Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.
AWS KMS ejemplos que se utilizan SDK para Java 2.x
Los siguientes ejemplos de código muestran cómo realizar acciones e implementar escenarios comunes mediante el uso del AWS SDK for Java 2.x with AWS KMS.
Las acciones son extractos de código de programas más grandes y deben ejecutarse en contexto. Mientras las acciones muestran cómo llamar a las funciones de servicio individuales, es posible ver las acciones en contexto en los escenarios relacionados y en los ejemplos entre servicios.
Los escenarios son ejemplos de código que muestran cómo llevar a cabo una tarea específica llamando a varias funciones dentro del mismo servicio.
Cada ejemplo incluye un enlace a GitHub, donde puede encontrar instrucciones sobre cómo configurar y ejecutar el código en su contexto.
Introducción
El siguiente ejemplo de código muestra cómo empezar a usar KMS key.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.ListKeysRequest; import software.amazon.awssdk.services.kms.model.KmsException; import software.amazon.awssdk.services.kms.paginators.ListKeysIterable; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class HelloKMS { public static void main(String[] args) { Region region = Region.US_WEST_2; KmsClient kmsClient = KmsClient.builder() .region(region) .build(); listAllKeys(kmsClient); kmsClient.close(); } public static void listAllKeys(KmsClient kmsClient) { try { ListKeysRequest listKeysRequest = ListKeysRequest.builder() .limit(15) .build(); ListKeysIterable keysResponse = kmsClient.listKeysPaginator(listKeysRequest); keysResponse.stream() .flatMap(r -> r.keys().stream()) .forEach(key -> System.out .println(" The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } }-
Para API obtener más información, consulte listKeysPaginatorla AWS SDK for Java 2.x APIReferencia.
-
Temas
Acciones
En el siguiente ejemplo de código, se muestra cómo usar CreateAlias.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static void createCustomAlias(KmsClient kmsClient, String targetKeyId, String aliasName) { try { CreateAliasRequest aliasRequest = CreateAliasRequest.builder() .aliasName(aliasName) .targetKeyId(targetKeyId) .build(); kmsClient.createAlias(aliasRequest); System.out.println(aliasName + " was successfully created."); } catch (ResourceExistsException e) { System.err.println("Alias already exists: " + e.getMessage()); System.err.println("Moving on..."); } catch (Exception e) { System.err.println("An unexpected error occurred: " + e.getMessage()); System.err.println("Moving on..."); } }-
Para API obtener más información, consulte CreateAliasla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar CreateGrant.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static String grantKey(KmsClient kmsClient, String keyId, String granteePrincipal) { try { // Add the desired KMS Grant permissions. List<GrantOperation> grantPermissions = new ArrayList<>(); grantPermissions.add(GrantOperation.ENCRYPT); grantPermissions.add(GrantOperation.DECRYPT); grantPermissions.add(GrantOperation.DESCRIBE_KEY); CreateGrantRequest grantRequest = CreateGrantRequest.builder() .keyId(keyId) .name("grant1") .granteePrincipal(granteePrincipal) .operations(grantPermissions) .build(); CreateGrantResponse response = kmsClient.createGrant(grantRequest); return response.grantId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; }-
Para API obtener más información, consulte CreateGrantla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar CreateKey.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static String createKey(KmsClient kmsClient, String keyDesc) { try { CreateKeyRequest keyRequest = CreateKeyRequest.builder() .description(keyDesc) .customerMasterKeySpec(CustomerMasterKeySpec.SYMMETRIC_DEFAULT) .keyUsage("ENCRYPT_DECRYPT") .build(); CreateKeyResponse result = kmsClient.createKey(keyRequest); System.out.println("Symmetric key with ARN [" + result.keyMetadata().arn() + "] has been created."); return result.keyMetadata().keyId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; }-
Para API obtener más información, consulte CreateKeyla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar Decrypt.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static String decryptData(KmsClient kmsClient, SdkBytes encryptedData, String keyId) { try { DecryptRequest decryptRequest = DecryptRequest.builder() .ciphertextBlob(encryptedData) .keyId(keyId) .build(); DecryptResponse decryptResponse = kmsClient.decrypt(decryptRequest); return decryptResponse.plaintext().asString(StandardCharsets.UTF_8); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; }-
Para API obtener más información, consulte Decrypt in AWS SDK for Java 2.x APIReference.
