本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AWS KMS 使用 Java 2. SDK x 的示例
下列程式碼範例說明如何使用 AWS SDK for Java 2.x 與來執行動作及實作常見案例 AWS KMS。
Actions 是大型程式的程式碼摘錄,必須在內容中執行。雖然動作會告訴您如何呼叫個別服務函數,但您可以在其相關情境和跨服務範例中查看內容中的動作。
Scenarios (案例) 是向您展示如何呼叫相同服務中的多個函數來完成特定任務的程式碼範例。
每個範例都包含一個連結 GitHub,您可以在其中找到如何在內容中設定和執行程式碼的指示。
開始使用
下列程式碼範例會示範如何開始使用 KMS key。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.ListKeysRequest; import software.amazon.awssdk.services.kms.model.KmsException; import software.amazon.awssdk.services.kms.paginators.ListKeysIterable; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class HelloKMS { public static void main(String[] args) { Region region = Region.US_WEST_2; KmsClient kmsClient = KmsClient.builder() .region(region) .build(); listAllKeys(kmsClient); kmsClient.close(); } public static void listAllKeys(KmsClient kmsClient) { try { ListKeysRequest listKeysRequest = ListKeysRequest.builder() .limit(15) .build(); ListKeysIterable keysResponse = kmsClient.listKeysPaginator(listKeysRequest); keysResponse.stream() .flatMap(r -> r.keys().stream()) .forEach(key -> System.out .println(" The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考listKeysPaginator中的。
-
動作
下列程式碼範例會示範如何使用CreateAlias。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static void createCustomAlias(KmsClient kmsClient, String targetKeyId, String aliasName) { try { CreateAliasRequest aliasRequest = CreateAliasRequest.builder() .aliasName(aliasName) .targetKeyId(targetKeyId) .build(); kmsClient.createAlias(aliasRequest); System.out.println(aliasName + " was successfully created."); } catch (ResourceExistsException e) { System.err.println("Alias already exists: " + e.getMessage()); System.err.println("Moving on..."); } catch (Exception e) { System.err.println("An unexpected error occurred: " + e.getMessage()); System.err.println("Moving on..."); } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考CreateAlias中的。
-
下列程式碼範例會示範如何使用CreateGrant。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static String grantKey(KmsClient kmsClient, String keyId, String granteePrincipal) { try { // Add the desired KMS Grant permissions. List<GrantOperation> grantPermissions = new ArrayList<>(); grantPermissions.add(GrantOperation.ENCRYPT); grantPermissions.add(GrantOperation.DECRYPT); grantPermissions.add(GrantOperation.DESCRIBE_KEY); CreateGrantRequest grantRequest = CreateGrantRequest.builder() .keyId(keyId) .name("grant1") .granteePrincipal(granteePrincipal) .operations(grantPermissions) .build(); CreateGrantResponse response = kmsClient.createGrant(grantRequest); return response.grantId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考CreateGrant中的。
-
下列程式碼範例會示範如何使用CreateKey。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static String createKey(KmsClient kmsClient, String keyDesc) { try { CreateKeyRequest keyRequest = CreateKeyRequest.builder() .description(keyDesc) .customerMasterKeySpec(CustomerMasterKeySpec.SYMMETRIC_DEFAULT) .keyUsage("ENCRYPT_DECRYPT") .build(); CreateKeyResponse result = kmsClient.createKey(keyRequest); System.out.println("Symmetric key with ARN [" + result.keyMetadata().arn() + "] has been created."); return result.keyMetadata().keyId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考CreateKey中的。
-
下列程式碼範例會示範如何使用Decrypt。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static String decryptData(KmsClient kmsClient, SdkBytes encryptedData, String keyId) { try { DecryptRequest decryptRequest = DecryptRequest.builder() .ciphertextBlob(encryptedData) .keyId(keyId) .build(); DecryptResponse decryptResponse = kmsClient.decrypt(decryptRequest); return decryptResponse.plaintext().asString(StandardCharsets.UTF_8); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; }-
如需詳API細資訊,請參閱在AWS SDK for Java 2.x API參考中解密。
-
下列程式碼範例會示範如何使用DeleteAlias。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static void deleteSpecificAlias(KmsClient kmsClient, String aliasName) { try { DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder() .aliasName(aliasName) .build(); kmsClient.deleteAlias(deleteAliasRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考DeleteAlias中的。
-
下列程式碼範例會示範如何使用DescribeKey。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static boolean isKeyEnabled(KmsClient kmsClient, String keyId) { try { DescribeKeyRequest keyRequest = DescribeKeyRequest.builder() .keyId(keyId) .build(); DescribeKeyResponse response = kmsClient.describeKey(keyRequest); KeyState keyState = response.keyMetadata().keyState(); if (keyState == KeyState.ENABLED) { System.out.println("The key is enabled."); return true; } else { System.out.println("The key is not enabled. Key state: " + keyState); } } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return false; }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考DescribeKey中的。
