1
// Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
2
// SPDX-License-Identifier: MIT-0 (For details, see https://github.com/awsdocs/amazon-s3-developer-guide/blob/master/LICENSE-SAMPLECODE.)
3

4
import java.io.ByteArrayInputStream;
5

6
import com.amazonaws.AmazonServiceException;
7
import com.amazonaws.SdkClientException;
8
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
9
import com.amazonaws.services.s3.AmazonS3;
10
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
11
import com.amazonaws.services.s3.internal.SSEResultBase;
12
import com.amazonaws.services.s3.model.CopyObjectRequest;
13
import com.amazonaws.services.s3.model.CopyObjectResult;
14
import com.amazonaws.services.s3.model.ObjectMetadata;
15
import com.amazonaws.services.s3.model.PutObjectRequest;
16
import com.amazonaws.services.s3.model.PutObjectResult;
17

18
public class SpecifyServerSideEncryption {
19

20
    public static void main(String[] args) {
21
           String clientRegion = "*** Client region ***";
22
           String bucketName = "*** Bucket name ***";
23
           String keyNameToEncrypt = "*** Key name for an object to upload and encrypt ***";
24
           String keyNameToCopyAndEncrypt = "*** Key name for an unencrypted object to be encrypted by copying ***";
25
           String copiedObjectKeyName = "*** Key name for the encrypted copy of the unencrypted object ***";
26
           
27
           try {
28
               AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
29
                                       .withRegion(clientRegion)
30
                                       .withCredentials(new ProfileCredentialsProvider())
31
                                       .build();
32
           
33
               // Upload an object and encrypt it with SSE.
34
               uploadObjectWithSSEEncryption(s3Client, bucketName, keyNameToEncrypt);
35
               
36
               // Upload a new unencrypted object, then change its encryption state
37
               // to encrypted by making a copy.
38
               changeSSEEncryptionStatusByCopying(s3Client, 
39
                                                  bucketName, 
40
                                                  keyNameToCopyAndEncrypt, 
41
                                                  copiedObjectKeyName);
42
           }
43
           catch(AmazonServiceException e) {
44
            // The call was transmitted successfully, but Amazon S3 couldn't process 
45
            // it, so it returned an error response.
46
            e.printStackTrace();
47
        }
48
        catch(SdkClientException e) {
49
            // Amazon S3 couldn't be contacted for a response, or the client
50
            // couldn't parse the response from Amazon S3.
51
            e.printStackTrace();
52
        }
53
    }
54

55
    private static void uploadObjectWithSSEEncryption(AmazonS3 s3Client, String bucketName, String keyName) {
56
        String objectContent = "Test object encrypted with SSE";
57
                
58
        // Specify server-side encryption.
59
        ObjectMetadata objectMetadata = new ObjectMetadata();
60
        objectMetadata.setContentLength(objectContent.length());
61
        objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
62
        PutObjectRequest putRequest = new PutObjectRequest(bucketName, 
63
                                                           keyName, 
64
                                                           new ByteArrayInputStream(objectContent.getBytes()), 
65
                                                           objectMetadata);
66

67
        // Upload the object and check its encryption status.
68
        PutObjectResult putResult = s3Client.putObject(putRequest);
69
        System.out.println("Object \"" + keyName + "\" uploaded with SSE.");
70
        printEncryptionStatus(putResult);
71
    }
72
    
73
    private static void changeSSEEncryptionStatusByCopying(AmazonS3 s3Client, 
74
                                                           String bucketName, 
75
                                                           String sourceKey,
76
                                                           String destKey) {
77
        // Upload a new, unencrypted object.
78
        PutObjectResult putResult = s3Client.putObject(bucketName, sourceKey, "Object example to encrypt by copying");
79
        System.out.println("Unencrypted object \"" + sourceKey + "\" uploaded.");
80
        printEncryptionStatus(putResult);
81
        
82
        // Make a copy of the object and use server-side encryption when storing the copy.
83
        CopyObjectRequest request = new CopyObjectRequest(bucketName,
84
                                                          sourceKey,
85
                                                          bucketName,
86
                                                          destKey);
87
        ObjectMetadata objectMetadata = new ObjectMetadata();
88
        objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
89
        request.setNewObjectMetadata(objectMetadata);
90
        
91
        // Perform the copy operation and display the copy's encryption status.
92
        CopyObjectResult response = s3Client.copyObject(request);
93
        System.out.println("Object \"" + destKey + "\" uploaded with SSE.");
94
        printEncryptionStatus(response);
95
        
96
        // Delete the original, unencrypted object, leaving only the encrypted copy in Amazon S3.
97
        s3Client.deleteObject(bucketName, sourceKey);
98
        System.out.println("Unencrypted object \"" + sourceKey + "\" deleted.");
99
    }
100
    
101
    private static void printEncryptionStatus(SSEResultBase response) {
102
        String encryptionStatus = response.getSSEAlgorithm();
103
        if(encryptionStatus == null) {
104
            encryptionStatus = "Not encrypted with SSE"; 
105
        }
106
        System.out.println("Object encryption status is: " + encryptionStatus);
107
    }
108
}
109

110