-
En el siguiente ejemplo de código, se muestra cómo usar DeleteAlias.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static void deleteSpecificAlias(KmsClient kmsClient, String aliasName) { try { DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder() .aliasName(aliasName) .build(); kmsClient.deleteAlias(deleteAliasRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
Para API obtener más información, consulte DeleteAliasla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar DescribeKey.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static boolean isKeyEnabled(KmsClient kmsClient, String keyId) { try { DescribeKeyRequest keyRequest = DescribeKeyRequest.builder() .keyId(keyId) .build(); DescribeKeyResponse response = kmsClient.describeKey(keyRequest); KeyState keyState = response.keyMetadata().keyState(); if (keyState == KeyState.ENABLED) { System.out.println("The key is enabled."); return true; } else { System.out.println("The key is not enabled. Key state: " + keyState); } } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return false; }-
Para API obtener más información, consulte DescribeKeyla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar DisableKey.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static void disableKey(KmsClient kmsClient, String keyId) { try { DisableKeyRequest keyRequest = DisableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.disableKey(keyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
Para API obtener más información, consulte DisableKeyla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar EnableKey.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. // Enable the KMS key. public static void enableKey(KmsClient kmsClient, String keyId) { try { EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.enableKey(enableKeyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
Para API obtener más información, consulte EnableKeyla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar Encrypt.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static SdkBytes encryptData(KmsClient kmsClient, String keyId, String text) { try { SdkBytes myBytes = SdkBytes.fromUtf8String(text); EncryptRequest encryptRequest = EncryptRequest.builder() .keyId(keyId) .plaintext(myBytes) .build(); EncryptResponse response = kmsClient.encrypt(encryptRequest); String algorithm = response.encryptionAlgorithm().toString(); System.out.println("The string was encrypted with algorithm " + algorithm + "."); // Get the encrypted data. SdkBytes encryptedData = response.ciphertextBlob(); return encryptedData; } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return null; }-
Para API obtener más información, consulte Cifrar en AWS SDK for Java 2.x APIreferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar ListAliases.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static void listAllAliases(KmsClient kmsClient) { try { ListAliasesRequest aliasesRequest = ListAliasesRequest.builder() .limit(15) .build(); ListAliasesIterable aliasesResponse = kmsClient.listAliasesPaginator(aliasesRequest); aliasesResponse.stream() .flatMap(r -> r.aliases().stream()) .forEach(alias -> System.out .println("The alias name is: " + alias.aliasName())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
Para API obtener más información, consulte ListAliasesla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar ListGrants.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static void displayGrantIds(KmsClient kmsClient, String keyId) { try { ListGrantsRequest grantsRequest = ListGrantsRequest.builder() .keyId(keyId) .limit(15) .build(); ListGrantsIterable response = kmsClient.listGrantsPaginator(grantsRequest); response.stream() .flatMap(r -> r.grants().stream()) .forEach(grant -> { System.out.println("The grant Id is : " + grant.grantId()); List<GrantOperation> ops = grant.operations(); for (GrantOperation op : ops) { System.out.println(op.name()); } }); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
Para API obtener más información, consulte ListGrantsla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar ListKeyPolicies.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static void getKeyPolicy(KmsClient kmsClient, String keyId, String policyName) { try { GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .build(); GetKeyPolicyResponse response = kmsClient.getKeyPolicy(policyRequest); System.out.println("The response is "+response.policy()); } catch (KmsException e) { if (e.getMessage().contains("No such policy exists")) { System.out.println("The policy cannot be found. Error message: " + e.getMessage()); } else { throw e; } } }-
Para API obtener más información, consulte ListKeyPoliciesla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar ListKeys.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.ListKeysRequest; import software.amazon.awssdk.services.kms.model.KmsException; import software.amazon.awssdk.services.kms.paginators.ListKeysIterable; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class HelloKMS { public static void main(String[] args) { Region region = Region.US_WEST_2; KmsClient kmsClient = KmsClient.builder() .region(region) .build(); listAllKeys(kmsClient); kmsClient.close(); } public static void listAllKeys(KmsClient kmsClient) { try { ListKeysRequest listKeysRequest = ListKeysRequest.builder() .limit(15) .build(); ListKeysIterable keysResponse = kmsClient.listKeysPaginator(listKeysRequest); keysResponse.stream() .flatMap(r -> r.keys().stream()) .forEach(key -> System.out .println(" The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } }-
Para API obtener más información, consulte ListKeysla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar RevokeGrant.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static void revokeKeyGrant(KmsClient kmsClient, String keyId, String grantId) { try { RevokeGrantRequest grantRequest = RevokeGrantRequest.builder() .keyId(keyId) .grantId(grantId) .build(); kmsClient.revokeGrant(grantRequest); System.out.println("Grant ID: [" + grantId +"] was successfully revoked!"); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
Para API obtener más información, consulte RevokeGrantla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar ScheduleKeyDeletion.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static void deleteKey(KmsClient kmsClient, String keyId) { try { ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder() .keyId(keyId) .pendingWindowInDays(7) .build(); kmsClient.scheduleKeyDeletion(deletionRequest); System.out.println("The key will be deleted in 7 days."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
Para API obtener más información, consulte ScheduleKeyDeletionla AWS SDK for Java 2.x APIReferencia.