-
下列程式碼範例會示範如何使用DisableKey。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static void disableKey(KmsClient kmsClient, String keyId) { try { DisableKeyRequest keyRequest = DisableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.disableKey(keyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考DisableKey中的。
-
下列程式碼範例會示範如何使用EnableKey。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 // Enable the KMS key. public static void enableKey(KmsClient kmsClient, String keyId) { try { EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.enableKey(enableKeyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考EnableKey中的。
-
下列程式碼範例會示範如何使用Encrypt。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static SdkBytes encryptData(KmsClient kmsClient, String keyId, String text) { try { SdkBytes myBytes = SdkBytes.fromUtf8String(text); EncryptRequest encryptRequest = EncryptRequest.builder() .keyId(keyId) .plaintext(myBytes) .build(); EncryptResponse response = kmsClient.encrypt(encryptRequest); String algorithm = response.encryptionAlgorithm().toString(); System.out.println("The string was encrypted with algorithm " + algorithm + "."); // Get the encrypted data. SdkBytes encryptedData = response.ciphertextBlob(); return encryptedData; } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return null; }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考中的加密。
-
下列程式碼範例會示範如何使用ListAliases。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static void listAllAliases(KmsClient kmsClient) { try { ListAliasesRequest aliasesRequest = ListAliasesRequest.builder() .limit(15) .build(); ListAliasesIterable aliasesResponse = kmsClient.listAliasesPaginator(aliasesRequest); aliasesResponse.stream() .flatMap(r -> r.aliases().stream()) .forEach(alias -> System.out .println("The alias name is: " + alias.aliasName())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考ListAliases中的。
-
下列程式碼範例會示範如何使用ListGrants。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static void displayGrantIds(KmsClient kmsClient, String keyId) { try { ListGrantsRequest grantsRequest = ListGrantsRequest.builder() .keyId(keyId) .limit(15) .build(); ListGrantsIterable response = kmsClient.listGrantsPaginator(grantsRequest); response.stream() .flatMap(r -> r.grants().stream()) .forEach(grant -> { System.out.println("The grant Id is : " + grant.grantId()); List<GrantOperation> ops = grant.operations(); for (GrantOperation op : ops) { System.out.println(op.name()); } }); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考ListGrants中的。
-
下列程式碼範例會示範如何使用ListKeyPolicies。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static void getKeyPolicy(KmsClient kmsClient, String keyId, String policyName) { try { GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .build(); GetKeyPolicyResponse response = kmsClient.getKeyPolicy(policyRequest); System.out.println("The response is "+response.policy()); } catch (KmsException e) { if (e.getMessage().contains("No such policy exists")) { System.out.println("The policy cannot be found. Error message: " + e.getMessage()); } else { throw e; } } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考ListKeyPolicies中的。
-
下列程式碼範例會示範如何使用ListKeys。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.ListKeysRequest; import software.amazon.awssdk.services.kms.model.KmsException; import software.amazon.awssdk.services.kms.paginators.ListKeysIterable; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class HelloKMS { public static void main(String[] args) { Region region = Region.US_WEST_2; KmsClient kmsClient = KmsClient.builder() .region(region) .build(); listAllKeys(kmsClient); kmsClient.close(); } public static void listAllKeys(KmsClient kmsClient) { try { ListKeysRequest listKeysRequest = ListKeysRequest.builder() .limit(15) .build(); ListKeysIterable keysResponse = kmsClient.listKeysPaginator(listKeysRequest); keysResponse.stream() .flatMap(r -> r.keys().stream()) .forEach(key -> System.out .println(" The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考ListKeys中的。
-
下列程式碼範例會示範如何使用RevokeGrant。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static void revokeKeyGrant(KmsClient kmsClient, String keyId, String grantId) { try { RevokeGrantRequest grantRequest = RevokeGrantRequest.builder() .keyId(keyId) .grantId(grantId) .build(); kmsClient.revokeGrant(grantRequest); System.out.println("Grant ID: [" + grantId +"] was successfully revoked!"); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考RevokeGrant中的。
