Updates to the S3 Encryption Client (#3328)

Co-authored-by: Ryan Emery <[email protected]>
Co-authored-by: Juli Tera <[email protected]>

Author: 3 people

gems/aws-sdk-s3/CHANGELOG.md

@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Feature - Updates to the S3 Encryption Client. The V3 S3 Encryption Client now requires key committing algorithm suites by default. See migration guide: [link to docs]
+
 1.207.0 (2025-12-15)
 ------------------
 

gems/aws-sdk-s3/README.md

@@ -0,0 +1,135 @@
+# Amazon S3 Encryption Client for Ruby V3
+
+This library provides an S3 client that supports client-side encryption.
+`Aws::S3::EncryptionV3::Client` is the v3 of the Amazon S3 Encryption Client for the Ruby programming language.
+
+The v3 encryption client requires a minimum version of **Ruby >= 2.5**.
+
+Jump To:
+
+* [Getting Started](#getting-started)
+* [Migration](#migration)
+
+## Maintenance and support for SDK major versions
+
+For information about maintenance and support for SDK major versions and their underlying dependencies, see the
+following in the AWS SDKs and Tools Shared Configuration and Credentials Reference Guide:
+
+* [AWS SDKs and Tools Maintenance Policy](https://docs.aws.amazon.com/credref/latest/refdocs/maint-policy.html)
+* [AWS SDKs and Tools Version Support Matrix](https://docs.aws.amazon.com/credref/latest/refdocs/version-support-matrix.html)
+
+### Ruby version support policy
+
+The v3 Encryption Client follows the upstream Ruby [maintenance policy](https://www.ruby-lang.org/en/downloads/branches/)
+with an additional six months of support for the most recently deprecated
+language version.
+
+**AWS reserves the right to drop support for unsupported Ruby versions earlier to
+address critical security issues.**
+
+## Getting Started
+
+1. **Sign up for AWS** – Before you begin, you need to
+   sign up for an AWS account and retrieve your [AWS credentials][docs-signup].
+2. **Minimum requirements** – To run the SDK, your system will need to meet the
+   [minimum requirements][docs-requirements], including having **Ruby >= 2.5**.
+3. **Install the SDK** – Using [Bundler][bundler] is the recommended way to install the
+   AWS SDK for Ruby. The SDK is available via [RubyGems][rubygems] under the
+   [`aws-sdk-s3`][install-rubygems] gem. If Bundler is installed on your system, you can add the following to your Gemfile:
+
+   ```bash
+   gem 'aws-sdk-s3'
+   ```
+
+   Or install the gem directly:
+
+   ```bash
+   gem install aws-sdk-s3
+   ```
+
+   Please see the
+   [Installation section of the Developer Guide][docs-installation] for more
+   detailed information about installing the SDK.
+4. **Using the SDK** – The best way to become familiar with how to use the SDK
+   is to read the [Developer Guide][docs-guide]. The
+   [Getting Started Guide][docs-quickstart] will help you become familiar with
+   the basic concepts.
+
+## Quick Examples
+
+### Create an Amazon S3 Encryption Client
+
+```ruby
+require 'aws-sdk-s3'
+
+# Instantiate an Amazon S3 client.
+s3_client = Aws::S3::Client.new(
+  region: 'us-west-2'
+)
+
+# Instantiate an Amazon S3 Encryption Client V3.
+client = Aws::S3::EncryptionV3::Client.new(
+  client: s3_client,
+  encryption_key: encryption_key,
+  key_wrap_schema: :aes_gcm
+)
+```
+
+### Upload a file to Amazon S3 using client side encryption
+
+```ruby
+require 'aws-sdk-s3'
+require 'aws-sdk-kms'
+
+# Create a KMS client
+kms_client = Aws::KMS::Client.new(
+  region: 'us-east-1'
+)
+
+# Specify your KMS key ID
+kms_key_id = 'your-kms-key-id'
+
+# Create the encryption client
+client = Aws::S3::EncryptionV3::Client.new(
+  kms_key_id: kms_key_id,
+  kms_client: kms_client,
+  key_wrap_schema: :kms_context
+)
+
+# Upload an encrypted object
+bucket = 'the-bucket-name'
+key = 'the-file-name'
+
+result = client.put_object(
+  bucket: bucket,
+  key: key,
+  body: File.open('file-to-encrypt.txt', 'r'),
+  kms_encryption_context: { 'context-key' => 'context-value' }
+)
+```
+
+## Migration
+
+This version of the library supports reading encrypted objects from previous versions with extra configuration.
+It also supports writing objects with non-legacy algorithms.
+The list of legacy modes and operations will be provided below.
+
+* [2.x to 3.x Migration Guide](https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-encryption-migration-v2-v3.html)
+* [1.x to 2.x Migration Guide](https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-encryption-migration-v1-v2.html)
+
+## Security
+
+See [CONTRIBUTING](../../../CONTRIBUTING.md#security-issue-notifications) for more information.
+
+## License
+
+This project is licensed under the Apache-2.0 License.
+
+[docs-signup]: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-config.html
+[docs-requirements]: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-install.html
+[docs-installation]: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-install.html
+[docs-guide]: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/welcome.html
+[docs-quickstart]: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/getting-started.html
+[bundler]: https://bundler.io/
+[rubygems]: https://rubygems.org/
+[install-rubygems]: https://rubygems.org/gems/aws-sdk-s3