-
En el siguiente ejemplo de código, se muestra cómo usar Sign.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static void signVerifyData(KmsClient kmsClient) { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest request = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) // Specify key spec .keyUsage(KeyUsageType.SIGN_VERIFY) // Specify key usage .origin(OriginType.AWS_KMS) // Specify key origin .build(); CreateKeyResponse response = kmsClient.createKey(request); String keyId2 = response.keyMetadata().keyId(); System.out.println("Created KMS key with ID: " + keyId2); SdkBytes bytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId2) .message(bytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); SignResponse signResponse = kmsClient.sign(signRequest); byte[] signedBytes = signResponse.signature().asByteArray(); // Verify the digital signature. VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId2) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); VerifyResponse verifyResponse = kmsClient.verify(verifyRequest); System.out.println("Signature verification result: " + verifyResponse.signatureValid()); }-
Para API obtener más información, consulta la AWS SDK for Java 2.x APIreferencia de inicio de sesión.
-
En el siguiente ejemplo de código, se muestra cómo usar TagResource.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. public static void tagKMSKey(KmsClient kmsClient, String keyId) { try { Tag tag = Tag.builder() .tagKey("Environment") .tagValue("Production") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .keyId(keyId) .tags(tag) .build(); kmsClient.tagResource(tagResourceRequest); System.out.println("The key has been tagged."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
Para API obtener más información, consulte TagResourcela AWS SDK for Java 2.x APIReferencia.
-
Escenarios
En el siguiente ejemplo de código, se muestra cómo:
Crea una clave de KMS.
Haz una lista de KMS las claves de tu cuenta y obtén detalles sobre ellas.
Activa y desactiva KMS las claves.
Generar una clave de datos simétrica que pueda usarse para el cifrado del cliente.
Genere una clave asimétrica que se utilice para firmar digitalmente los datos.
Etiquete las claves.
Eliminar KMS claves.