-
下列程式碼範例會示範如何使用ScheduleKeyDeletion。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static void deleteKey(KmsClient kmsClient, String keyId) { try { ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder() .keyId(keyId) .pendingWindowInDays(7) .build(); kmsClient.scheduleKeyDeletion(deletionRequest); System.out.println("The key will be deleted in 7 days."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考ScheduleKeyDeletion中的。
-
下列程式碼範例會示範如何使用Sign。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static void signVerifyData(KmsClient kmsClient) { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest request = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) // Specify key spec .keyUsage(KeyUsageType.SIGN_VERIFY) // Specify key usage .origin(OriginType.AWS_KMS) // Specify key origin .build(); CreateKeyResponse response = kmsClient.createKey(request); String keyId2 = response.keyMetadata().keyId(); System.out.println("Created KMS key with ID: " + keyId2); SdkBytes bytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId2) .message(bytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); SignResponse signResponse = kmsClient.sign(signRequest); byte[] signedBytes = signResponse.signature().asByteArray(); // Verify the digital signature. VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId2) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); VerifyResponse verifyResponse = kmsClient.verify(verifyRequest); System.out.println("Signature verification result: " + verifyResponse.signatureValid()); }-
如需詳API細資訊,請參閱登入AWS SDK for Java 2.xAPI參考。
-
下列程式碼範例會示範如何使用TagResource。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static void tagKMSKey(KmsClient kmsClient, String keyId) { try { Tag tag = Tag.builder() .tagKey("Environment") .tagValue("Production") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .keyId(keyId) .tags(tag) .build(); kmsClient.tagResource(tagResourceRequest); System.out.println("The key has been tagged."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
如需詳API細資訊,請參閱AWS SDK for Java 2.x API參考TagResource中的。
-
案例
以下程式碼範例顯示做法:
建立 KMS 金鑰。
列出您帳戶的KMS金鑰並取得有關它們的詳細資訊。
啟用和停用KMS金鑰。
產生可用於用戶端加密的對稱資料金鑰。
產生用於數位簽署資料的非對稱金鑰。
標記鍵。
刪除KMS金鑰。
- SDK對於爪哇 2.x
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 import software.amazon.awssdk.core.SdkBytes; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.AliasListEntry; import software.amazon.awssdk.services.kms.model.AlreadyExistsException; import software.amazon.awssdk.services.kms.model.CreateAliasRequest; import software.amazon.awssdk.services.kms.model.CreateGrantRequest; import software.amazon.awssdk.services.kms.model.CreateGrantResponse; import software.amazon.awssdk.services.kms.model.CreateKeyRequest; import software.amazon.awssdk.services.kms.model.CreateKeyResponse; import software.amazon.awssdk.services.kms.model.CustomerMasterKeySpec; import software.amazon.awssdk.services.kms.model.DecryptRequest; import software.amazon.awssdk.services.kms.model.DecryptResponse; import software.amazon.awssdk.services.kms.model.DeleteAliasRequest; import software.amazon.awssdk.services.kms.model.DescribeKeyRequest; import software.amazon.awssdk.services.kms.model.DescribeKeyResponse; import software.amazon.awssdk.services.kms.model.DisableKeyRequest; import software.amazon.awssdk.services.kms.model.EnableKeyRequest; import software.amazon.awssdk.services.kms.model.EnableKeyRotationRequest; import software.amazon.awssdk.services.kms.model.EncryptRequest; import software.amazon.awssdk.services.kms.model.EncryptResponse; import software.amazon.awssdk.services.kms.model.GetKeyPolicyRequest; import software.amazon.awssdk.services.kms.model.GetKeyPolicyResponse; import software.amazon.awssdk.services.kms.model.GrantOperation; import software.amazon.awssdk.services.kms.model.KeySpec; import software.amazon.awssdk.services.kms.model.KeyState; import software.amazon.awssdk.services.kms.model.KeyUsageType; import software.amazon.awssdk.services.kms.model.KmsException; import software.amazon.awssdk.services.kms.model.LimitExceededException; import software.amazon.awssdk.services.kms.model.ListAliasesRequest; import software.amazon.awssdk.services.kms.model.ListGrantsRequest; import software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest; import software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse; import software.amazon.awssdk.services.kms.model.OriginType; import software.amazon.awssdk.services.kms.model.PutKeyPolicyRequest; import