How to upload encrypted data to S3?

Question

I am trying to upload encrypted data to S3. This code successfully encrypts the data, however it uploads the original unencrypted file to S3. How do I tell it to upload the encrypted data instead?

note-the commented decryption lines were to test the data had been encrypted and decrypted properly

session = botocore.session.get_session()
client = session.create_client('kms', 
                               region_name = 'us-east-1', 
                               aws_access_key_id = '[YOUR ACCESS KEY]', 
                               aws_secret_access_key = '[YOUR SECRET ACCESSKEY]')

key_id = '[KEY ID]'
plaintext='[FILEPATH\FILENAME.CSV]'



ciphertext = client.encrypt(KeyId=key_id, Plaintext=plaintext)
#decrypt_ciphertext = client.decrypt(CiphertextBlob = 
ciphertext['CiphertextBlob'])
print('Ciphertext: ', ciphertext)
#print('Decrypted Ciphertext: ', decrypt_ciphertext) 


s3 = boto3.client('s3',
         aws_access_key_id='[YOUR ACCESS KEY]',
         aws_secret_access_key='[YOUR SECRET ACCESS KEY]')

filename = '[FILEPATH\FILENAME.CSV]'
bucket_name = '[BUCKET NAME]'

# Uploads the given file using a managed uploader, which will split up large
# files automatically and upload parts in parallel.
s3.upload_file(filename, bucket_name, filename)

Answer 1

The KMS encrypt() command does not work on files. Rather, it accepts incoming text in Plaintext and outputs encrypted text in CiphertextBlob.

Your code is responsible for reading the source file and passing the contents to encrypt(), and it is then responsible for writing the contents out to disk.

See also:

• AWS Encryption SDK for Python Example Code - AWS Encryption SDK
• s3-client-side-encryption/put.py at master · tedder/s3-client-side-encryption · GitHub