inc. or its affiliates. All Rights Reserved. * * This file is licensed under the Apache License, Version 2.0 (the "License"). * You may not use this file except in compliance with the License. A copy of * the License is located at * * * * This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR * CONDITIONS OF ANY KIND, either express or implied. See the License for the * specific language governing permissions and limitations under the License. */ import; import; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.regions.RegionUtils; import; import; import; import; import; import; import; import; import; public class UploadObjectKMSKey { public static void main(String[] args) throws IOException { String bucketName = "*** Bucket name ***"; String keyName = "*** Object key name ***"; String clientRegion = "*** Client region ***"; String kms_cmk_id = "*** AWS KMS customer master key ID ***"; int readChunkSize = 4096; try { // Optional: If you don't have a KMS key (or need another one), // create one. This example creates a key with AWS-created // key material. AWSKMS kmsClient = AWSKMSClientBuilder.standard() .withCredentials(new ProfileCredentialsProvider()) .withRegion(clientRegion) .build(); CreateKeyResult keyResult = kmsClient.createKey(); kms_cmk_id = keyResult.getKeyMetadata().getKeyId(); // Create the encryption client. KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(kms_cmk_id); CryptoConfiguration cryptoConfig = new CryptoConfiguration() .withAwsKmsRegion(RegionUtils.getRegion(clientRegion)); AmazonS3Encryption encryptionClient = AmazonS3EncryptionClientBuilder.standard() .withCredentials(new ProfileCredentialsProvider()) .withEncryptionMaterials(materialProvider) .withCryptoConfiguration(cryptoConfig) .withRegion(clientRegion).build(); // Upload an object using the encryption client. String origContent = "S3 Encrypted Object Using KMS-Managed Customer Master Key."; int origContentLength = origContent.length(); encryptionClient.putObject(bucketName, keyName, origContent); // Download the object. The downloaded object is still encrypted. S3Object downloadedObject = encryptionClient.getObject(bucketName, keyName); S3ObjectInputStream input = downloadedObject.getObjectContent(); // Decrypt and read the object and close the input stream. byte[] readBuffer = new byte[readChunkSize]; ByteArrayOutputStream baos = new ByteArrayOutputStream(readChunkSize); int bytesRead = 0; int decryptedContentLength = 0; while ((bytesRead = != -1) { baos.write(readBuffer, 0, bytesRead); decryptedContentLength += bytesRead; } input.close(); // Verify that the original and decrypted contents are the same size. System.out.println("Original content length: " + origContentLength); System.out.println("Decrypted content length: " + decryptedContentLength); } catch(AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it, so it returned an error response. e.printStackTrace(); } catch(SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } }

Sample Details

Service: s3

Last tested: 2019-01-28

Author: AWS

Type: full-example

On this page: