[//]: #"Copyright Amazon.com Inc. or its affiliates. All Rights Reserved."
2
+
[//]: #"SPDX-License-Identifier: CC-BY-SA-4.0"
3
+
1
4
# Client
2
5
3
6
## Version
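Review bot: The two added header lines at the top of the file are shown as `[//]: #"Copyright ..."` and `[//]: #"SPDX-License-Identifier: CC-BY-SA-4.0"`, with no space between `#` and the opening quote. If the file itself lacks that space, the lines will not parse as link reference definitions and the copyright text will render visibly instead of acting as a hidden comment; write them as `[//]: # "..."`.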
@@ -27,13 +30,13 @@ Depending on the language, this could be a builder (using the Builder pattern) o
27
30
28
31
## Overview
29
32
30
-
This document describes the top-level public S3 Encryption Client (S3EC).
33
+
This document describes the top-level public S3 Encryption Client (S3EC).
31
34
The S3EC provides client-side encryption for Amazon S3.
32
35
33
36
## AWS SDK Compatibility
34
37
35
-
The S3EC MUST adhere to the same interface for API operations as the conventional AWS SDK S3 client.
36
-
In other words, the SDK's conventional S3 client is able to be substituted for the S3EC.
38
+
The S3EC MUST adhere to the same interface for API operations as the conventional AWS SDK S3 client.
39
+
In other words, the SDK's conventional S3 client is able to be substituted for the S3EC.
37
40
The S3EC SHOULD support invoking operations unrelated to client-side encryption e.g. CopyObject as the conventional AWS SDK S3 client would.
38
41
The S3EC MUST provide a different set of configuration options than the conventional S3 client.
39
42
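Review bot: The removed and added lines in Overview and AWS SDK Compatibility read identically as shown ("This document describes the top-level public S3 Encryption Client (S3EC)." and the "MUST adhere to the same interface" and "In other words" sentences), so the change here appears to be whitespace only. Because these are normative statements, say so in the commit message (for example "formatting only, no normative changes") so implementers do not have to compare the MUST text by eye, and consider keeping the license header in a separate commit from the reformat.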
@@ -43,36 +46,36 @@ The S3EC MUST provide a different set of configuration options than the conventi
43
46
44
47
The S3EC MUST accept either one CMM or one Keyring instance upon initialization.
45
48
If both a CMM and a Keyring are provided, the S3EC MUST throw an exception.
46
-
When a Keyring is provided, the S3EC MUST create an instance of the DefaultCMM using the provided Keyring.
49
+
When a Keyring is provided, the S3EC MUST create an instance of the DefaultCMM using the provided Keyring.
47
50
48
-
The S3EC MAY accept key material directly.
51
+
The S3EC MAY accept key material directly.
49
52
When only key material is provided, a Keyring corresponding to the type of key material is created by default.
50
-
This behavior is discouraged, as it requires all Keyring configuration options to be supported by client initialization.
53
+
This behavior is discouraged, as it requires all Keyring configuration options to be supported by client initialization.
51
54
This leads to customer confusion when a Keyring is provided and a Keyring option is set on the client, and thus not applied.
52
-
It is considered deprecated, meaning it will be removed in the next major version (v4).
55
+
It is considered deprecated, meaning it will be removed in the next major version (v4).
53
56
54
57
### Options
55
58
56
59
#### Enable Legacy Wrapping Algorithms
57
60
58
-
The S3EC MUST support the option to enable or disable legacy wrapping algorithms.
59
-
The option to enable legacy wrapping algorithms MUST be set to false by default.
61
+
The S3EC MUST support the option to enable or disable legacy wrapping algorithms.
62
+
The option to enable legacy wrapping algorithms MUST be set to false by default.
60
63
When enabled, the S3EC MUST be able to decrypt objects encrypted with all supported wrapping algorithms (both legacy and fully supported).
61
64
When disabled, the S3EC MUST NOT decrypt objects encrypted using legacy wrapping algorithms; it MUST throw an exception when attempting to decrypt an object encrypted with a legacy wrapping algorithm.
62
65
63
66
#### Enable Legacy Unauthenticated Modes
64
67
65
68
The S3EC MUST support the option to enable or disable legacy unauthenticated modes (content encryption algorithms).
66
-
The option to enable legacy unauthenticated modes MUST be set to false by default.
69
+
The option to enable legacy unauthenticated modes MUST be set to false by default.
67
70
When enabled, the S3EC MUST be able to decrypt objects encrypted with all content encryption algorithms (both legacy and fully supported).
68
71
When disabled, the S3EC MUST NOT decrypt objects encrypted using legacy content encryption algorithms; it MUST throw an exception when attempting to decrypt an object encrypted with a legacy content encryption algorithm.
69
72
70
73
#### Enable Delayed Authentication
71
74
72
75
The S3EC MUST support the option to enable or disable Delayed Authentication mode.
73
-
Delayed Authentication mode MUST be set to false by default.
76
+
Delayed Authentication mode MUST be set to false by default.
74
77
When enabled, the S3EC MAY release plaintext from a stream which has not been authenticated.
75
-
When disabled the S3EC MUST NOT release plaintext from a stream which has not been authenticated.
78
+
When disabled the S3EC MUST NOT release plaintext from a stream which has not been authenticated.
76
79
77
80
#### Set Buffer Size
78
81
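Review bot: Style point on the re-added line in Enable Delayed Authentication: "When disabled the S3EC MUST NOT release plaintext from a stream which has not been authenticated." is missing the comma after "disabled" that the parallel sentences in the two legacy-option sections use ("When disabled, the S3EC MUST NOT decrypt ..."). Since the line is already being touched, add the comma so the three options read consistently. The other removed and added pairs in this hunk are textually identical as shown.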
@@ -92,45 +95,48 @@ In this case, the Instruction File Configuration SHOULD be optional, such that i
92
95
### Inherited SDK Configuration
93
96
94
97
The S3EC MAY support directly configuring the wrapped SDK clients through its initialization.
95
-
For example, the S3EC MAY accept a credentials provider instance during its initialization.
98
+
For example, the S3EC MAY accept a credentials provider instance during its initialization.
96
99
If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped S3 clients.
97
100
If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped SDK clients including the KMS client.
98
-
If the S3EC accepts any SDK client configuration options, then the S3EC should support all possible configuration options.
101
+
If the S3EC accepts any SDK client configuration options, then the S3EC should support all possible configuration options.
99
102
100
103
### Other Dependencies
101
104
102
105
#### Randomness
103
106
104
107
The S3EC MAY accept a source of randomness during client initialization.
105
-
The inclusion of a source of randomness is subject to language availability.
108
+
The inclusion of a source of randomness is subject to language availability.
106
109
107
110
## API Operations
108
111
109
112
The S3EC must provide implementations for the following S3 operations:
110
-
* GetObject MUST be implemented by the S3EC.
111
-
* GetObject MUST decrypt data received from the S3 server and return it as plaintext.
112
-
* PutObject MUST be implemented by the S3EC.
113
-
* PutObject MUST encrypt its input data before it is uploaded to S3.
114
-
* DeleteObject MUST be implemented by the S3EC.
115
-
* DeleteObject MUST delete the given object key.
116
-
* DeleteObject MUST delete the associated instruction file using the default instruction file suffix.
117
-
* DeleteObjects MUST be implemented by the S3EC.
118
-
* DeleteObjects MUST delete each of the given objects.
119
-
* DeleteObjects MUST delete each of the corresponding instruction files using the default instruction file suffix.
113
+
114
+
- GetObject MUST be implemented by the S3EC.
115
+
- GetObject MUST decrypt data received from the S3 server and return it as plaintext.
116
+
- PutObject MUST be implemented by the S3EC.
117
+
- PutObject MUST encrypt its input data before it is uploaded to S3.
118
+
- DeleteObject MUST be implemented by the S3EC.
119
+
- DeleteObject MUST delete the given object key.
120
+
- DeleteObject MUST delete the associated instruction file using the default instruction file suffix.
121
+
- DeleteObjects MUST be implemented by the S3EC.
122
+
- DeleteObjects MUST delete each of the given objects.
123
+
- DeleteObjects MUST delete each of the corresponding instruction files using the default instruction file suffix.
120
124
121
125
The S3EC may provide implementations for the following S3 operations:
122
-
* CreateMultipartUpload MAY be implemented by the S3EC.
123
-
* If implemented, CreateMultipartUpload MUST initiate a multipart upload.
124
-
* UploadPart MAY be implemented by the S3EC.
125
-
* UploadPart MUST encrypt each part.
126
-
* Each part MUST be encrypted in sequence.
127
-
* Each part MUST be encrypted using the same cipher instance for each part.
128
-
* CompleteMultipartUpload MAY be implemented by the S3EC.
129
-
* CompleteMultipartUpload MUST complete the multipart upload.
130
-
* AbortMultipartUpload MAY be implemented by the S3EC.
131
-
* AbortMultipartUpload MUST abort the multipart upload.
126
+
127
+
- CreateMultipartUpload MAY be implemented by the S3EC.
128
+
- If implemented, CreateMultipartUpload MUST initiate a multipart upload.
129
+
- UploadPart MAY be implemented by the S3EC.
130
+
- UploadPart MUST encrypt each part.
131
+
- Each part MUST be encrypted in sequence.
132
+
- Each part MUST be encrypted using the same cipher instance for each part.
133
+
- CompleteMultipartUpload MAY be implemented by the S3EC.
134
+
- CompleteMultipartUpload MUST complete the multipart upload.
135
+
- AbortMultipartUpload MAY be implemented by the S3EC.
136
+
- AbortMultipartUpload MUST abort the multipart upload.
132
137
133
138
The S3EC may provide implementations for the following S3EC-specific operation(s):
134
-
* ReEncryptInstructionFile MAY be implemented by the S3EC.
135
-
* ReEncryptInstructionFile MUST decrypt the instruction file's encrypted data key for the given object using the client's CMM.
136
-
* ReEncryptInstructionFile MUST re-encrypt the plaintext data key with a provided keyring.
139
+
140
+
- ReEncryptInstructionFile MAY be implemented by the S3EC.
141
+
- ReEncryptInstructionFile MUST decrypt the instruction file's encrypted data key for the given object using the client's CMM.
142
+
- ReEncryptInstructionFile MUST re-encrypt the plaintext data key with a provided keyring.
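Review bot: The re-added line in Inherited SDK Configuration, "then the S3EC should support all possible configuration options", uses a lowercase "should" while the other requirements in this hunk use uppercase keywords, and the list introductions ("The S3EC must provide implementations ...", "The S3EC may provide ...") do the same. Decide whether these are normative and capitalize them if so, since an implementer cannot tell from the lowercase form whether full configuration coverage is a requirement. Also confirm that the switch from `*` to `-` keeps sub-items such as "GetObject MUST decrypt data received from the S3 server ..." nested under their parent item, since the indentation is not visible in the lines shown.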