
I have an encrypted file at an s3 bucket. I want to decrypt it programmatically without downloading it to my local machine. Is it possible to decrypt an encrypted file without downloading it to my local machine?

Things I'm using to encrypt the file: boto3 library, KMS keys for encryption, AWS Encryption SDK, Python script

I can definitely download this file and then decrypt it in my local machine like this:

import aws_encryption_sdk

# KMS_KEY_ARN, src_path, tgt_path: placeholders for your key ARN and local file paths
kms_key = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[KMS_KEY_ARN])

with open(src_path, 'rb') as src_file, open(tgt_path, 'wb') as tgt_file:
    with aws_encryption_sdk.stream(
        mode='d',
        source=src_file,
        key_provider=kms_key
    ) as decryptor:
        for block in decryptor:
            tgt_file.write(block)

But this is possible if I download the file to the local system. I don't want to download the file. I want to decrypt it inside the s3 bucket and enable the next process to work on this decrypted file.

Any pointers will be highly appreciated!

1 Answer


No, this isn't possible directly. However, you could create an AWS Lambda so that when the file uploads you could run a Lambda to do the decryption. See Using AWS Lambda with Amazon S3 for more details.

In pseudo code you'd do something like:

def lambda_handler(event, context): 
    read file from key in the event from S3
    decrypt file as your code shows
    save decrypted file back to S3 likely in a different bucket or directory path
    notify next process that the decrypted file is available.
stdunbar
    With this solution, I would suggest to save the decrypted file to another S3 location (and have only the next process have access), otherwise why encrypt it in the first place? – jogold Apr 27 '19 at 12:42
  • Thanks for your response @stdunbar but looks like one can't use aws_encryption_sdk using lambda function. I am getting an error as below: `Response: { "errorMessage": "Unable to import module 'lambda_function': No module named 'aws_encryption_sdk'", "errorType": "Runtime.ImportModuleError" }` – Navneet Thakur Apr 27 '19 at 23:23
  • @NavneetThakur - can you post more code like your `setup.py`? I don't see why it wouldn't work. – stdunbar Apr 28 '19 at 01:03
  • @stdunbar : Here is the code that I'm running: (Part - 1) `import json import boto3 import aws_encryption_sdk import boto3 import os from shutil import make_archive import time def lambda_handler(event, context): # TODO implement kms_key = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=['arn:aws:kms:us-west-1:XXX:key/XXXXXXXXX']) s3_client = boto3.client('s3') s3 = boto3.resource('s3')` – Navneet Thakur Apr 28 '19 at 07:13
  • Part 2: `#Below code copies the cipher_specimen1.txt file to s3 bucket navneettempe and renames it cipher_wages.txt copy_source = { 'Bucket': 'navneettempe', 'Key': 'cipher_specimen1.txt' } s3.meta.client.copy(copy_source, 'navneettempe','cipher_wages.txt') ct_file='cipher_wages.txt' pt_file='wages.txt' ` – Navneet Thakur Apr 28 '19 at 07:17
  • Part 3: `#Below code decrypts the cipher_wages.txt using the same KMS key that was used to encrypt the file with aws_encryption_sdk.stream( mode='d', source=ct_file, key_provider=kms_key ) as decryptor: for block in decryptor: pt_file.write(block)` – Navneet Thakur Apr 28 '19 at 07:17
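The Lambda approach the answer sketches, written out as a working handler; this is an added example, not code from the answer or the question author. It assumes the Encryption SDK 1.x API the question already uses (KMSMasterKeyProvider), hypothetical environment variables OUT_BUCKET, OUT_PREFIX and KMS_KEY_ARN, and that aws_encryption_sdk is bundled in the deployment package or a layer, since the Lambda runtime does not include it (which is what the ImportModuleError in the comments reports).

```python
import os
import urllib.parse

# Hypothetical environment variables naming where plaintext is written and
# which KMS key to use (assumption, not from the original post).
OUT_BUCKET = os.environ.get("OUT_BUCKET", "")
OUT_PREFIX = os.environ.get("OUT_PREFIX", "decrypted/")
KMS_KEY_ARN = os.environ.get("KMS_KEY_ARN", "")


def s3_objects(event):
    """Yield (bucket, key) for every S3 record; event keys are URL-encoded."""
    for rec in event.get("Records", []):
        s3 = rec["s3"]
        yield s3["bucket"]["name"], urllib.parse.unquote_plus(s3["object"]["key"])


def output_location(in_bucket, in_key, out_bucket, out_prefix):
    """Plaintext must land in another bucket or a distinct prefix: writing it
    beside the ciphertext exposes it to the same readers and, if this function
    is triggered on that prefix, re-invokes it on its own output forever."""
    if out_bucket == in_bucket and (not out_prefix or in_key.startswith(out_prefix)):
        raise ValueError("plaintext output would land in the trigger location")
    return out_bucket, out_prefix + in_key.rsplit("/", 1)[-1]


def decrypt_and_store(bucket, key, s3, decrypt, out_bucket, out_prefix):
    """Read ciphertext from S3, decrypt it in memory and store the plaintext.
    `s3` is a boto3 S3 client; `decrypt` maps ciphertext bytes to plaintext.
    The object is held in memory, so size the function for the largest file."""
    ciphertext = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
    plaintext = decrypt(ciphertext)
    out_bucket, out_key = output_location(bucket, key, out_bucket, out_prefix)
    s3.put_object(Bucket=out_bucket, Key=out_key, Body=plaintext)
    return out_bucket, out_key


def lambda_handler(event, context):
    # Imported here so the logic above can be exercised without AWS libraries.
    # aws_encryption_sdk is not part of the Lambda runtime: ship it in the
    # deployment package or a layer, otherwise the import fails at load time.
    import boto3
    import aws_encryption_sdk

    kms_key = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[KMS_KEY_ARN])

    def decrypt(ciphertext):
        plaintext, _header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key)
        return plaintext

    s3 = boto3.client("s3")
    return [decrypt_and_store(b, k, s3, decrypt, OUT_BUCKET, OUT_PREFIX)
            for b, k in s3_objects(event)]
```

Grant the function's role kms:Decrypt on that key plus s3:GetObject on the input and s3:PutObject on the output location only, and restrict read access on the output to the next process, as jogold's comment suggests.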