- SDKpara Java 2.x
-
nota
Hay más información. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el Repositorio de ejemplos de código de AWS
. import software.amazon.awssdk.core.SdkBytes; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.AliasListEntry; import software.amazon.awssdk.services.kms.model.AlreadyExistsException; import software.amazon.awssdk.services.kms.model.CreateAliasRequest; import software.amazon.awssdk.services.kms.model.CreateGrantRequest; import software.amazon.awssdk.services.kms.model.CreateGrantResponse; import software.amazon.awssdk.services.kms.model.CreateKeyRequest; import software.amazon.awssdk.services.kms.model.CreateKeyResponse; import software.amazon.awssdk.services.kms.model.CustomerMasterKeySpec; import software.amazon.awssdk.services.kms.model.DecryptRequest; import software.amazon.awssdk.services.kms.model.DecryptResponse; import software.amazon.awssdk.services.kms.model.DeleteAliasRequest; import software.amazon.awssdk.services.kms.model.DescribeKeyRequest; import software.amazon.awssdk.services.kms.model.DescribeKeyResponse; import software.amazon.awssdk.services.kms.model.DisableKeyRequest; import software.amazon.awssdk.services.kms.model.EnableKeyRequest; import software.amazon.awssdk.services.kms.model.EnableKeyRotationRequest; import software.amazon.awssdk.services.kms.model.EncryptRequest; import software.amazon.awssdk.services.kms.model.EncryptResponse; import software.amazon.awssdk.services.kms.model.GetKeyPolicyRequest; import software.amazon.awssdk.services.kms.model.GetKeyPolicyResponse; import software.amazon.awssdk.services.kms.model.GrantOperation; import software.amazon.awssdk.services.kms.model.KeySpec; import software.amazon.awssdk.services.kms.model.KeyState; import software.amazon.awssdk.services.kms.model.KeyUsageType; import software.amazon.awssdk.services.kms.model.KmsException; import software.amazon.awssdk.services.kms.model.LimitExceededException; import software.amazon.awssdk.services.kms.model.ListAliasesRequest; import software.amazon.awssdk.services.kms.model.ListGrantsRequest; import software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest; import software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse; import software.amazon.awssdk.services.kms.model.OriginType; import software.amazon.awssdk.services.kms.model.PutKeyPolicyRequest; import software.amazon.awssdk.services.kms.model.RevokeGrantRequest; import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; import software.amazon.awssdk.services.kms.model.SignRequest; import software.amazon.awssdk.services.kms.model.SignResponse; import software.amazon.awssdk.services.kms.model.SigningAlgorithmSpec; import software.amazon.awssdk.services.kms.model.Tag; import software.amazon.awssdk.services.kms.model.TagResourceRequest; import software.amazon.awssdk.services.kms.model.VerifyRequest; import software.amazon.awssdk.services.kms.model.VerifyResponse; import software.amazon.awssdk.services.kms.paginators.ListAliasesIterable; import software.amazon.awssdk.services.kms.paginators.ListGrantsIterable; import software.amazon.awssdk.services.secretsmanager.model.ResourceExistsException; import software.amazon.awssdk.services.sts.StsClient; import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse; import java.nio.ByteBuffer; import java.nio.charset.Charset; import java.nio.charset.StandardCharsets; import java.util.List; import java.util.ArrayList; import java.util.Scanner; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class KMSScenario { public static final String DASHES = new String(new char[80]).replace("\0", "-"); private static final String accountId = getAccountId(); public static void main(String[] args) { final String usage = """ Usage: <granteePrincipal> Where: granteePrincipal - The principal (user, service account, or group) to whom the grant or permission is being given. """; if (args.length != 1) { System.out.println(usage); System.exit(1); } String granteePrincipal = args[0]; String policyName = "default"; Scanner scanner = new Scanner(System.in); String keyDesc = "Created by the AWS KMS API"; Region region = Region.US_WEST_2; KmsClient kmsClient = KmsClient.builder() .region(region) .build(); System.out.println(DASHES); System.out.println(""" Welcome to the AWS Key Management SDK Getting Started scenario. This program demonstrates how to interact with AWS Key Management using the AWS SDK for Java (v2). The AWS Key Management Service (KMS) is a secure and highly available service that allows you to create and manage AWS KMS keys and control their use across a wide range of AWS services and applications. KMS provides a centralized and unified approach to managing encryption keys, making it easier to meet your data protection and regulatory compliance requirements. This Getting Started scenario creates two key types. A symmetric encryption key is used to encrypt and decrypt data, and an asymmetric key used to digitally sign data. Let's get started... """); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("1. Create a symmetric KMS key\n"); System.out.println("First, the program will creates a symmetric KMS key that you can used to encrypt and decrypt data."); waitForInputToContinue(scanner); String