software.amazon.awssdk.services.kms.model.RevokeGrantRequest; import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; import software.amazon.awssdk.services.kms.model.SignRequest; import software.amazon.awssdk.services.kms.model.SignResponse; import software.amazon.awssdk.services.kms.model.SigningAlgorithmSpec; import software.amazon.awssdk.services.kms.model.Tag; import software.amazon.awssdk.services.kms.model.TagResourceRequest; import software.amazon.awssdk.services.kms.model.VerifyRequest; import software.amazon.awssdk.services.kms.model.VerifyResponse; import software.amazon.awssdk.services.kms.paginators.ListAliasesIterable; import software.amazon.awssdk.services.kms.paginators.ListGrantsIterable; import software.amazon.awssdk.services.secretsmanager.model.ResourceExistsException; import software.amazon.awssdk.services.sts.StsClient; import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse; import java.nio.ByteBuffer; import java.nio.charset.Charset; import java.nio.charset.StandardCharsets; import java.util.List; import java.util.ArrayList; import java.util.Scanner; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class KMSScenario { public static final String DASHES = new String(new char[80]).replace("\0", "-"); private static final String accountId = getAccountId(); public static void main(String[] args) { final String usage = """ Usage: <granteePrincipal> Where: granteePrincipal - The principal (user, service account, or group) to whom the grant or permission is being given. """; if (args.length != 1) { System.out.println(usage); System.exit(1); } String granteePrincipal = args[0]; String policyName = "default"; Scanner scanner = new Scanner(System.in); String keyDesc = "Created by the AWS KMS API"; Region region = Region.US_WEST_2; KmsClient kmsClient = KmsClient.builder() .region(region) .build(); System.out.println(DASHES); System.out.println(""" Welcome to the AWS Key Management SDK Getting Started scenario. This program demonstrates how to interact with AWS Key Management using the AWS SDK for Java (v2). The AWS Key Management Service (KMS) is a secure and highly available service that allows you to create and manage AWS KMS keys and control their use across a wide range of AWS services and applications. KMS provides a centralized and unified approach to managing encryption keys, making it easier to meet your data protection and regulatory compliance requirements. This Getting Started scenario creates two key types. A symmetric encryption key is used to encrypt and decrypt data, and an asymmetric key used to digitally sign data. Let's get started... """); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("1. Create a symmetric KMS key\n"); System.out.println("First, the program will creates a symmetric KMS key that you can used to encrypt and decrypt data."); waitForInputToContinue(scanner); String targetKeyId = createKey(kmsClient, keyDesc); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println(""" 2. Enable a KMS key By default, when the SDK creates an AWS key it is enabled. The next bit of code checks to determine if the key is enabled. If it is not enabled, the code enables it. """); waitForInputToContinue(scanner); boolean isEnabled = isKeyEnabled(kmsClient, targetKeyId); if (!isEnabled) enableKey(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("3. Encrypt data using the symmetric KMS key"); String plaintext = "Hello, AWS KMS!"; System.out.printf(""" One of the main uses of symmetric keys is to encrypt and decrypt data. Next, the code encrypts the string '%s' with the SYMMETRIC_DEFAULT encryption algorithm. %n""", plaintext); waitForInputToContinue(scanner); SdkBytes ciphertext = encryptData(kmsClient, targetKeyId, plaintext); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("4. Create an alias"); System.out.println(""" Enter an alias name for the key. The name should be prefixed with 'alias/'. For example, 'alias/myFirstKey'. """); String aliasName = scanner.nextLine(); String fullAliasName = aliasName.isEmpty() ? "alias/dev-encryption-key" : aliasName; createCustomAlias(kmsClient, targetKeyId, fullAliasName); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("5. List all of your aliases"); waitForInputToContinue(scanner); listAllAliases(kmsClient); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("6. Enable automatic rotation of the KMS key"); System.out.println(""" By default, when the SDK enables automatic rotation of a KMS key, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year thereafter. """); waitForInputToContinue(scanner); enableKeyRotation(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println(""" 7. Create a