我正在尝试下载存储在S3存储桶中的CloudTrail的日志文件,但是当我收到该文件时,它是不可读的,直到我意识到它可以按照here加密并且我不知道如何解密文件。
这是我的代码:
AWSCredentials credentials = new BasicAWSCredentials(prop.getProperty("provider.aws01.username"), prop.getProperty("provider.aws01.password"));
s3client = new AmazonS3Client(credentials);
S3Object s3object = s3client.getObject(new GetObjectRequest(
bucketName, "examplecloudtraillog.json.gz"));
System.out.println("Encrypted with: " +
s3object.getObjectMetadata().getSSEAlgorithm());
InputStream is = s3object.getObjectContent();
OutputStream outputStream =
new FileOutputStream(new File("test.txt"));
int read = 0;
byte[] bytes = new byte[1024];
while ((read = is.read(bytes)) != -1) {
outputStream.write(bytes, 0, read);
}
System.out.println("Done!");
当我收到文件时,它看起来像乱码,这是输出文件:
‹ ÅUÛ²¢Xý•
_OQr¿øxDÅž‰Ž
{£ÈU6 Xqþ½Ásº«ººª§f¢#&‚13W^ȵòóÈFA^B<šüòy„”U.*q”g£ÉˆúDr£££Rƒ½%ªºÑäó¨ê
Ô[åÃn‡Ê&
PïeM#¨ô#П@
yîøS§£×oÐN”‘4I É4ïP„•&”p½»ìòº'\áoPÞ=Öà "c\§ÈΓ!}ïb£ó[Õ¨&‚Þ Aõ&üÔ,ÂaüÝúÞz”Ï}Øì%ºÕW(ûìU?¡aeŸ|×cöyß‹Š’”‰
|DQ!I±<=÷~r9ÔÊlÒƒN"N&´HR4-J$ÉÓ“Ág,Ã4ʆiõ•y†Ñ,Ai_Ô3[P¢çG Éó¿%vú±Èóm>õŽð1S0˜*ÎúQu.k½mœÍÌÎdö(ëMÆY³é^““±W÷R ÈNsS ˦8Ž—]‘å÷1[R'na60Úé†>øW²Ž5P-²û©8¢:®Z†Kk'ÎwDh¯£ÐòºÙC@æBƒ¾” ÎiWšb…xm+ÇìVsö|ö,ÕvõZÜR;\ŽYÅÁW4³¥\n*wÖŦ*u{+im¨®USÎÇ×ÇÊ÷뛚:GYZ\ð‹M{w-Œ‹–aòrIÎö
FÙtetÝ]´Óþø’^¬sŠo/;u,šóQÝýó(âA~Ñ7‹Ònzé.;ºÜI’¼‚Øç7öù‡>Ôö‘;Rr_ny;¥Øl=ŸÝ ~Õxööq
Pw0´§E·N÷صÎè%·È¡$8Ë¡ÊS|,û§NpÎ]ìÒ‚tÚ—ÙÅœ‡Á9¸«ÛÄ×ÝlãTÛUwne
o3–Ü«u!CeKzjÜr÷½,³ëã}®®3èÑX§Çêa(”$Ù9Ü8m3*Ÿ:g:{¬¸Òf®öâ
͇|mÎl¤¦|tØ?Xèr†¹?òšpa¯cÀTùF{Èb0}±³„oWüµ•I¾ÝMU>Ëó²-k‰…ÆÞDIÔõüî•«@Ù<ƒ‡K·Ýÿ«&I,‚~)
Ôip èN“u™ÖŽ¦åY3V·ækyàp[D%¨Þ¸j‚î-|ü0(ŠžôÍ}ÍÑëëœÓ¦ƒI€({~Ž`iŽ# h‚¡hB‰
Kþ.Ï ¤$Qá"$XF"‰>Íø>’‚>ŠòúMÞôO¶×?KÒg·yÝgzýÚ«7}QÈÉD“ÍÉä)S¯ÿþ]ßÍw,‘
’äYHQo”‹/ ×€Ù="(Š~ ÐDCaúyHÍèS‚ÏJb¯&ÿ”®I^Ã^W£ä¿‘wŽœ0â?(ï5&ÀÕ´ý‡5þYâÿÆí‡JÿS
®ÀÎ üëóçTÁe•Ÿñ¯ïüõf| ùIåÿÍ´Ù^¡™þÚXÌÆã¶ß¥ÿN3þí“|°Ìa‚sE̦cy\Láê»ÕFÎüFî(ZfO…]ñ¦ã¨õ;ˆíÕx·‡ô,†c™µ(çzÓ-4;çÉVMœn:¯R}=o’0
X…—¦ÍTç\Ï>L“B°Éúê¯/7\ÐÓUÐXšcvl,fŒð‡¢1Ê}lcÑ[Zm±¿YY#ïܽä`xýrMt™Æ÷ã¸ràöD‘×y#×É™/4êTÒ9·5óÅìâ GÓ=S‚ ‹lY3*^$Ö¢=ð)çjS%ÎjÙ‹Kqž6ç«› ÎnÏŽgQ'Q{gJ-;}Ìî´.N3]‘ť… c…Ç5c/ÒìæÕ9åBÙÊUUßVk XrÇ;í°£
