Recently AWS SES started accepting inbound email, saved in an S3 bucket. There's an option to encrypt the data, which is great, otherwise everything is exposed as plain text in your bucket.
The problems start with only accepting a KMS key for encryption. That means it needs to be managed from the AWS side.
The official documentation says on the subject:
Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side encryption. This means that you must use the Amazon S3 encryption client to decrypt the email after retrieving it from Amazon S3, as the service has no access to use your AWS KMS keys for decryption. This encryption client is available with the AWS Java SDK and AWS Ruby SDK only.
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-action-s3.html
I tracked down the Ruby code here:
https://github.com/aws/aws-sdk-ruby/blob/master/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb#L36
http://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Encryption/Client.html#client-instance_method
How can we bring that functionality to the JS lib, so we can decrypt and read our messages using Node.js?
Please let me know if I'm missing something.
Cheers
@tracend
Thanks for the feedback! This has been tagged as a feature request. We tend to prioritize which feature requests get worked on based on community feedback and by looking at what other SDKs are doing. We also accept pull requests from the community.
Thanks @chrisradek,
Was considering contributing a pull request but thought I should ask first in case I missed an existing method for performing said task or there were special conventions in dealing with KMS I needed to be aware of.
I spent some time on this yesterday and was able to decrypt the messages, although they came encrypted as AES/GCM/NoPadding, not as stated in the Ruby lib AES/CBC/PKCS5Padding. I'm not sure if this is variable for SES encrypted messages...
I'll form a proper solution and use the structure of the Ruby lib as a guide.
Thanks again.
We would very much like to see this as well. It seems fitting given that the examples from AWS use Node.js with Lambda to receive inbound email.
Thanks @tracend for contributing the PR. Hoping your work helps bring this needed feature more quickly!
@tracend Thanks for the pull request, have you been using your code in production, and does it work well?
Any chance this is going to be included into the official AWS SDK any time soon? I've even been experimenting with writing my app in .NET Core C#, as it already supports the S3 Encrypted Client!
Thanks @winzig - I've been using this on a daily basis for over a year now to decrypt emails from SES and it's fine for my needs.
Occasionally there might be a timeout error or resource leak that will occur from many parallel requests but that can be easily remedied with a fixed cap or even handled on the application level.
Hoping to see this on the AWS SDK as well. I'm guessing other languages have already had this feature because they have greater adoption/interest in enterprise; and it is frankly a feature beyond the needs of the average enthusiast.
I did struggle with trying to use this fork as a workaround, and appreciate the time that was put into it, but was unable to get it going within my Lambda project. I'm hoping someone that is more familiar than I am with the current state of this SDK might one day pick up the challenge and take a stab at getting it officially integrated within this SDK, including documentation on use. I'm going to work on adding $200 towards a bounty on this issue.
@winzig 👍 on getting this integrated. Any updates?
@k00k I spent quite a few hours trying to figure out how to add a bounty on the issue, but was ultimately unsuccessful. But I would be willing to contribute towards such a bounty if someone can figure out how to get it going. ;-)
Also want to express interest in this feature. Any updates?
The code contributed as a pull request in 2015 is now available as a separate module:
https://github.com/makesites/aws-s3-encryption-client