2
我试图下载存储在S3存储桶中的CloudTrail日志文件,但是当我收到该文件时,无法读取该文件,直到我意识到它可以按照说here加密并且我不知道如何解密文件。下载并解密存储桶中的加密AWS CloudTrail日志
这里是我的代码:
AWSCredentials credentials = new BasicAWSCredentials(prop.getProperty("provider.aws01.username"), prop.getProperty("provider.aws01.password"));
s3client = new AmazonS3Client(credentials);
S3Object s3object = s3client.getObject(new GetObjectRequest(
bucketName, "examplecloudtraillog.json.gz"));
System.out.println("Encrypted with: " +
s3object.getObjectMetadata().getSSEAlgorithm());
InputStream is = s3object.getObjectContent();
OutputStream outputStream =
new FileOutputStream(new File("test.txt"));
int read = 0;
byte[] bytes = new byte[1024];
while ((read = is.read(bytes)) != -1) {
outputStream.write(bytes, 0, read);
}
System.out.println("Done!");
当我收到它看起来像乱码的文件,这里是输出文件:
‹ ÅUÛ²¢Xý•
_OQr¿øxDÅž‰Ž
{£ÈU6 Xqþ½Ásº«ººª§f¢#&‚13W^ȵòóÈFA^B<šüòy„”U.*q”g£ÉˆúDr£££Rƒ½%ªºÑäó¨ê
Ô[åÃn‡Ê&
PïeM#¨ô#П@
yîøS§£×oÐN”‘4I É4ïP„•&”p½»ìòº'\áoPÞ=Öà "c\§ÈΓ!}ïb£ó[Õ¨&‚Þ Aõ&üÔ,ÂaüÝúÞz”Ï}Øì%ºÕW(ûìU?¡aeŸ|×cöyß‹Š’”‰
|DQ!I±<=÷~r9ÔÊlÒƒN"N&´HR4-J$ÉÓ“Ág,Ã4ʆiõ•y†Ñ,Ai_Ô3[P¢çG Éó¿%vú±Èóm>õŽð1S0˜*ÎúQu.k½mœÍÌÎdö(ëMÆY³é^““±W÷R ÈNsS ˦8Ž—]‘å÷1[R'na60Úé†>øW²Ž5P-²û©8¢:®Z†Kk'ÎwDh¯£ÐòºÙ[email protected]æBƒ¾” ÎiWšb…xm+ÇìVsö|ö,ÕvõZÜR;\ŽYÅÁW4³¥\n*wÖŦ*u{+im¨®USÎÇ×ÇÊ÷뛚:GYZ\ð‹M{w-Œ‹–aòrIÎö
FÙtetÝ]´Óþø’^¬sŠo/;u,šóQÝýó(âA~Ñ7‹Ònzé.;ºÜI’¼‚Øç7öù‡>Ôö‘;Rr_ny;¥Øl=ŸÝ ~Õxööq
Pw0´§E·N÷صÎè%·È¡$8Ë¡ÊS|,û§NpÎ]ìÒ‚tÚ—ÙÅœ‡Á9¸«ÛÄ×ÝlãTÛUwne
o3–Ü«u!CeKzjÜr÷½,³ëã}®®3èÑX§Çêa(”$Ù9Ü8m3*Ÿ:g:{¬¸Òf®öâ
͇|mÎl¤¦|tØ?Xèr†¹?òšpa¯cÀTùF{Èb0}±³„oWüµ•I¾ÝMU>Ëó²-k‰…ÆÞDIÔõüî•«@Ù<ƒ‡K·Ýÿ«&I,‚~)
Ôip èN“u™ÖŽ¦åY3V·ækyàp[D%¨Þ¸j‚î-|ü0(ŠžôÍ}ÍÑëëœÓ¦ƒI€({~Ž`iŽ# h‚¡hB‰
Kþ.Ï ¤$Qá"$XF"‰>Íø>’‚>ŠòúMÞôO¶×?KÒg·yÝgzýÚ«7}QÈÉD“ÍÉä)S¯ÿþ]ßÍw,‘
’äYHQo”‹/ ×€Ù="(Š~ ÐDCaúyHÍèS‚ÏJb¯&ÿ”®I^Ã^W£ä¿‘wŽœ0â?(ï5&ÀÕ´ý‡5þYâÿÆí‡JÿS
®ÀÎ üëóçTÁe•Ÿñ¯ïüõf| ùIåÿÍ´Ù^¡™þÚXÌÆã¶ß¥ÿN3þí“|°Ìa‚sE̦cy\Láê»ÕFÎüFî(ZfO…]ñ¦ã¨õ;ˆíÕx·‡ô,†c™µ(çzÓ-4;çÉVMœn:¯R}=o’0
