
How to make sure your files are encrypted when using AWS S3 KMS encryption?

I'm trying to test the most basic use cases around encryption/decryption with AWS S3 and AWS java SDK (trying both v1 and v2).

So this is what I'm doing:

  1. I upload a small json file using aws console, and then I check that in Properties > crypt, "AWS-KMS" is selected and my key alias is selected. I assume this tells me the file is encrypted with my key, but I have no way to check this, since if I try to open the file using aws console, it's in clear text.

  2. I try to download the file using various methods, and I expect to get an encrypted file when I use the most basic method.

So by using this client (sdk v2):

  @Bean
  public S3Client s3Clientv2(AppProperties appProperties, CustomAwsCredentialsProvider customAwsCredentialsProvider) {
    return S3Client.builder()
        .httpClientBuilder(httpClientBuilder)
        .credentialsProvider(customAwsCredentialsProvider)
        .region(Region.EU_WEST_3)
        .build();
  }

and this download method:

  public void downloadFile(String bucket, String key) {
    s3Client.getObject(
        GetObjectRequest.builder().bucket(bucket).key(key).build(),
        ResponseTransformer.toFile(Paths.get("test_aws.json")));
  }

I expected to get an encrypted file, but it was not.

Then I tried to use a client able to "encrypt/decrypt" by itself: "Any objects you get from Amazon S3 using this client are automatically decrypted" (source: https://docs.aws.amazon.com/en_pv/sdk-for-java/v1/developer-guide/examples-crypto-kms.html)

AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder
        .standard()
        .withRegion(Regions.US_WEST_2)
        .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly).withAwsKmsRegion(Region.getRegion(Regions.US_WEST_2)))
        // Can either be Key ID or alias (prefixed with 'alias/')
        .withEncryptionMaterials(new KMSEncryptionMaterialsProvider("alias/s3-kms-key"))
        .build();

But using:

S3Object file = s3Encryption.getObject(new GetObjectRequest(bucket, key));

with this client, the call gets me a warning: "Unable to detect encryption information for object '%s' in bucket '%s'. Returning object without decryption."

  • So what am I doing wrong here?
  • How can I check my file is really encrypted?
  • What would be the right config to download it and decrypt it without a "file not encrypted" warning?

Update: of course I've checked the object metadata, which does contain the KMS information and the KMS key id, but the encryption client is expecting some other information about this:

/** Initialization vector (IV) header that is used in the symmetric and envelope encryption mechanisms */
public static final String CRYPTO_IV = "x-amz-iv";

and this:

/**
 * Encrypted symmetric key header that is used in the Encryption Only (EO) envelope
 * encryption mechanism.
 */
public static final String CRYPTO_KEY = "x-amz-key";

Ok, I think I get it: I got confused between server-side encryption and client-side encryption.

So the AmazonS3Encryption client is only about client-side encryption. When you are using server-side encryption, any access to the file will decrypt it.

So the answer to my question would be: disable server-side encryption and use client-side encryption if you need fine-grained control over encryption, and to be able to download still-encrypted content.
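One concrete way to answer the "how can I check my file is really encrypted" part when staying with server-side encryption, as an added example that is not from the question or the answer above: with SDK v2, a HeadObject call returns the SSE headers of the stored object without downloading the body, so a check can assert that the object is SSE-KMS encrypted under the expected key instead of relying on the console view. The `S3Client`, bucket, key and expected key ARN are assumed inputs; with SSE-KMS the body of a GetObject is always plaintext for an authorized caller, so this metadata is the evidence of encryption at rest, not the downloaded bytes.

```java
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.HeadObjectRequest;
import software.amazon.awssdk.services.s3.model.HeadObjectResponse;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.model.ServerSideEncryption;

public class SseKmsCheck {

    /**
     * Verifies that the object is stored with SSE-KMS under the expected key and
     * returns the key ARN S3 reports. S3 resolves an alias given at upload time to
     * the key ARN, so compare against the ARN, not the alias.
     */
    public static String requireSseKms(S3Client s3, String bucket, String key, String expectedKeyArn) {
        HeadObjectResponse head = s3.headObject(
                HeadObjectRequest.builder().bucket(bucket).key(key).build());

        // x-amz-server-side-encryption: AES256 (SSE-S3), aws:kms (SSE-KMS) or absent
        if (head.serverSideEncryption() != ServerSideEncryption.AWS_KMS) {
            throw new IllegalStateException(key + " is not SSE-KMS encrypted (got "
                    + head.serverSideEncryptionAsString() + ")");
        }

        // x-amz-server-side-encryption-aws-kms-key-id: full key ARN, null when not SSE-KMS
        String keyArn = head.ssekmsKeyId();
        if (!expectedKeyArn.equals(keyArn)) {
            throw new IllegalStateException(key + " is encrypted with " + keyArn
                    + " instead of " + expectedKeyArn);
        }
        return keyArn;
    }

    /**
     * Upload that requests SSE-KMS explicitly rather than relying on the bucket's
     * default encryption setting; keyIdOrAlias may be a key id, a key ARN or "alias/...".
     */
    public static void putWithSseKms(S3Client s3, String bucket, String key,
                                     byte[] body, String keyIdOrAlias) {
        s3.putObject(PutObjectRequest.builder()
                        .bucket(bucket)
                        .key(key)
                        .serverSideEncryption(ServerSideEncryption.AWS_KMS)
                        .ssekmsKeyId(keyIdOrAlias)
                        .build(),
                RequestBody.fromBytes(body));
    }
}
```

The "Unable to detect encryption information" warning from AmazonS3Encryption is expected for such an object, because that client looks for the client-side envelope headers (x-amz-key, x-amz-iv), which SSE-KMS never writes.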