targetKeyId = createKey(kmsClient, keyDesc); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println(""" 2. Enable a KMS key By default, when the SDK creates an AWS key it is enabled. The next bit of code checks to determine if the key is enabled. If it is not enabled, the code enables it. """); waitForInputToContinue(scanner); boolean isEnabled = isKeyEnabled(kmsClient, targetKeyId); if (!isEnabled) enableKey(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("3. Encrypt data using the symmetric KMS key"); String plaintext = "Hello, AWS KMS!"; System.out.printf(""" One of the main uses of symmetric keys is to encrypt and decrypt data. Next, the code encrypts the string '%s' with the SYMMETRIC_DEFAULT encryption algorithm. %n""", plaintext); waitForInputToContinue(scanner); SdkBytes ciphertext = encryptData(kmsClient, targetKeyId, plaintext); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("4. Create an alias"); System.out.println(""" Enter an alias name for the key. The name should be prefixed with 'alias/'. For example, 'alias/myFirstKey'. """); String aliasName = scanner.nextLine(); String fullAliasName = aliasName.isEmpty() ? "alias/dev-encryption-key" : aliasName; createCustomAlias(kmsClient, targetKeyId, fullAliasName); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("5. List all of your aliases"); waitForInputToContinue(scanner); listAllAliases(kmsClient); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("6. Enable automatic rotation of the KMS key"); System.out.println(""" By default, when the SDK enables automatic rotation of a KMS key, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year thereafter. """); waitForInputToContinue(scanner); enableKeyRotation(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println(""" 7. Create a grant A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies. """); waitForInputToContinue(scanner); String grantId = grantKey(kmsClient, targetKeyId, granteePrincipal); System.out.println("The code granted principal with ARN [" + granteePrincipal + "] "); System.out.println("use of the symmetric key. The grant ID is [" + grantId + "]"); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("8. List grants for the KMS key"); waitForInputToContinue(scanner); displayGrantIds(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("9. Revoke the grant"); waitForInputToContinue(scanner); revokeKeyGrant(kmsClient, targetKeyId, grantId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("10. Decrypt the data\n"); System.out.println(""" Lets decrypt the data that was encrypted in an early step. The code uses the same key to decrypt the string that we encrypted earlier in the program. """); waitForInputToContinue(scanner); String decryptText = decryptData(kmsClient, ciphertext, targetKeyId); System.out.println("Decrypted text is: " + decryptText); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("11. Replace a key policy\n"); System.out.println(""" A key policy is a resource policy for a KMS key. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it. You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy. By default, when you create a key by using the SDK, a policy is created that gives the AWS account that owns the KMS key full access to the KMS key. Let's try to replace the automatically created policy with the following policy. "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::0000000000:root"}, "Action": "kms:*", "Resource": "*" }] """); waitForInputToContinue(scanner); boolean polAdded = replacePolicy(kmsClient, targetKeyId, policyName); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("12. Get the key policy\n"); System.out.println("The next bit of code that runs gets the key policy to make sure it exists."); waitForInputToContinue(scanner); getKeyPolicy(kmsClient, targetKeyId, policyName); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("13. Create an asymmetric KMS key and sign your data\n"); System.out.println(""" Signing your data with an AWS key can provide several benefits that make it an attractive option for your data signing needs. By using an AWS KMS key, you can leverage the security controls and compliance features provided by AWS, which can help you meet various regulatory requirements and enhance the overall security posture of your organization. """); waitForInputToContinue(scanner); signVerifyData(kmsClient); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("14. Tag your symmetric KMS Key\n"); System.out.println(""" By using tags, you can improve the overall management, security, and governance of your KMS keys, making it easier to organize, track, and control access to your encrypted data within your AWS environment """); waitForInputToContinue(scanner); tagKMSKey(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("15. Schedule the deletion of the KMS key\n"); System.out.println(""" By default, KMS applies a waiting period of 30 days, but you can specify a waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to PendingDeletion and the key can't be used in any cryptographic operations. It remains in this state for the duration of the waiting period. Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable.