Encrypting an Amazon S3 Bucket Object on the Server Using AWS KMS
The following example uses the PutObject method to add the object myItem to the bucket amzn-s3-demo-bucket with server-side encryption set to AWS KMS.
Note that this differs from Setting Default Server-Side Encryption for an Amazon S3 Bucket: in that case, the objects are encrypted without you having to explicitly perform the operation.
Choose Copy to save the code locally.
Create the file encrypt_object_on_server.go.
Add the required packages.
    import (
        "github.com/aws/aws-sdk-go/aws"
        "github.com/aws/aws-sdk-go/aws/session"
        "github.com/aws/aws-sdk-go/service/s3"

        "fmt"
        "os"
        "strings"
    )
Get the KMS key from the command line, where key is a KMS key ID as created in the Creating a CMK in AWS Key Management Service example, and set the bucket and object names.
    if len(os.Args) != 2 {
        fmt.Println("You must supply a key")
        os.Exit(1)
    }

    key := os.Args[1]
    bucket := "amzn-s3-demo-bucket"
    object := "myItem"
Create a session and Amazon S3 client.
    sess := session.Must(session.NewSessionWithOptions(session.Options{
        SharedConfigState: session.SharedConfigEnable,
    }))

    svc := s3.New(sess)
Create the input for and call PutObject. Notice that the ServerSideEncryption property is set to aws:kms, indicating that Amazon S3 encrypts the object using AWS KMS, and display a success message to the user.
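    input := &s3.PutObjectInput{
        // The object name doubles as the object's content in this example.
        Body:                 strings.NewReader(object),
        Bucket:               aws.String(bucket),
        Key:                  aws.String(object),
        ServerSideEncryption: aws.String("aws:kms"),
        SSEKMSKeyId:          aws.String(key),
    }

    _, err := svc.PutObject(input)
    if err != nil {
        // Report the failure instead of printing a false success message.
        fmt.Println("Unable to add object: " + err.Error())
        os.Exit(1)
    }

    fmt.Println("Added object " + object + " to bucket " + bucket + " with AWS KMS encryption")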
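The code above discards the PutObject response, which carries the ServerSideEncryption and SSEKMSKeyId values S3 applied to the stored object. The following added example (not part of the original page or the AWS SDK) checks those two values against the key that was requested. The function names verifySSEKMS and keyResource are hypothetical, the key values are constructed samples, and it assumes S3 may report the key as a full ARN even when the request used a bare key ID.

```go
package main

import (
	"fmt"
	"strings"
)

// keyResource reduces a KMS key ARN or a bare key ID to "key/<id>". Aliases are
// rejected: S3 reports the key an alias resolved to, not the alias itself.
func keyResource(k string) (string, error) {
	if strings.Contains(k, "alias/") {
		return "", fmt.Errorf("alias %q given; resolve it to a key ID or ARN first", k)
	}
	if strings.HasPrefix(k, "arn:") {
		parts := strings.SplitN(k, ":", 6) // arn:partition:kms:region:account:key/<id>
		if len(parts) != 6 || parts[2] != "kms" || !strings.HasPrefix(parts[5], "key/") {
			return "", fmt.Errorf("not a KMS key ARN: %q", k)
		}
		return parts[5], nil
	}
	return "key/" + k, nil
}

// verifySSEKMS checks what S3 reported for a stored object. gotSSE and gotKey are
// the response's ServerSideEncryption and SSEKMSKeyId values; wantKey is the key ID
// or ARN that was requested. Two full ARNs must match exactly, region included.
func verifySSEKMS(gotSSE, gotKey, wantKey string) error {
	if gotSSE != "aws:kms" {
		return fmt.Errorf("object is not SSE-KMS encrypted (S3 reported %q)", gotSSE)
	}
	want, err := keyResource(wantKey)
	if err != nil {
		return err
	}
	got, err := keyResource(gotKey)
	if err != nil {
		return err
	}
	bothARNs := strings.HasPrefix(wantKey, "arn:") && strings.HasPrefix(gotKey, "arn:")
	if got != want || (bothARNs && gotKey != wantKey) {
		return fmt.Errorf("encrypted under %q, expected %q", gotKey, wantKey)
	}
	return nil
}

func main() {
	// Constructed sample: the response reports SSE-S3 (AES256) instead of SSE-KMS.
	fmt.Println(verifySSEKMS("AES256", "", "1234abcd-12ab-34cd-56ef-1234567890ab"))
}
```

In the page's code, the two reported values would come from the output that `svc.PutObject(input)` returns in place of `_`.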