https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-crypto.html
    https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-crypto-masterkey.html
    https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3EncryptionClientBuilder.html
    https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/model/EncryptionMaterials.html
    3 encryption modes when enabling client-side Amazon S3 encryption:
    https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/index.html?com/amazonaws/services/s3/model/CryptoMode.html
        * encryption-only
        * authenticated
            https://aws.amazon.com/blogs/developer/amazon-s3-client-side-authenticated-encryption/
        * strict authenticated

    https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-crypto-kms.html

samples
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-s3.html
    https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-crypto.html

2019
https://medium.com/@ty0h/client-side-encryption-better-to-be-done-in-nodejs-cd0c84681408