Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)
AWS services or capabilities described in AWS documentation might vary by Region. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Example: Client-Side Encryption (Option 1: Using an AWS KMS-Managed Customer Master Key (AWS SDK for Java))

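The following Java code example uploads an object to Amazon S3. The example encrypts the data with a KMS-managed customer master key (CMK) before uploading it to Amazon S3. You will need the CMK ID in the code.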

For more information about how client-side encryption using a KMS-managed CMK works, see Option 1: Using an AWS KMS-Managed Customer Master Key (CMK).

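For instructions on how to create and test a working sample, see Testing the Java Code Examples. You will need to update the code by providing your bucket name and a CMK ID.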

import java.io.ByteArrayInputStream;
import java.util.Arrays;

import junit.framework.Assert;

import org.apache.commons.io.IOUtils;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3EncryptionClient;
import com.amazonaws.services.s3.model.CryptoConfiguration;
import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.PutObjectRequest;
import com.amazonaws.services.s3.model.S3Object;

public class testKMSkeyUploadObject {

    private static AmazonS3EncryptionClient encryptionClient;

    public static void main(String[] args) throws Exception {
        // Replace the placeholders with your bucket name and CMK ID.
        String bucketName = "***bucket name***";
        String objectKey  = "ExampleKMSEncryptedObject";
        String kms_cmk_id = "***AWS KMS customer master key ID***";

        // The materials provider tells the client which CMK protects the data key.
        KMSEncryptionMaterialsProvider materialProvider =
                new KMSEncryptionMaterialsProvider(kms_cmk_id);

        // The KMS Region and the S3 Region are configured separately.
        encryptionClient = new AmazonS3EncryptionClient(new ProfileCredentialsProvider(),
                materialProvider,
                new CryptoConfiguration().withKmsRegion(Regions.US_EAST_1))
            .withRegion(Region.getRegion(Regions.US_EAST_1));

        // Upload object using the encryption client.
        byte[] plaintext = "Hello World, S3 Client-side Encryption Using Asymmetric Master Key!"
                .getBytes();
        System.out.println("plaintext's length: " + plaintext.length);
        encryptionClient.putObject(new PutObjectRequest(bucketName, objectKey,
                new ByteArrayInputStream(plaintext), new ObjectMetadata()));

        // Download the object. The encryption client decrypts it transparently.
        S3Object downloadedObject = encryptionClient.getObject(bucketName, objectKey);
        byte[] decrypted = IOUtils.toByteArray(downloadedObject.getObjectContent());

        // Verify same data.
        Assert.assertTrue(Arrays.equals(plaintext, decrypted));
    }
}
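The round trip above only proves that the encryption client can decrypt what it wrote. As an added check (not part of the original AWS sample), the following reads the same object with a plain `AmazonS3Client` to confirm that S3 holds ciphertext and envelope metadata. The class name is hypothetical, and the metadata keys assume the version 1 SDK's default behaviour of storing the envelope in object user metadata.

```java
import java.util.Arrays;
import java.util.Map;
import org.apache.commons.io.IOUtils;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.S3Object;

// Added example (hypothetical class name): reads the object back WITHOUT the
// encryption client, so the bytes and metadata are exactly what S3 stores.
public class VerifyStoredObjectIsCiphertext {

    // Returns the content-encryption algorithm recorded with the object,
    // or throws if the object does not look client-side encrypted.
    static String verify(AmazonS3Client plainClient, String bucket, String key,
                         byte[] plaintext) throws Exception {
        S3Object raw = plainClient.getObject(bucket, key);
        Map<String, String> meta = raw.getObjectMetadata().getUserMetadata();
        byte[] stored = IOUtils.toByteArray(raw.getObjectContent());
        raw.close();

        // Assumption: envelope stored in user metadata (SDK v1 default mode).
        for (String k : new String[] {"x-amz-key-v2", "x-amz-iv", "x-amz-wrap-alg"}) {
            if (!meta.containsKey(k)) {
                throw new IllegalStateException("missing envelope metadata: " + k);
            }
        }
        if (Arrays.equals(stored, plaintext)) {
            throw new IllegalStateException("object is stored in plaintext");
        }
        System.out.println("key wrap algorithm: " + meta.get("x-amz-wrap-alg"));
        return meta.get("x-amz-cek-alg");
    }

    public static void main(String[] args) throws Exception {
        // Same placeholders and plaintext as the upload example.
        String bucketName = "***bucket name***";
        String objectKey = "ExampleKMSEncryptedObject";
        byte[] plaintext = "Hello World, S3 Client-side Encryption Using Asymmetric Master Key!"
                .getBytes();

        AmazonS3Client plainClient = new AmazonS3Client(new ProfileCredentialsProvider());
        plainClient.setRegion(Region.getRegion(Regions.US_EAST_1));

        String cekAlg = verify(plainClient, bucketName, objectKey, plaintext);
        System.out.println("content encryption algorithm: " + cekAlg);
        if (!"AES/GCM/NoPadding".equals(cekAlg)) {
            // Without an authenticated mode, tampering with the ciphertext is not detected.
            System.out.println("note: object is encrypted without integrity protection");
        }
    }
}
```

If the last note is printed, constructing the encryption client with `new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)` makes the version 1 client use AES-GCM for new uploads.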