grant A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies. """); waitForInputToContinue(scanner); String grantId = grantKey(kmsClient, targetKeyId, granteePrincipal); System.out.println("The code granted principal with ARN [" + granteePrincipal + "] "); System.out.println("use of the symmetric key. The grant ID is [" + grantId + "]"); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("8. List grants for the KMS key"); waitForInputToContinue(scanner); displayGrantIds(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("9. Revoke the grant"); waitForInputToContinue(scanner); revokeKeyGrant(kmsClient, targetKeyId, grantId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("10. Decrypt the data\n"); System.out.println(""" Lets decrypt the data that was encrypted in an early step. The code uses the same key to decrypt the string that we encrypted earlier in the program. """); waitForInputToContinue(scanner); String decryptText = decryptData(kmsClient, ciphertext, targetKeyId); System.out.println("Decrypted text is: " + decryptText); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("11. Replace a key policy\n"); System.out.println(""" A key policy is a resource policy for a KMS key. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it. You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy. By default, when you create a key by using the SDK, a policy is created that gives the AWS account that owns the KMS key full access to the KMS key. Let's try to replace the automatically created policy with the following policy. "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::0000000000:root"}, "Action": "kms:*", "Resource": "*" }] """); waitForInputToContinue(scanner); boolean polAdded = replacePolicy(kmsClient, targetKeyId, policyName); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("12. Get the key policy\n"); System.out.println("The next bit of code that runs gets the key policy to make sure it exists."); waitForInputToContinue(scanner); getKeyPolicy(kmsClient, targetKeyId, policyName); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("13. Create an asymmetric KMS key and sign your data\n"); System.out.println(""" Signing your data with an AWS key can provide several benefits that make it an attractive option for your data signing needs. By using an AWS KMS key, you can leverage the security controls and compliance features provided by AWS, which can help you meet various regulatory requirements and enhance the overall security posture of your organization. """); waitForInputToContinue(scanner); signVerifyData(kmsClient); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("14. Tag your symmetric KMS Key\n"); System.out.println(""" By using tags, you can improve the overall management, security, and governance of your KMS keys, making it easier to organize, track, and control access to your encrypted data within your AWS environment """); waitForInputToContinue(scanner); tagKMSKey(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("15. Schedule the deletion of the KMS key\n"); System.out.println(""" By default, KMS applies a waiting period of 30 days, but you can specify a waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to PendingDeletion and the key can't be used in any cryptographic operations. It remains in this state for the duration of the waiting period. Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable.\s """); System.out.println("Would you like to delete the Key Management resources? (y/n)"); String delAns = scanner.nextLine().trim(); if (delAns.equalsIgnoreCase("y")) { System.out.println("You selected to delete the AWS KMS resources."); waitForInputToContinue(scanner); deleteSpecificAlias(kmsClient, fullAliasName); disableKey(kmsClient, targetKeyId); deleteKey(kmsClient, targetKeyId); } else { System.out.println("The Key Management resources will not be deleted"); } System.out.println(DASHES); System.out.println("This concludes the AWS Key Management SDK Getting Started scenario"); System.out.println(DASHES); } public static void listAllAliases(KmsClient kmsClient) { try { ListAliasesRequest aliasesRequest = ListAliasesRequest.builder() .limit(15) .build(); ListAliasesIterable aliasesResponse = kmsClient.listAliasesPaginator(aliasesRequest); aliasesResponse.stream() .flatMap(r -> r.aliases().stream()) .forEach(alias -> System.out .println("The alias name is: " + alias.aliasName())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void disableKey(KmsClient kmsClient, String keyId) { try { DisableKeyRequest keyRequest = DisableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.disableKey(keyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void