gems/aws-sdk-s3/S3_EC_SUPPORT_POLICY.md

@@ -0,0 +1,21 @@
+# Amazon S3 Encryption Client for Ruby - Support Policy
+
+## Overview
+
+This page describes the support policy for the Amazon S3 Encryption Client for Ruby. We regularly provide the Amazon S3 Encryption Client for Ruby with updates that may contain support for new or updated APIs, new features, enhancements, bug fixes, security patches, or documentation updates. Updates may also address changes with dependencies, language runtimes, and operating systems.
+
+We recommend users to stay up-to-date with Amazon S3 Encryption Client for Ruby releases to keep up with the latest features, security updates, and underlying dependencies. Continued use of an unsupported SDK version is not recommended and is done at the user's discretion.
+
+## Major Version Lifecycle
+
+The Amazon S3 Encryption Client for Ruby follows the same major version lifecycle as the AWS SDK. For details on this lifecycle, see [AWS SDKs and Tools Maintenance Policy](https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html#version-life-cycle).
+
+## Version Support Matrix
+
+This table describes the current support status of each major version of the Amazon S3 Encryption Client for Ruby. It also shows the next status each major version will transition to, and the date at which that transition will happen.
+
+| Major version | Current status        | Next status   | Next status date |
+|---------------|-----------------------|---------------|------------------|
+| 3.x           | General Availability  |               |                  |
+| 2.x           | General Availability  | Maintenance   | 2026-06-15       |
+| 1.x           | End of Support        |               |                  |

gems/aws-sdk-s3/lib/aws-sdk-s3/customizations.rb

@@ -6,6 +6,7 @@ module S3
     autoload :BucketRegionCache, 'aws-sdk-s3/bucket_region_cache'
     autoload :Encryption, 'aws-sdk-s3/encryption'
     autoload :EncryptionV2, 'aws-sdk-s3/encryption_v2'
+    autoload :EncryptionV3, 'aws-sdk-s3/encryption_v3'
     autoload :FilePart, 'aws-sdk-s3/file_part'
     autoload :DefaultExecutor, 'aws-sdk-s3/default_executor'
     autoload :FileUploader, 'aws-sdk-s3/file_uploader'

gems/aws-sdk-s3/lib/aws-sdk-s3/encryption/client.rb

@@ -6,9 +6,9 @@ module Aws
   module S3
 
     # [MAINTENANCE MODE] There is a new version of the Encryption Client.
-    # AWS strongly recommends upgrading to the {Aws::S3::EncryptionV2::Client},
+    # AWS strongly recommends upgrading to the {Aws::S3::EncryptionV3::Client},
     # which provides updated data security best practices.
-    # See documentation for {Aws::S3::EncryptionV2::Client}.
+    # See documentation for {Aws::S3::EncryptionV3::Client}.
     # Provides an encryption client that encrypts and decrypts data client-side,
     # storing the encrypted data in Amazon S3.
     #

gems/aws-sdk-s3/lib/aws-sdk-s3/encryption/default_cipher_provider.rb

@@ -16,6 +16,8 @@ def initialize(options = {})
         #   envelope and encryption cipher.
         def encryption_cipher
           cipher = Utils.aes_encryption_cipher(:CBC)
+          ##= ../specification/s3-encryption/data-format/content-metadata.md#algorithm-suite-and-message-format-version-compatibility
+          ##% Objects encrypted with ALG_AES_256_CBC_IV16_NO_KDF MAY use either the V1 or V2 message format version.
           envelope = {
             'x-amz-key' => encode64(encrypt(envelope_key(cipher))),
             'x-amz-iv' => encode64(envelope_iv(cipher)),

gems/aws-sdk-s3/lib/aws-sdk-s3/encryption/encrypt_handler.rb

@@ -38,6 +38,8 @@ def apply_encryption_cipher(context, cipher)
           io = StringIO.new(io) if String === io
           context.params[:body] = IOEncrypter.new(cipher, io)
           context.params[:metadata] ||= {}
+          ##= ../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
+          ##% - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects.
           context.params[:metadata]['x-amz-unencrypted-content-length'] = io.size
           if context.params.delete(:content_md5)
             warn('Setting content_md5 on client side encrypted objects is deprecated')

gems/aws-sdk-s3/lib/aws-sdk-s3/encryption/kms_cipher_provider.rb

@@ -26,6 +26,8 @@ def encryption_cipher
           end
           cipher = Utils.aes_encryption_cipher(:CBC)
           cipher.key = key_data.plaintext
+          ##= ../specification/s3-encryption/data-format/content-metadata.md#algorithm-suite-and-message-format-version-compatibility
+          ##% Objects encrypted with ALG_AES_256_CBC_IV16_NO_KDF MAY use either the V1 or V2 message format version.
           envelope = {
             'x-amz-key-v2' => encode64(key_data.ciphertext_blob),
             'x-amz-iv' => encode64(cipher.iv = cipher.random_iv),