\s """); System.out.println("Would you like to delete the Key Management resources? (y/n)"); String delAns = scanner.nextLine().trim(); if (delAns.equalsIgnoreCase("y")) { System.out.println("You selected to delete the AWS KMS resources."); waitForInputToContinue(scanner); deleteSpecificAlias(kmsClient, fullAliasName); disableKey(kmsClient, targetKeyId); deleteKey(kmsClient, targetKeyId); } else { System.out.println("The Key Management resources will not be deleted"); } System.out.println(DASHES); System.out.println("This concludes the AWS Key Management SDK Getting Started scenario"); System.out.println(DASHES); } public static void listAllAliases(KmsClient kmsClient) { try { ListAliasesRequest aliasesRequest = ListAliasesRequest.builder() .limit(15) .build(); ListAliasesIterable aliasesResponse = kmsClient.listAliasesPaginator(aliasesRequest); aliasesResponse.stream() .flatMap(r -> r.aliases().stream()) .forEach(alias -> System.out .println("The alias name is: " + alias.aliasName())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void disableKey(KmsClient kmsClient, String keyId) { try { DisableKeyRequest keyRequest = DisableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.disableKey(keyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void signVerifyData(KmsClient kmsClient) { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest request = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) // Specify key spec .keyUsage(KeyUsageType.SIGN_VERIFY) // Specify key usage .origin(OriginType.AWS_KMS) // Specify key origin .build(); CreateKeyResponse response = kmsClient.createKey(request); String keyId2 = response.keyMetadata().keyId(); System.out.println("Created KMS key with ID: " + keyId2); SdkBytes bytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId2) .message(bytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); SignResponse signResponse = kmsClient.sign(signRequest); byte[] signedBytes = signResponse.signature().asByteArray(); // Verify the digital signature. VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId2) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); VerifyResponse verifyResponse = kmsClient.verify(verifyRequest); System.out.println("Signature verification result: " + verifyResponse.signatureValid()); } public static void tagKMSKey(KmsClient kmsClient, String keyId) { try { Tag tag = Tag.builder() .tagKey("Environment") .tagValue("Production") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .keyId(keyId) .tags(tag) .build(); kmsClient.tagResource(tagResourceRequest); System.out.println("The key has been tagged."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void getKeyPolicy(KmsClient kmsClient, String keyId, String policyName) { try { GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .build(); GetKeyPolicyResponse response = kmsClient.getKeyPolicy(policyRequest); System.out.println("The response is "+response.policy()); } catch (KmsException e) { if (e.getMessage().contains("No such policy exists")) { System.out.println("The policy cannot be found. Error message: " + e.getMessage()); } else { throw e; } } } public static boolean replacePolicy(KmsClient kmsClient, String keyId, String policyName) { // Change the principle in the below JSON. String policy = """ { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::%s:root"}, "Action": "kms:*", "Resource": "*" }] } """.formatted(accountId); try { PutKeyPolicyRequest keyPolicyRequest = PutKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .policy(policy) .build(); kmsClient.putKeyPolicy(keyPolicyRequest); System.out.println("The key policy has been replaced."); } catch (LimitExceededException e) { System.out.println("Policy limit reached. Unable to create the policy."); return false; } catch (AlreadyExistsException e) { System.out.println("Only one policy per key is supported. Unable to create the policy."); return false; } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return true; } public static boolean doesKeyHavePolicy(KmsClient kmsClient, String keyId, String policyName){ ListKeyPoliciesRequest policiesRequest = ListKeyPoliciesRequest.builder() .keyId(keyId) .build(); boolean hasPolicy = false; ListKeyPoliciesResponse response = kmsClient.listKeyPolicies(policiesRequest); List<String>policyNames = response.policyNames(); for (String pol : policyNames) { hasPolicy = true; } return hasPolicy; } public static void deleteKey(KmsClient kmsClient, String keyId) { try { ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder() .keyId(keyId) .pendingWindowInDays(7) .build(); kmsClient.scheduleKeyDeletion(deletionRequest); System.out.println("The key will be deleted in 7 days."