verified in test case testRsaKeyringReEncryptInstructionFile that the third-party client is unable toretrieve the encrypted object in s3 if they do not include the overrideConfiguration with their custom instruction file suffix since it will by default use the original instruction file, not theirs.:

Anirav Kareddy · Anirav Kareddy · commit 5b7b3aecd056 · 2025-07-01T10:30:01.000-07:00
diff --git a/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java b/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java
@@ -82,7 +82,6 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 import java.util.Optional;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionException;
@@ -108,6 +107,7 @@ public class S3EncryptionClient extends DelegatingS3Client {
     // Used for request-scoped encryption contexts for supporting keys
     public static final ExecutionAttribute<Map<String, String>> ENCRYPTION_CONTEXT = new ExecutionAttribute<>("EncryptionContext");
     public static final ExecutionAttribute<MultipartConfiguration> CONFIGURATION = new ExecutionAttribute<>("MultipartConfiguration");
+
     public static final ExecutionAttribute<String> CUSTOM_INSTRUCTION_FILE_SUFFIX = new ExecutionAttribute<>("CustomInstructionFileSuffix");
 
     private final S3Client _wrappedClient;
diff --git a/src/test/java/software/amazon/encryption/s3/S3EncryptionClientReEncryptInstructionFileTest.java b/src/test/java/software/amazon/encryption/s3/S3EncryptionClientReEncryptInstructionFileTest.java
@@ -2,7 +2,6 @@
 
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
-import software.amazon.awssdk.core.Response;
 import software.amazon.awssdk.core.ResponseBytes;
 import software.amazon.awssdk.core.sync.RequestBody;
 import software.amazon.awssdk.protocols.jsoncore.JsonNode;
@@ -268,6 +267,16 @@ public void testRsaKeyringReEncryptInstructionFile() {
     assertEquals(clientEncryptedDataKeyAlgorithm, thirdPartyEncryptedDataKeyAlgorithm);
     assertNotEquals(clientEncryptedDataKey, thirdPartyEncryptedDataKey);
 
+    try {
+      ResponseBytes<GetObjectResponse> thirdPartyDecryptObject = thirdPartyClient.getObjectAsBytes(builder -> builder
+        .bucket(BUCKET)
+        .key(objectKey)
+        .build());
+      throw new RuntimeException("Expected exception");
+    } catch (S3EncryptionClientException e) {
+      assertTrue(e.getMessage().contains("Unable to RSA-OAEP-SHA1 unwrap"));
+    }
+
     ResponseBytes<GetObjectResponse> thirdPartyDecryptedObject = thirdPartyClient.getObjectAsBytes(builder -> builder
       .bucket(BUCKET)
       .key(objectKey)
@@ -285,5 +294,8 @@ public void testRsaKeyringReEncryptInstructionFile() {
     assertEquals(objectKey, reEncryptInstructionFileResponse.Key());
     assertEquals(".third-party-access-instruction-file", reEncryptInstructionFileResponse.InstructionFileSuffix());
 
+    deleteObject(BUCKET, objectKey, client);
+
   }
+
 }
