# Encrypting Objects on Amazon S3
TECHSCORE blog, published 2016-12-12 (last modified 2018-11-14)
https://www.techscore.com/blog/2016/12/12/amazon-s3-server-side-encryption/

Hello, this is Matsumoto.
This article is the day 12 entry of the TECHSCORE Advent Calendar 2016.

There are five ways to store objects in Amazon S3 in encrypted form.

They fall into two groups according to whether encryption and decryption are performed on the server side (SSE: Server Side Encryption) or on the client side (CSE: Client Side Encryption), and each group is further divided by how the encryption key is managed. The table below summarizes this.

| | Encryption / decryption | Encryption key management |
|---|---|---|
| SSE-S3 | Server | S3 |
| SSE-KMS | Server | KMS |
| SSE-C | Server | Client |
| CSE-KMS | Client | KMS |
| CSE-C | Client | Client |

Note: the two CSE variants do not appear to be distinguished by explicit names, so the table above labels them -C and -KMS provisionally.

This article covers the SSE (Server Side Encryption) options, in which encryption and decryption are handled on the server side.

## SSE-S3

In this mode the encryption key is generated and managed automatically on Amazon S3, which makes it the simplest of the three SSE modes to operate.

Sample PutObject code using the AWS SDK for Java (1.11.63):

```java
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.PutObjectRequest;
import com.amazonaws.services.s3.model.PutObjectResult;

// SSE-S3: ask S3 to encrypt the object with an S3-managed key.
ObjectMetadata metadata = new ObjectMetadata();
metadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
PutObjectRequest request = new PutObjectRequest(bucketName, key, file)
        .withMetadata(metadata);
PutObjectResult result = s3.putObject(request);
```

All you do is set the algorithm in the SSEAlgorithm property of ObjectMetadata. The only algorithm that can be specified is AES-256 (ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION).

GetObject does not require SSEAlgorithm to be specified; the object is retrieved with the usual call.

## SSE-KMS

In this mode the encryption key is managed in AWS KMS (AWS Key Management Service). Keys can be created from the "Encryption keys" menu of the IAM console.

KMS is a paid service, but because it records a usage log for every encryption key, it can satisfy stringent security requirements.

Below is sample PutObject code. The String variable keyId holds the ARN of an encryption key already created in KMS.

```java
import com.amazonaws.services.s3.model.PutObjectRequest;
import com.amazonaws.services.s3.model.PutObjectResult;
import com.amazonaws.services.s3.model.SSEAwsKeyManagementParams;
// SSE-KMS: keyId holds the ARN of the KMS key created beforehand.
SSEAwsKeyManagementParams kmParams = new SSEAwsKeyManagementParams(keyId);
PutObjectRequest request = new PutObjectRequest(bucketName, key, file)
        .withSSEAwsKeyManagementParams(kmParams);
PutObjectResult result = s3.putObject(request);
```

With SSE-KMS, too, GetObject does not require the encryption key to be specified; the object is retrieved with the usual call.

## SSE-C

In this mode the encryption key is created and managed on the application (client) side. When the key you created is passed in the request, S3 performs the encryption and decryption.

A PutObject sample:

```java
import java.security.SecureRandom;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import com.amazonaws.services.s3.model.PutObjectRequest;
import com.amazonaws.services.s3.model.PutObjectResult;
import com.amazonaws.services.s3.model.SSECustomerKey;
// SSE-C: client-generated 256-bit AES key; S3 does not store it, so keep it for GetObject.
KeyGenerator generator = KeyGenerator.getInstance("AES");
generator.init(256, new SecureRandom());
SecretKey secretKey = generator.generateKey();
SSECustomerKey customerKey = new SSECustomerKey(secretKey);
PutObjectRequest request = new PutObjectRequest(bucketName, key, file)
        .withSSECustomerKey(customerKey);
PutObjectResult result = s3.putObject(request);
```

When creating the encryption key, the algorithm (and key length) must be AES-256.

GetObject also requires the same encryption key to be specified.

```java
import com.amazonaws.services.s3.model.GetObjectRequest;
import com.amazonaws.services.s3.model.S3Object;
// The same SSECustomerKey used at upload time must be supplied again.
GetObjectRequest request = new GetObjectRequest(bucketName, key)
        .withSSECustomerKey(customerKey);
S3Object result = s3.getObject(request);
```

## Enforcing encryption

By checking the x-amz-server-side-encryption header in a bucket policy, you can require encryption whenever an object is stored in S3.

The following policies are quoted from the AWS documentation.

Sample bucket policy for SSE-S3:

```json
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

Sample bucket policy for SSE-KMS:

```json
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```

## By the way, what is AES?

AES (Advanced Encryption Standard) is the name of the standard cipher adopted as a United States government standard by the National Institute of Standards and Technology (NIST), a technical agency under the U.S. Department of Commerce; it is the successor to DES (Data Encryption Standard).

In Japan, too, AES is included in the e-Government Recommended Ciphers List drawn up by CRYPTREC (Cryptography Research and Evaluation Committees), a Japanese cryptographic evaluation project made up of the Cryptographic Technology Study Group (METI and MIC), the Cryptographic Technology Evaluation Committee (NICT and IPA), and the Cryptographic Technology Promotion Committee.

## Summary

While reading several articles about encryption in the course of writing this one, I came across a few claiming that the word 復号化 (fukugōka) is wrong and that the correct term is 復号 (fukugō, "decryption").

I myself switched to 復号 some time ago after someone pointed this out to me. The reasoning is that the operation 暗号化 (encryption) changes data into the state 暗号 (cipher), but since there is no state called 復号, you cannot 復号化 ("decryption-ize") anything.

That said, when I looked into it further, I found 復号化 in online dictionaries, and Microsoft's developer documentation uses 復号化 as well.

Language really is an interesting thing... and that was a story with no particular punchline.