signVerifyData(KmsClient kmsClient) { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest request = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) // Specify key spec .keyUsage(KeyUsageType.SIGN_VERIFY) // Specify key usage .origin(OriginType.AWS_KMS) // Specify key origin .build(); CreateKeyResponse response = kmsClient.createKey(request); String keyId2 = response.keyMetadata().keyId(); System.out.println("Created KMS key with ID: " + keyId2); SdkBytes bytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId2) .message(bytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); SignResponse signResponse = kmsClient.sign(signRequest); byte[] signedBytes = signResponse.signature().asByteArray(); // Verify the digital signature. VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId2) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); VerifyResponse verifyResponse = kmsClient.verify(verifyRequest); System.out.println("Signature verification result: " + verifyResponse.signatureValid()); } public static void tagKMSKey(KmsClient kmsClient, String keyId) { try { Tag tag = Tag.builder() .tagKey("Environment") .tagValue("Production") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .keyId(keyId) .tags(tag) .build(); kmsClient.tagResource(tagResourceRequest); System.out.println("The key has been tagged."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void getKeyPolicy(KmsClient kmsClient, String keyId, String policyName) { try { GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .build(); GetKeyPolicyResponse response = kmsClient.getKeyPolicy(policyRequest); System.out.println("The response is "+response.policy()); } catch (KmsException e) { if (e.getMessage().contains("No such policy exists")) { System.out.println("The policy cannot be found. Error message: " + e.getMessage()); } else { throw e; } } } public static boolean replacePolicy(KmsClient kmsClient, String keyId, String policyName) { // Change the principle in the below JSON. String policy = """ { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::%s:root"}, "Action": "kms:*", "Resource": "*" }] } """.formatted(accountId); try { PutKeyPolicyRequest keyPolicyRequest = PutKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .policy(policy) .build(); kmsClient.putKeyPolicy(keyPolicyRequest); System.out.println("The key policy has been replaced."); } catch (LimitExceededException e) { System.out.println("Policy limit reached. Unable to create the policy."); return false; } catch (AlreadyExistsException e) { System.out.println("Only one policy per key is supported. Unable to create the policy."); return false; } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return true; } public static boolean doesKeyHavePolicy(KmsClient kmsClient, String keyId, String policyName){ ListKeyPoliciesRequest policiesRequest = ListKeyPoliciesRequest.builder() .keyId(keyId) .build(); boolean hasPolicy = false; ListKeyPoliciesResponse response = kmsClient.listKeyPolicies(policiesRequest); List<String>policyNames = response.policyNames(); for (String pol : policyNames) { hasPolicy = true; } return hasPolicy; } public static void deleteKey(KmsClient kmsClient, String keyId) { try { ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder() .keyId(keyId) .pendingWindowInDays(7) .build(); kmsClient.scheduleKeyDeletion(deletionRequest); System.out.println("The key will be deleted in 7 days."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void deleteSpecificAlias(KmsClient kmsClient, String aliasName) { try { DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder() .aliasName(aliasName) .build(); kmsClient.deleteAlias(deleteAliasRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static boolean isKeyEnabled(KmsClient kmsClient, String keyId) { try { DescribeKeyRequest keyRequest = DescribeKeyRequest.builder() .keyId(keyId) .build(); DescribeKeyResponse response = kmsClient.describeKey(keyRequest); KeyState keyState = response.keyMetadata().keyState(); if (keyState == KeyState.ENABLED) { System.out.println("The key is enabled."); return true; } else { System.out.println("The key is not enabled. Key state: " + keyState); } } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return false; } public static String decryptData(KmsClient kmsClient, SdkBytes encryptedData, String keyId) { try { DecryptRequest decryptRequest = DecryptRequest.builder() .ciphertextBlob(encryptedData) .keyId(keyId) .build(); DecryptResponse decryptResponse = kmsClient.decrypt(decryptRequest); return