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void deleteSpecificAlias(KmsClient kmsClient, String aliasName) { try { DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder() .aliasName(aliasName) .build(); kmsClient.deleteAlias(deleteAliasRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static boolean isKeyEnabled(KmsClient kmsClient, String keyId) { try { DescribeKeyRequest keyRequest = DescribeKeyRequest.builder() .keyId(keyId) .build(); DescribeKeyResponse response = kmsClient.describeKey(keyRequest); KeyState keyState = response.keyMetadata().keyState(); if (keyState == KeyState.ENABLED) { System.out.println("The key is enabled."); return true; } else { System.out.println("The key is not enabled. Key state: " + keyState); } } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return false; } public static String decryptData(KmsClient kmsClient, SdkBytes encryptedData, String keyId) { try { DecryptRequest decryptRequest = DecryptRequest.builder() .ciphertextBlob(encryptedData) .keyId(keyId) .build(); DecryptResponse decryptResponse = kmsClient.decrypt(decryptRequest); return decryptResponse.plaintext().asString(StandardCharsets.UTF_8); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } public static void revokeKeyGrant(KmsClient kmsClient, String keyId, String grantId) { try { RevokeGrantRequest grantRequest = RevokeGrantRequest.builder() .keyId(keyId) .grantId(grantId) .build(); kmsClient.revokeGrant(grantRequest); System.out.println("Grant ID: [" + grantId +"] was successfully revoked!"); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void displayGrantIds(KmsClient kmsClient, String keyId) { try { ListGrantsRequest grantsRequest = ListGrantsRequest.builder() .keyId(keyId) .limit(15) .build(); ListGrantsIterable response = kmsClient.listGrantsPaginator(grantsRequest); response.stream() .flatMap(r -> r.grants().stream()) .forEach(grant -> { System.out.println("The grant Id is : " + grant.grantId()); List<GrantOperation> ops = grant.operations(); for (GrantOperation op : ops) { System.out.println(op.name()); } }); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static String grantKey(KmsClient kmsClient, String keyId, String granteePrincipal) { try { // Add the desired KMS Grant permissions. List<GrantOperation> grantPermissions = new ArrayList<>(); grantPermissions.add(GrantOperation.ENCRYPT); grantPermissions.add(GrantOperation.DECRYPT); grantPermissions.add(GrantOperation.DESCRIBE_KEY); CreateGrantRequest grantRequest = CreateGrantRequest.builder() .keyId(keyId) .name("grant1") .granteePrincipal(granteePrincipal) .operations(grantPermissions) .build(); CreateGrantResponse response = kmsClient.createGrant(grantRequest); return response.grantId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } public static void enableKeyRotation(KmsClient kmsClient, String keyId) { try { EnableKeyRotationRequest enableKeyRotationRequest = EnableKeyRotationRequest.builder() .keyId(keyId) .build(); kmsClient.enableKeyRotation(enableKeyRotationRequest); System.out.println("Key rotation has been enabled for key with id [" + keyId + "]"); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void createCustomAlias(KmsClient kmsClient, String targetKeyId, String aliasName) { try { CreateAliasRequest aliasRequest = CreateAliasRequest.builder() .aliasName(aliasName) .targetKeyId(targetKeyId) .build(); kmsClient.createAlias(aliasRequest); System.out.println(aliasName + " was successfully created."); } catch (ResourceExistsException e) { System.err.println("Alias already exists: " + e.getMessage()); System.err.println("Moving on..."); } catch (Exception e) { System.err.println("An unexpected error occurred: " + e.getMessage()); System.err.println("Moving on..."); } } public static SdkBytes encryptData(KmsClient kmsClient, String keyId, String text) { try { SdkBytes myBytes = SdkBytes.fromUtf8String(text); EncryptRequest encryptRequest = EncryptRequest.builder() .keyId(keyId) .plaintext(myBytes) .build(); EncryptResponse response = kmsClient.encrypt(encryptRequest); String algorithm = response.encryptionAlgorithm().toString(); System.out.println("The string was encrypted with algorithm " + algorithm + "."); // Get the encrypted data. SdkBytes encryptedData = response.ciphertextBlob(); return encryptedData; } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return null; } public static String createKey(KmsClient kmsClient, String keyDesc) { try { CreateKeyRequest keyRequest = CreateKeyRequest.builder() .description(keyDesc) .customerMasterKeySpec(CustomerMasterKeySpec.SYMMETRIC_DEFAULT) .keyUsage("ENCRYPT_DECRYPT") .build(); CreateKeyResponse result = kmsClient.createKey(keyRequest); System.out.println("Symmetric key with ARN [" + result.keyMetadata().arn() + "] has been created."); return result.keyMetadata().keyId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } // Enable the KMS key. public static void enableKey(KmsClient kmsClient, String keyId) { try { EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.enableKey(enableKeyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } private static void waitForInputToContinue(Scanner scanner) { while (true) { System.out.println(""); System.out.println("Enter 'c' followed by <ENTER> to continue:"); String input = scanner.nextLine(); if (input.trim().equalsIgnoreCase("c")) { System.out.println("Continuing with the program..."); System.out.println(""); break; } else { // Handle invalid input. System.out.println("Invalid input. Please try again."); } } } private static String getAccountId(){ try (StsClient stsClient = StsClient.create()){ GetCallerIdentityResponse callerIdentity = stsClient.getCallerIdentity(); return callerIdentity.account(); } } }-
Para API obtener más información, consulte los siguientes temas en AWS SDK for Java 2.x APIReference.
-
