Navneet Thakur

Reputation: 71

Decrypt an object in AWS S3 without downloading it to local system

I have an encrypted file in an S3 bucket. I want to decrypt it programmatically without downloading it to my local machine. Is it possible to decrypt an encrypted file without downloading it to my local machine?

Things I'm using to encrypt the file: boto3 library, KMS keys for encryption AWS SDK, Python script

I can definitely download this file and then decrypt it on my local machine like this:

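import aws_encryption_sdk

# src_file is the downloaded ciphertext and tgt_file the output file,
# both opened in binary mode; kms_key is the KMS key provider.
with aws_encryption_sdk.stream(
    mode='d',
    source=src_file,
    key_provider=kms_key
) as decryptor:
    for block in decryptor:
        tgt_file.write(block)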

But this is possible if I download the file to the local system. I don't want to download the file. I want to decrypt it inside the S3 bucket and enable the next process to work on this decrypted file.

Any pointers will be highly appreciated!

Upvotes: 2

Views: 4055

Answers (1)

stdunbar

Reputation: 17435

No, this isn't possible directly. However, you could create an AWS Lambda so that when the file uploads you could run a Lambda to do the decryption. See Using AWS Lambda with Amazon S3 for more details.

In pseudo code you'd do something like:

def lambda_handler(event, context): 
    read file from key in the event from S3
    decrypt file as your code shows
    save decrypted file back to S3 likely in a different bucket or directory path
    notify next process that the decrypted file is available.

Upvotes: 2
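One way to fill in the pseudocode above, as an added example that is not code from the question or the answer. The prefixes, the `KMS_KEY_ARN` environment variable and the helper names are assumptions, the decrypt call uses the `EncryptionSDKClient` form of the `stream` call found in AWS Encryption SDK 2.x and later, and the plaintext is buffered in memory.

```python
import io
from urllib.parse import unquote_plus

ENCRYPTED_PREFIX = "encrypted/"  # assumed: prefix the S3 trigger is scoped to
DECRYPTED_PREFIX = "decrypted/"  # assumed: output prefix outside the trigger


def plan_objects(event):
    """Yield (bucket, source_key, target_key) for each usable event record."""
    for record in event.get("Records", []):
        bucket = record["s3"]["bucket"]["name"]
        # Keys in S3 event notifications are URL-encoded ('+' for spaces).
        key = unquote_plus(record["s3"]["object"]["key"])
        # Ignore keys outside the input prefix so that writing the output
        # can never re-trigger this function in a loop.
        if not key.startswith(ENCRYPTED_PREFIX):
            continue
        yield bucket, key, DECRYPTED_PREFIX + key[len(ENCRYPTED_PREFIX):]


def decrypt_object(s3, open_decryptor, bucket, src_key, dst_key):
    """Decrypt one object in memory and store the plaintext with SSE-KMS."""
    body = s3.get_object(Bucket=bucket, Key=src_key)["Body"]
    plaintext = io.BytesIO()
    with open_decryptor(body) as decryptor:
        for block in decryptor:
            plaintext.write(block)
    plaintext.seek(0)
    # Server-side encryption keeps the decrypted copy encrypted at rest.
    s3.upload_fileobj(plaintext, bucket, dst_key,
                      ExtraArgs={"ServerSideEncryption": "aws:kms"})
    return dst_key


def lambda_handler(event, context):
    # AWS libraries are imported here so the helpers above run without them.
    import os
    import boto3
    import aws_encryption_sdk

    s3 = boto3.client("s3")
    client = aws_encryption_sdk.EncryptionSDKClient()
    provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(
        key_ids=[os.environ["KMS_KEY_ARN"]])  # assumed environment variable

    def open_decryptor(body):
        return client.stream(mode="d", source=body, key_provider=provider)

    return [decrypt_object(s3, open_decryptor, *obj) for obj in plan_objects(event)]
```

The returned list of decrypted keys is what the notification step in the pseudocode would pass to the next process.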