X…—¦ÍTç\Ï>L“B°Éúê¯/7\ÐÓUÐXšcvl,fŒð‡¢1Ê}lcÑ[Zm±¿YY#ïܽä`xýrMt™Æ÷ã¸ràöD‘×y#×É™/4êTÒ9·5óÅìâ GÓ=S‚ ‹lY3*^$Ö¢=ð)çjS%ÎjÙ‹Kqž6ç«› ÎnÏŽgQ'Q{gJ-;}Ìî´.N3]‘ť… c…Ç5c/ÒìæÕ9åBÙÊUUßVk XrÇ;í°£
rÇÂ’Ò–‚'ÆTH5_?K%>ÂóõºB13f-иU“ŹxZøÇóXÔ
›`k$”$ØoÇÙB•œŽ›[ÝúŠöi’ˆR—øʻڱó*,i-‘¹P}Øýº'Íà°œûžÏõúò×Û‚ÙYSMWSWVy³åf“¯¶öã@Š¯¨ÑSûj¼C?A‘ñ×tøæ@&” € ×Æ'(
„Oú4!Ë …@ÿt †>EÑ!"[email protected]’!0>Ë@DSÿÛø<ÿÿ_‡€ìÏ KJ„("ÑkƒHø(äˆ@$¸°·õY_©¤"a
如何下载和解密CloudTrail的日志文件?
UPDATE
我添加几行代码如下:
AWSCredentialsProvider cp = new StaticCredentialsProvider(credentials);
InputStream is = s3object2.getObjectContent();
byte[] bytes = IOUtils.toByteArray(is);
ByteBuffer ciphertextBlob = ByteBuffer.wrap(bytes);
AWSKMS kms = AWSKMSClientBuilder.standard().withCredentials(cp).withRegion("eu-central-1").build();
DecryptRequest req = new DecryptRequest().withCiphertextBlob(ciphertextBlob);
ByteBuffer plainText = kms.decrypt(req).getPlaintext();
这给了我错误如下:
Exception in thread "main" com.amazonaws.services.kms.model.InvalidCiphertextException: null (Service: AWSKMS; Status Code: 400; Error Code: InvalidCiphertextException; Request ID: 3260fbb1-51b0-11e7-a1e6-f561a86f2a15)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1588)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1258)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1030)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:742)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:716)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
at com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:3036)
at com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:3012)
at com.amazonaws.services.kms.AWSKMSClient.executeDecrypt(AWSKMSClient.java:811)
at com.amazonaws.services.kms.AWSKMSClient.decrypt(AWSKMSClient.java:787)
at awslogdownloader.TestOne.main(TestOne.java:92)
我查了S3Object的元数据看看它是否被加密,并且返回getSSEAlgorithm的AES256,但getSSEAwsKmsKeyID返回null。
我需要以解密它还是会自动加载首先下载并获得KMS密钥?我尝试获取用于加密日志文件的KMS密钥ID,但它返回空值 –
我尝试了您的建议(请参阅更新),但它给了我错误的InvalidCiphertextException,因为密文可能已损坏或无效。我甚至不确定日志文件是否被正确加密。 –