Class AmazonS3EncryptionClient

All Implemented Interfaces:
AmazonS3, AmazonS3Encryption, com.amazonaws.services.s3.internal.S3DirectSpi

public class AmazonS3EncryptionClient extends AmazonS3Client implements AmazonS3Encryption
Used to perform client-side encryption for storing data securely in S3. Data encryption is done using a one-time randomly generated content encryption key (CEK) per S3 object.

The encryption materials specified in the constructor are used to protect the CEK, which is then stored alongside the S3 object.

  • Field Details

    • USER_AGENT

      public static final String USER_AGENT
  • Constructor Details

    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(EncryptionMaterials encryptionMaterials)

      Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3. If AmazonS3Client.getObject(String, String) is called, the object contents will be decrypted with the encryption materials provided.

      Only a subset of the Amazon S3 API will work with anonymous (i.e. unsigned) requests, but this can prove useful in some situations. For example:

      Parameters:
      encryptionMaterials - The encryption materials to be used to encrypt and decrypt data.
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(EncryptionMaterialsProvider encryptionMaterialsProvider)

      Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3. If AmazonS3Client.getObject(String, String) is called, the object contents will be decrypted with the encryption materials provided.

      Only a subset of the Amazon S3 API will work with anonymous (i.e. unsigned) requests, but this can prove useful in some situations. For example:

      Parameters:
      encryptionMaterialsProvider - A provider for the encryption materials to be used to encrypt and decrypt data.
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(EncryptionMaterials encryptionMaterials, CryptoConfiguration cryptoConfig)

      Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3. If AmazonS3Client.getObject(String, String) is called, the object contents will be decrypted with the encryption materials provided. The encryption implementation of the provided crypto provider will be used to encrypt and decrypt data.

      Only a subset of the Amazon S3 API will work with anonymous (i.e. unsigned) requests, but this can prove useful in some situations. For example:

      Parameters:
      encryptionMaterials - The encryption materials to be used to encrypt and decrypt data.
      cryptoConfig - The crypto configuration whose parameters will be used to encrypt and decrypt data.
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig)

      Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3. If AmazonS3Client.getObject(String, String) is called, the object contents will be decrypted with the encryption materials provided. The encryption implementation of the provided crypto provider will be used to encrypt and decrypt data.

      Only a subset of the Amazon S3 API will work with anonymous (i.e. unsigned) requests, but this can prove useful in some situations. For example:

      Parameters:
      encryptionMaterialsProvider - A provider for the encryption materials to be used to encrypt and decrypt data.
      cryptoConfig - The crypto configuration whose parameters will be used to encrypt and decrypt data.
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterials encryptionMaterials)

      Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided.

      Parameters:
      credentials - The AWS credentials to use when making requests to Amazon S3 with this client.
      encryptionMaterials - The encryption materials to be used to encrypt and decrypt data.
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider)

      Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided.

      Parameters:
      credentials - The AWS credentials to use when making requests to Amazon S3 with this client.
      encryptionMaterialsProvider - A provider for the encryption materials to be used to encrypt and decrypt data.
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider)

      Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided.

      Parameters:
      credentialsProvider - The AWS credentials provider which will provide credentials to authenticate requests with AWS services.
      encryptionMaterialsProvider - A provider for the encryption materials to be used to encrypt and decrypt data.
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterials encryptionMaterials, CryptoConfiguration cryptoConfig)

      Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided. The encryption implementation of the provided crypto provider will be used to encrypt and decrypt data.

      Parameters:
      credentials - The AWS credentials to use when making requests to Amazon S3 with this client.
      encryptionMaterials - The encryption materials to be used to encrypt and decrypt data.
      cryptoConfig - The crypto configuration whose parameters will be used to encrypt and decrypt data.
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig)

      Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided. The encryption implementation of the provided crypto provider will be used to encrypt and decrypt data.

      Parameters:
      credentials - The AWS credentials to use when making requests to Amazon S3 with this client.
      encryptionMaterialsProvider - A provider for the encryption materials to be used to encrypt and decrypt data.
      cryptoConfig - The crypto configuration whose parameters will be used to encrypt and decrypt data.
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig)

      Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided. The encryption implementation of the provided crypto provider will be used to encrypt and decrypt data.

      Parameters:
      credentialsProvider - The AWS credentials provider which will provide credentials to authenticate requests with AWS services.
      encryptionMaterialsProvider - A provider for the encryption materials to be used to encrypt and decrypt data.
      cryptoConfig - The crypto configuration whose parameters will be used to encrypt and decrypt data.
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterials encryptionMaterials, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig)

      Constructs a new Amazon S3 Encryption client using the specified AWS credentials and client configuration to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided. The crypto provider and storage mode denoted in the specified crypto configuration will be used to encrypt and decrypt data.

      Parameters:
      credentials - The AWS credentials to use when making requests to Amazon S3 with this client.
      encryptionMaterials - The encryption materials to be used to encrypt and decrypt data.
      clientConfig - The client configuration options controlling how this client connects to Amazon S3 (ex: proxy settings, retry counts, etc).
      cryptoConfig - The crypto configuration whose parameters will be used to encrypt and decrypt data.
      Throws:
      IllegalArgumentException - If either the encryption materials or the crypto configuration parameter is null.
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig)
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig)
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector)
    • AmazonS3EncryptionClient

      public AmazonS3EncryptionClient(AWSKMSClient kms, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector)
  • Method Details

    • putObject

      public PutObjectResult putObject(PutObjectRequest req)

      Uploads a new object to the specified Amazon S3 bucket. The PutObjectRequest contains all the details of the request, including the bucket to upload to, the key the object will be uploaded under, and the file or input stream containing the data to upload.

      Amazon S3 never stores partial objects; if during this call an exception wasn't thrown, the entire object was stored.

      If you are uploading or accessing AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version

      Depending on whether a file or input stream is being uploaded, this method has slightly different behavior.

      When uploading a file:

      • The client automatically computes a checksum of the file. Amazon S3 uses checksums to validate the data in each file.
      • Using the file extension, Amazon S3 attempts to determine the correct content type and content disposition to use for the object.

      When uploading directly from an input stream:

      • Be careful to set the correct content type in the metadata object before directly sending a stream. Unlike file uploads, content types from input streams cannot be automatically determined. If the caller doesn't explicitly set the content type, it will not be set in Amazon S3.
      • Content length must be specified before data can be uploaded to Amazon S3. Amazon S3 explicitly requires that the content length be sent in the request headers before it will accept any of the data. If the caller doesn't provide the length, the library must buffer the contents of the input stream in order to calculate it.

      If versioning is enabled for the specified bucket, this operation will never overwrite an existing object with the same key, but will keep the existing object as an older version until that version is explicitly deleted (see AmazonS3.deleteVersion(String, String, String)).

      If versioning is not enabled, this operation will overwrite an existing object with the same key; Amazon S3 will store the last write request. Amazon S3 does not provide object locking. If Amazon S3 receives multiple write requests for the same object nearly simultaneously, all of the objects might be stored. However, a single object will be stored with the final write request.

      When specifying a location constraint when creating a bucket, all objects added to the bucket are stored in the bucket's region. For example, if specifying a Europe (EU) region constraint for a bucket, all of that bucket's objects are stored in the EU region.

      The specified bucket must already exist and the caller must have Permission.Write permission to the bucket to upload an object.

      Use EncryptedPutObjectRequest to specify materialsDescription for the EncryptionMaterials to be used for this request. AmazonS3EncryptionClient then uses EncryptionMaterialsAccessor.getEncryptionMaterials(java.util.Map) to retrieve the encryption materials corresponding to the materialsDescription specified in the current request.

      Specified by:
      putObject in interface AmazonS3
      Specified by:
      putObject in interface com.amazonaws.services.s3.internal.S3DirectSpi
      Overrides:
      putObject in class AmazonS3Client
      Parameters:
      req - The request object containing all the parameters to upload a new object to Amazon S3.
      Returns:
      A PutObjectResult object containing the information returned by Amazon S3 for the newly created object.
    • getObject

      public S3Object getObject(GetObjectRequest req)
      Description copied from interface: AmazonS3

      Gets the object stored in Amazon S3 under the specified bucket and key. Returns null if the specified constraints weren't met.

      Callers should be very careful when using this method; the returned Amazon S3 object contains a direct stream of data from the HTTP connection. The underlying HTTP connection cannot be closed until the user finishes reading the data and closes the stream. Callers should therefore:

      • Use the data from the input stream in Amazon S3 object as soon as possible,
      • Close the input stream in Amazon S3 object as soon as possible.

      If callers do not follow those rules, the client can run out of resources by allocating too many open, but unused, HTTP connections.

      To get an object from Amazon S3, the caller must have Permission.Read access to the object.

      If the object fetched is publicly readable, it can also be read by pasting its URL into a browser.

      When specifying constraints in the request object, the client needs to be prepared to handle this method returning null if the provided constraints aren't met when Amazon S3 receives the request.

      If the advanced options provided in GetObjectRequest aren't needed, use the simpler AmazonS3.getObject(String bucketName, String key) method.

      If you are accessing AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version

      Specified by:
      getObject in interface AmazonS3
      Specified by:
      getObject in interface com.amazonaws.services.s3.internal.S3DirectSpi
      Overrides:
      getObject in class AmazonS3Client
      Parameters:
      req - The request object containing all the options on how to download the object.
      Returns:
      The object stored in Amazon S3 in the specified bucket and key. Returns null if constraints were specified but not met.
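The stream rules given for putObject and getObject above, shown as an added example that is not part of the SDK documentation. The class and method names (EncryptedRoundTrip, newClient, put, get) are hypothetical; the caller is assumed to supply the credentials provider and an AES key used as the key-encrypting key.

```java
import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3EncryptionClient;
import com.amazonaws.services.s3.model.CryptoConfiguration;
import com.amazonaws.services.s3.model.CryptoStorageMode;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.GetObjectRequest;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.PutObjectRequest;
import com.amazonaws.services.s3.model.S3Object;
import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.crypto.SecretKey;

/** Hypothetical helper class: encrypted upload from a stream and a leak-free download. */
public class EncryptedRoundTrip {

    /** Builds a signed-request client whose wrapped CEK is kept in the object's metadata. */
    static AmazonS3EncryptionClient newClient(AWSCredentialsProvider credentials, SecretKey kek) {
        CryptoConfiguration crypto =
                new CryptoConfiguration().withStorageMode(CryptoStorageMode.ObjectMetadata);
        return new AmazonS3EncryptionClient(
                credentials,
                new StaticEncryptionMaterialsProvider(new EncryptionMaterials(kek)),
                new ClientConfiguration(),
                crypto);
    }

    /** Uploads from an input stream: content length and type must be set by the caller. */
    static void put(AmazonS3EncryptionClient client, String bucket, String key,
                    byte[] plaintext, String contentType) {
        ObjectMetadata metadata = new ObjectMetadata();
        metadata.setContentLength(plaintext.length);   // avoids buffering the whole stream
        metadata.setContentType(contentType);          // cannot be inferred from a stream
        client.putObject(
                new PutObjectRequest(bucket, key, new ByteArrayInputStream(plaintext), metadata));
    }

    /** Downloads and decrypts, closing the HTTP-backed stream as soon as it is drained. */
    static byte[] get(AmazonS3EncryptionClient client, String bucket, String key)
            throws IOException {
        S3Object object = client.getObject(new GetObjectRequest(bucket, key));
        if (object == null) {
            return null;                               // request constraints were not met
        }
        try (InputStream in = object.getObjectContent()) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buffer = new byte[8192];
            for (int n; (n = in.read(buffer)) != -1; ) {
                out.write(buffer, 0, n);
            }
            return out.toByteArray();
        }
    }
}
```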
    • getObject

      public ObjectMetadata getObject(GetObjectRequest req, File dest)
      Description copied from interface: AmazonS3

      Gets the object metadata for the object stored in Amazon S3 under the specified bucket and key, and saves the object contents to the specified file. Returns null if the specified constraints weren't met.

      Instead of using AmazonS3.getObject(GetObjectRequest), use this method to ensure that the underlying HTTP stream resources are automatically closed as soon as possible. The Amazon S3 client handles immediate storage of the object contents to the specified file.

      To get an object from Amazon S3, the caller must have Permission.Read access to the object.

      If the object fetched is publicly readable, it can also be read by pasting its URL into a browser.

      When specifying constraints in the request object, the client needs to be prepared to handle this method returning null if the provided constraints aren't met when Amazon S3 receives the request.

      If you are accessing AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version

      Specified by:
      getObject in interface AmazonS3
      Specified by:
      getObject in interface com.amazonaws.services.s3.internal.S3DirectSpi
      Overrides:
      getObject in class AmazonS3Client
      Parameters:
      req - The request object containing all the options on how to download the Amazon S3 object content.
      dest - Indicates the file (which might already exist) where to save the object content being downloaded from Amazon S3.
      Returns:
      All S3 object metadata for the specified object. Returns null if constraints were specified but not met.
    • deleteObject

      public void deleteObject(DeleteObjectRequest req)
      Description copied from interface: AmazonS3

      Deletes the specified object in the specified bucket. Once deleted, the object can only be restored if versioning was enabled when the object was deleted.

      If attempting to delete an object that does not exist, Amazon S3 will return a success message instead of an error message.

      Specified by:
      deleteObject in interface AmazonS3
      Overrides:
      deleteObject in class AmazonS3Client
      Parameters:
      req - The request object containing all options for deleting an Amazon S3 object.
    • completeMultipartUpload

      public CompleteMultipartUploadResult completeMultipartUpload(CompleteMultipartUploadRequest req)
      Description copied from interface: AmazonS3
      Completes a multipart upload by assembling previously uploaded parts.

      You first upload all parts using the AmazonS3.uploadPart(UploadPartRequest) method. After successfully uploading all individual parts of an upload, you call this operation to complete the upload. Upon receiving this request, Amazon S3 concatenates all the parts in ascending order by part number to create a new object. In the CompleteMultipartUpload request, you must provide the parts list. For each part in the list, you provide the part number and the ETag header value, returned after that part was uploaded.

      Processing of a CompleteMultipartUpload request may take several minutes to complete.

      If you are performing a complete multipart upload for AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version

      Specified by:
      completeMultipartUpload in interface AmazonS3
      Specified by:
      completeMultipartUpload in interface com.amazonaws.services.s3.internal.S3DirectSpi
      Overrides:
      completeMultipartUpload in class AmazonS3Client
      Parameters:
      req - The CompleteMultipartUploadRequest object that specifies all the parameters of this operation.
      Returns:
      A CompleteMultipartUploadResult from S3 containing the ETag for the new object composed of the individual parts.
    • initiateMultipartUpload

      public InitiateMultipartUploadResult initiateMultipartUpload(InitiateMultipartUploadRequest req)
      Initiates a multipart upload and returns an InitiateMultipartUploadResult which contains an upload ID. This upload ID associates all the parts in the specific upload and is used in each of your subsequent AmazonS3.uploadPart(UploadPartRequest) requests. You also include this upload ID in the final request to either complete, or abort the multipart upload request.

      Note: After you initiate a multipart upload and upload one or more parts, you must either complete or abort the multipart upload in order to stop getting charged for storage of the uploaded parts. Once you complete or abort the multipart upload Amazon S3 will release the stored parts and stop charging you for their storage.

      If you are initiating a multipart upload for AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version

      Use EncryptedInitiateMultipartUploadRequest to specify materialsDescription for the EncryptionMaterials to be used for this request. AmazonS3EncryptionClient then uses EncryptionMaterialsAccessor.getEncryptionMaterials(java.util.Map) to retrieve the encryption materials corresponding to the materialsDescription specified in the current request.

      Specified by:
      initiateMultipartUpload in interface AmazonS3
      Specified by:
      initiateMultipartUpload in interface com.amazonaws.services.s3.internal.S3DirectSpi
      Overrides:
      initiateMultipartUpload in class AmazonS3Client
      Parameters:
      req - The InitiateMultipartUploadRequest object that specifies all the parameters of this operation.
      Returns:
      An InitiateMultipartUploadResult from Amazon S3.
    • uploadPart

      public UploadPartResult uploadPart(UploadPartRequest uploadPartRequest) throws AmazonClientException, AmazonServiceException
      Uploads a part in a multipart upload. You must initiate a multipart upload before you can upload any part.

      Your UploadPart request must include an upload ID and a part number. The upload ID is the ID returned by Amazon S3 in response to your Initiate Multipart Upload request. Part number can be any number between 1 and 10,000, inclusive. A part number uniquely identifies a part and also defines its position within the object being uploaded. If you upload a new part using the same part number that was specified in uploading a previous part, the previously uploaded part is overwritten.

      To ensure data is not corrupted traversing the network, specify the Content-MD5 header in the Upload Part request. Amazon S3 checks the part data against the provided MD5 value. If they do not match, Amazon S3 returns an error.

      When you upload a part, the returned UploadPartResult contains an ETag property. You should record this ETag property value and the part number. After uploading all parts, you must send a CompleteMultipartUpload request. At that time Amazon S3 constructs a complete object by concatenating all the parts you uploaded, in ascending order based on the part numbers. The CompleteMultipartUpload request requires you to send all the part numbers and the corresponding ETag values.

      Note: After you initiate a multipart upload and upload one or more parts, you must either complete or abort the multipart upload in order to stop getting charged for storage of the uploaded parts. Once you complete or abort the multipart upload Amazon S3 will release the stored parts and stop charging you for their storage.

      If you are performing upload part for AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version

      NOTE: Because the encryption process requires context from block N-1 in order to encrypt block N, parts uploaded with the AmazonS3EncryptionClient (as opposed to the normal AmazonS3Client) must be uploaded serially, and in order. Otherwise, the previous encryption context isn't available to use when encrypting the current part.

      Specified by:
      uploadPart in interface AmazonS3
      Specified by:
      uploadPart in interface com.amazonaws.services.s3.internal.S3DirectSpi
      Overrides:
      uploadPart in class AmazonS3Client
      Parameters:
      uploadPartRequest - The UploadPartRequest object that specifies all the parameters of this operation.
      Returns:
      An UploadPartResult from Amazon S3 containing the part number and ETag of the new part.
      Throws:
      AmazonClientException - If any errors are encountered in the client while making the request or handling the response.
      AmazonServiceException - If any errors occurred in Amazon S3 while processing the request.
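One way to honour the serial, in-order requirement for encrypted parts, together with the complete-or-abort rule, as an added example that is not part of the SDK documentation. The class and method names are hypothetical, and the client passed in is assumed to be an AmazonS3EncryptionClient.

```java
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.model.AbortMultipartUploadRequest;
import com.amazonaws.services.s3.model.CompleteMultipartUploadRequest;
import com.amazonaws.services.s3.model.CompleteMultipartUploadResult;
import com.amazonaws.services.s3.model.InitiateMultipartUploadRequest;
import com.amazonaws.services.s3.model.PartETag;
import com.amazonaws.services.s3.model.UploadPartRequest;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper: multipart upload through the encryption client, one part at a time. */
public class SerialEncryptedMultipart {
    // 5 MiB: S3's minimum size for every part except the last.
    static final long PART_SIZE = 5L * 1024 * 1024;
    static final int MAX_PARTS = 10000;          // part numbers run from 1 to 10,000

    /** Number of parts needed for a file of the given length. */
    static int partCount(long fileLength, long partSize) {
        return (int) ((fileLength + partSize - 1) / partSize);
    }

    static CompleteMultipartUploadResult upload(AmazonS3 encryptionClient, String bucket,
                                                String key, File file) {
        long length = file.length();
        int parts = partCount(length, PART_SIZE);
        if (parts < 1 || parts > MAX_PARTS) {
            throw new IllegalArgumentException("file needs " + parts + " parts; allowed 1.." + MAX_PARTS);
        }
        String uploadId = encryptionClient
                .initiateMultipartUpload(new InitiateMultipartUploadRequest(bucket, key))
                .getUploadId();
        List<PartETag> etags = new ArrayList<PartETag>();
        try {
            // One thread, ascending part numbers: part N is encrypted with the
            // context left behind by part N-1, so no executor or parallel stream here.
            for (int n = 1; n <= parts; n++) {
                long offset = (n - 1) * PART_SIZE;
                UploadPartRequest part = new UploadPartRequest()
                        .withBucketName(bucket)
                        .withKey(key)
                        .withUploadId(uploadId)
                        .withPartNumber(n)
                        .withFile(file)
                        .withFileOffset(offset)
                        .withPartSize(Math.min(PART_SIZE, length - offset))
                        .withLastPart(n == parts);   // marks where the encrypted stream ends
                etags.add(encryptionClient.uploadPart(part).getPartETag());
            }
            return encryptionClient.completeMultipartUpload(
                    new CompleteMultipartUploadRequest(bucket, key, uploadId, etags));
        } catch (RuntimeException e) {
            // Abort so the parts already stored are released and no longer billed.
            encryptionClient.abortMultipartUpload(
                    new AbortMultipartUploadRequest(bucket, key, uploadId));
            throw e;
        }
    }
}
```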
    • copyPart

      public CopyPartResult copyPart(CopyPartRequest copyPartRequest)
      Description copied from class: AmazonS3Client
      Copies a source object to a part of a multipart upload. To copy an object, the caller's account must have read access to the source object and write access to the destination bucket.

      If constraints are specified in the CopyPartRequest (e.g. CopyPartRequest.setMatchingETagConstraints(List)) and are not satisfied when Amazon S3 receives the request, this method returns null. This method returns a non-null result under all other circumstances.

      Specified by:
      copyPart in interface AmazonS3
      Specified by:
      copyPart in interface com.amazonaws.services.s3.internal.S3DirectSpi
      Overrides:
      copyPart in class AmazonS3Client
      Parameters:
      copyPartRequest - The request object containing all the options for copying an Amazon S3 object.
      Returns:
      A CopyPartResult object containing the information returned by Amazon S3 about the newly created object, or null if constraints were specified that weren't met when Amazon S3 attempted to copy the object.
    • abortMultipartUpload

      public void abortMultipartUpload(AbortMultipartUploadRequest req)
      Description copied from interface: AmazonS3
      Aborts a multipart upload. After a multipart upload is aborted, no additional parts can be uploaded using that upload ID. The storage consumed by any previously uploaded parts will be freed. However, if any part uploads are currently in progress, those part uploads may or may not succeed. As a result, it may be necessary to abort a given multipart upload multiple times in order to completely free all storage consumed by all parts.
      Specified by:
      abortMultipartUpload in interface AmazonS3
      Specified by:
      abortMultipartUpload in interface com.amazonaws.services.s3.internal.S3DirectSpi
      Overrides:
      abortMultipartUpload in class AmazonS3Client
      Parameters:
      req - The AbortMultipartUploadRequest object that specifies all the parameters of this operation.
    • putInstructionFile

      public PutObjectResult putInstructionFile(PutInstructionFileRequest req)
      Creates a new crypto instruction file by re-encrypting the CEK of an existing encrypted S3 object with a new encryption material identifiable via a new set of material description.

      The user of this method is responsible for explicitly deleting or updating the instruction file so created should the corresponding S3 object be deleted or created.

      Returns:
      the result of the put (instruction file) operation.
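The envelope scheme from the class overview (a one-time CEK per object, protected by the encryption materials and stored with the object) and the CEK re-encryption that putInstructionFile performs can be modelled offline with plain JCE. This is an added example, not SDK code: the class, the map field names, the AES-GCM content cipher and the AESWrap key wrapping are assumptions chosen for illustration and do not reproduce the SDK's algorithms or storage format.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Conceptual model of envelope encryption. Not the SDK's code, algorithms or storage format. */
public class EnvelopeModel {
    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for what is stored: the ciphertext plus the envelope protecting its CEK. */
    static final class StoredObject {
        final byte[] ciphertext;
        final Map<String, String> envelope;
        StoredObject(byte[] c, Map<String, String> e) { ciphertext = c; envelope = e; }
    }

    static SecretKey newAesKey() throws GeneralSecurityException {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256, RNG);
        return generator.generateKey();
    }

    /** Wraps the CEK under a KEK; the map stands in for object metadata or an instruction file. */
    static Map<String, String> wrapCek(SecretKey cek, SecretKey kek, byte[] iv, String kekId)
            throws GeneralSecurityException {
        Cipher wrap = Cipher.getInstance("AESWrap");
        wrap.init(Cipher.WRAP_MODE, kek);
        Map<String, String> envelope = new HashMap<>();   // field names are hypothetical
        envelope.put("wrapped-cek", Base64.getEncoder().encodeToString(wrap.wrap(cek)));
        envelope.put("iv", Base64.getEncoder().encodeToString(iv));
        envelope.put("materials-description", kekId);
        return envelope;
    }

    static SecretKey unwrapCek(Map<String, String> envelope, SecretKey kek)
            throws GeneralSecurityException {
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, kek);
        byte[] wrapped = Base64.getDecoder().decode(envelope.get("wrapped-cek"));
        return (SecretKey) unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    static StoredObject encrypt(byte[] plaintext, SecretKey kek, String kekId)
            throws GeneralSecurityException {
        SecretKey cek = newAesKey();              // one-time key, used for this object only
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, cek, new GCMParameterSpec(128, iv));
        return new StoredObject(gcm.doFinal(plaintext), wrapCek(cek, kek, iv, kekId));
    }

    static byte[] decrypt(byte[] ciphertext, Map<String, String> envelope, SecretKey kek)
            throws GeneralSecurityException {
        SecretKey cek = unwrapCek(envelope, kek);
        byte[] iv = Base64.getDecoder().decode(envelope.get("iv"));
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, cek, new GCMParameterSpec(128, iv));
        return gcm.doFinal(ciphertext);           // throws if ciphertext or tag was altered
    }

    /** Models putInstructionFile: the same CEK re-wrapped under a new KEK, ciphertext untouched. */
    static Map<String, String> rewrap(Map<String, String> envelope, SecretKey oldKek,
            SecretKey newKek, String newKekId) throws GeneralSecurityException {
        byte[] iv = Base64.getDecoder().decode(envelope.get("iv"));
        return wrapCek(unwrapCek(envelope, oldKek), newKek, iv, newKekId);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey kekV1 = newAesKey();
        SecretKey kekV2 = newAesKey();
        byte[] payload = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        StoredObject obj = encrypt(payload, kekV1, "kek-v1");
        Map<String, String> instruction = rewrap(obj.envelope, kekV1, kekV2, "kek-v2");
        System.out.println("original envelope decrypts: "
                + Arrays.equals(payload, decrypt(obj.ciphertext, obj.envelope, kekV1)));
        System.out.println("re-wrapped envelope decrypts: "
                + Arrays.equals(payload, decrypt(obj.ciphertext, instruction, kekV2)));
        try {
            decrypt(obj.ciphertext, obj.envelope, kekV2);   // KEK that never wrapped this CEK
        } catch (GeneralSecurityException e) {
            System.out.println("wrong KEK rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Because only the small wrapped-key record changes, rotating the key-encrypting key never touches the object's ciphertext; the old envelope stays usable until it is deleted, which is why the instruction file has to be cleaned up explicitly.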
    • shutdown

      public void shutdown()
      Shuts down this client object, releasing any resources that might be held open. This is an optional method, and callers are not expected to call it, but can if they want to explicitly release any open resources. Once a client has been shutdown, it should not be used to make any more requests.

      If a default internal KMS client has been constructed, it will also be shut down by calling this method. Otherwise, users who provided the KMS client are responsible for shutting it down outside of this method.

      Overrides:
      shutdown in class AmazonWebServiceClient
    • uploadObject

      Used to encrypt data first to disk with pipelined concurrent multi-part uploads to S3. This method enables significant speed-up of encrypting and uploading large payloads to Amazon S3 via pipelining and parallel uploads by consuming temporary disk space.

      There are many ways you can customize the behavior of this method, including

      • the configuration of your own custom thread pool
      • the part size of each multi-part upload request; by default, a temporary ciphertext file is generated per part and gets uploaded immediately to S3
      • the maximum temporary disk space that must not be exceeded by execution of this request; by default, the encryption will block upon hitting the limit and will only resume when the in-flight uploads catch up by releasing the temporary disk space upon successful uploads of the completed parts
      • the configuration of your own MultiFileOutputStream for custom pipeline behavior
      • the configuration of your own UploadObjectObserver for custom multi-part upload behavior

      A request is handled with the following life cycle, calling the necessary Service Provider Interface:

      1. A thread pool is constructed (or retrieved from the request) for the execution of concurrent upload tasks to be submitted by the UploadObjectObserver
      2. An UploadObjectObserver is constructed (or retrieved from the request) for execution of concurrent uploads to S3
      3. Initialize the UploadObjectObserver
      4. Initialize a multi-part upload request to S3 by calling UploadObjectObserver.onUploadInitiation(UploadObjectRequest)
      5. A MultiFileOutputStream is constructed (or retrieved from the request) which serves as the pipeline for incremental (but serial) encryption to disk with concurrent multipart uploads to S3 whenever the parts on the disk are ready
      6. Initialize the MultiFileOutputStream
      7. Kicks off the pipeline for incremental encryption to disk with pipelined concurrent multi-part uploads to S3
      8. For every part encrypted into a temporary file on disk, it is uploaded by calling UploadObjectObserver.onPartCreate(PartCreationEvent)
      9. Finally, clean up and complete the multi-part upload by calling UploadObjectObserver.onCompletion(List).
      Returns:
      the result of the completed multi-part uploads
      Throws:
      IOException - if the encryption to disk failed
      InterruptedException - if the current thread was interrupted while waiting
      ExecutionException - if the concurrent uploads threw an exception