rÇÂ’Ò–‚'ÆTH5_?K%>ÂóõºB13f-иU“ŹxZøÇóXÔ
›`k$”$ØoÇÙB•œŽ›[ÝúŠöi’ˆR—øʻڱó*,i-‘¹P}Øýº'Íà°œûžÏõúò×Û‚ÙYSMWSWVy³åf“¯¶öã@Š¯¨ÑSûj¼C?A‘ñ×tøæ@&” € ×Æ'(
„Oú4!Ë …@ÿt †>EÑ!"X!@’!0>Ë@DSÿÛø<ÿÿ_‡€ìÏ KJ„("ÑkƒHø(äˆ@$¸°·õY_©¤"a
如何下载和解密CloudTrail的日志文件?
更新
我添加了以下代码行:
AWSCredentialsProvider cp = new StaticCredentialsProvider(credentials);
InputStream is = s3object2.getObjectContent();
byte[] bytes = IOUtils.toByteArray(is);
ByteBuffer ciphertextBlob = ByteBuffer.wrap(bytes);
AWSKMS kms = AWSKMSClientBuilder.standard().withCredentials(cp).withRegion("eu-central-1").build();
DecryptRequest req = new DecryptRequest().withCiphertextBlob(ciphertextBlob);
ByteBuffer plainText = kms.decrypt(req).getPlaintext();
这给我的错误如下:
Exception in thread "main" com.amazonaws.services.kms.model.InvalidCiphertextException: null (Service: AWSKMS; Status Code: 400; Error Code: InvalidCiphertextException; Request ID: 3260fbb1-51b0-11e7-a1e6-f561a86f2a15)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1588)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1258)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1030)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:742)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:716)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
at com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:3036)
at com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:3012)
at com.amazonaws.services.kms.AWSKMSClient.executeDecrypt(AWSKMSClient.java:811)
at com.amazonaws.services.kms.AWSKMSClient.decrypt(AWSKMSClient.java:787)
at awslogdownloader.TestOne.main(TestOne.java:92)
我检查了S3Object的元数据以查看它是否已加密,并且它为getSSEAlgorithm返回AES256,但getSSEAwsKmsKeyID返回null。
答案 0 :(得分:0)
您需要使用KMS密钥来解密数据。
http://docs.aws.amazon.com/kms/latest/developerguide/programming-encryption.html
ByteBuffer ciphertextBlob = Place your ciphertext here;
DecryptRequest req = new DecryptRequest().withCiphertextBlob(ciphertextBlob);
ByteBuffer plainText = kms.decrypt(req).getPlaintext();