decryptResponse.plaintext().asString(StandardCharsets.UTF_8); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } public static void revokeKeyGrant(KmsClient kmsClient, String keyId, String grantId) { try { RevokeGrantRequest grantRequest = RevokeGrantRequest.builder() .keyId(keyId) .grantId(grantId) .build(); kmsClient.revokeGrant(grantRequest); System.out.println("Grant ID: [" + grantId +"] was successfully revoked!"); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void displayGrantIds(KmsClient kmsClient, String keyId) { try { ListGrantsRequest grantsRequest = ListGrantsRequest.builder() .keyId(keyId) .limit(15) .build(); ListGrantsIterable response = kmsClient.listGrantsPaginator(grantsRequest); response.stream() .flatMap(r -> r.grants().stream()) .forEach(grant -> { System.out.println("The grant Id is : " + grant.grantId()); List<GrantOperation> ops = grant.operations(); for (GrantOperation op : ops) { System.out.println(op.name()); } }); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static String grantKey(KmsClient kmsClient, String keyId, String granteePrincipal) { try { // Add the desired KMS Grant permissions. List<GrantOperation> grantPermissions = new ArrayList<>(); grantPermissions.add(GrantOperation.ENCRYPT); grantPermissions.add(GrantOperation.DECRYPT); grantPermissions.add(GrantOperation.DESCRIBE_KEY); CreateGrantRequest grantRequest = CreateGrantRequest.builder() .keyId(keyId) .name("grant1") .granteePrincipal(granteePrincipal) .operations(grantPermissions) .build(); CreateGrantResponse response = kmsClient.createGrant(grantRequest); return response.grantId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } public static void enableKeyRotation(KmsClient kmsClient, String keyId) { try { EnableKeyRotationRequest enableKeyRotationRequest = EnableKeyRotationRequest.builder() .keyId(keyId) .build(); kmsClient.enableKeyRotation(enableKeyRotationRequest); System.out.println("Key rotation has been enabled for key with id [" + keyId + "]"); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void createCustomAlias(KmsClient kmsClient, String targetKeyId, String aliasName) { try { CreateAliasRequest aliasRequest = CreateAliasRequest.builder() .aliasName(aliasName) .targetKeyId(targetKeyId) .build(); kmsClient.createAlias(aliasRequest); System.out.println(aliasName + " was successfully created."); } catch (ResourceExistsException e) { System.err.println("Alias already exists: " + e.getMessage()); System.err.println("Moving on..."); } catch (Exception e) { System.err.println("An unexpected error occurred: " + e.getMessage()); System.err.println("Moving on..."); } } public static SdkBytes encryptData(KmsClient kmsClient, String keyId, String text) { try { SdkBytes myBytes = SdkBytes.fromUtf8String(text); EncryptRequest encryptRequest = EncryptRequest.builder() .keyId(keyId) .plaintext(myBytes) .build(); EncryptResponse response = kmsClient.encrypt(encryptRequest); String algorithm = response.encryptionAlgorithm().toString(); System.out.println("The string was encrypted with algorithm " + algorithm + "."); // Get the encrypted data. SdkBytes encryptedData = response.ciphertextBlob(); return encryptedData; } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return null; } public static String createKey(KmsClient kmsClient, String keyDesc) { try { CreateKeyRequest keyRequest = CreateKeyRequest.builder() .description(keyDesc) .customerMasterKeySpec(CustomerMasterKeySpec.SYMMETRIC_DEFAULT) .keyUsage("ENCRYPT_DECRYPT") .build(); CreateKeyResponse result = kmsClient.createKey(keyRequest); System.out.println("Symmetric key with ARN [" + result.keyMetadata().arn() + "] has been created."); return result.keyMetadata().keyId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } // Enable the KMS key. public static void enableKey(KmsClient kmsClient, String keyId) { try { EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.enableKey(enableKeyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } private static void waitForInputToContinue(Scanner scanner) { while (true) { System.out.println(""); System.out.println("Enter 'c' followed by <ENTER> to continue:"); String input = scanner.nextLine(); if (input.trim().equalsIgnoreCase("c")) { System.out.println("Continuing with the program..."); System.out.println(""); break; } else { // Handle invalid input. System.out.println("Invalid input. Please try again."); } } } private static String getAccountId(){ try (StsClient stsClient = StsClient.create()){ GetCallerIdentityResponse callerIdentity = stsClient.getCallerIdentity(); return callerIdentity.account(); } } }-
如需詳API細資訊,請參閱「AWS SDK for Java 2.x API參考」中的下列主題。
-
