"""
################################################
# Server side encryption using KMS usecase-1 #
################################################
"""
import json
import os
import random
import subprocess
import sys
import uuid

import boto3
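def main():
    """
    #######################################
    #     Server side encryption on S3    #
    #######################################

    Workshop step 2: create a uniquely named, tagged S3 bucket in the
    session's region, upload ``plaintext_u.txt`` (next to this script) as
    ``encrypted_e.txt`` with SSE-KMS under the key alias
    ``kms_key_sse_usecase_1``, then read the object back and store the
    decrypted copy as ``plaintext_cycled_u.txt`` next to this script.

    Exits the process with status 0 on success. Any failure is reported on
    stdout and re-raised, so the interpreter exits non-zero.
    """
    try:
        #########################################################
        #  creating a s3 bucket with some name randomization    #
        #########################################################
        s3_client = boto3.client('s3')
        # Bucket names live in a global, public namespace. A uuid4 suffix
        # (instead of randint(1, 100000)) makes collisions with another
        # workshop run -- or with a pre-created squatter bucket -- unlikely.
        # The 'dp-workshop-bucket' prefix is kept so cleanup tooling that
        # matches on it keeps working.
        bucket_name = 'dp-workshop-bucket' + uuid.uuid4().hex[:12]

        region = boto3.Session().region_name
        if not region:
            # region_name is None when no region is configured; the original
            # substring test would fail with an opaque TypeError here.
            raise RuntimeError(
                'No AWS region configured; set AWS_DEFAULT_REGION or a '
                'region in your AWS profile before running this step')
        # us-east-1 rejects a LocationConstraint; every other region needs one.
        if region == 'us-east-1':
            s3_client.create_bucket(Bucket=bucket_name)
        else:
            s3_client.create_bucket(
                Bucket=bucket_name,
                CreateBucketConfiguration={'LocationConstraint': region},
            )
        s3_client.get_waiter('bucket_exists').wait(Bucket=bucket_name)
        s3_client.put_bucket_tagging(
            Bucket=bucket_name,
            Tagging={'TagSet': [{'Key': 'workshop', 'Value': 'data-protection'}]},
        )
        # NOTE(review): the bucket is created with account defaults only --
        # no default-encryption rule, no public-access block and no policy
        # rejecting unencrypted PUTs. Only the single object written below
        # is protected by SSE-KMS; a production bucket should enforce these
        # at bucket level rather than per request.

        ################################################################
        #  referencing the unencrypted text file plaintext_u on disk    #
        ################################################################
        current_directory = os.path.dirname(os.path.realpath(__file__))
        plaintext_filename_path = os.path.join(current_directory, 'plaintext_u.txt')
        encrypted_filename = 'encrypted_e.txt'

        ###############################################################################################
        #  uploading the unencrypted file to S3 and telling S3 to server side encrypt it               #
        #  data flows over TLS to S3 and then the S3 service encrypts it using the KMS key provided    #
        ###############################################################################################
        # The with-block closes the file handle (the original left it open).
        with open(plaintext_filename_path, 'rb') as body:
            put_response = s3_client.put_object(
                Body=body,
                Bucket=bucket_name,
                Key=encrypted_filename,
                ServerSideEncryption='aws:kms',
                SSEKMSKeyId='alias/kms_key_sse_usecase_1',
            )
        # S3 echoes the encryption it actually applied in the PutObject
        # response; fail loudly rather than assume the request took effect.
        applied_sse = put_response.get('ServerSideEncryption')
        if applied_sse != 'aws:kms':
            raise RuntimeError(
                'S3 did not report SSE-KMS for %s/%s (got %r)'
                % (bucket_name, encrypted_filename, applied_sse))

        #####################################################################################
        #  GetObject on encrypted_e.txt; S3 decrypts transparently (needs kms:Decrypt on    #
        #  the key) and the plaintext copy plaintext_cycled_u.txt is written next to us     #
        #####################################################################################
        get_response = s3_client.get_object(
            Bucket=bucket_name,
            Key=encrypted_filename,
        )
        plaintext_cycled_filename_path = os.path.join(
            current_directory, 'plaintext_cycled_u.txt')
        with open(plaintext_cycled_filename_path, 'wb') as out_file:
            out_file.write(get_response['Body'].read())

        print("\nModule run was successful !!")
        print("\nplaintext_u.txt was successfully uploaded to S3,server side encrypted and stored as encrypted_e.txt!!")
        print("\n Step 2 completed successfully")
    except Exception as exc:
        # Exception (not bare except) lets KeyboardInterrupt/SystemExit
        # propagate untouched; report the error, then re-raise so the
        # process exits non-zero with a traceback.
        print("Unexpected error: %s: %s" % (type(exc).__name__, exc))
        raise
    else:
        sys.exit(0)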
# Run the workshop step only when executed as a script, not on import.
if __name__ == "__main__":
    main()