diff --git a/pkgs/development/python-modules/aws-encryption-sdk/default.nix b/pkgs/development/python-modules/aws-encryption-sdk/default.nix
new file mode 100644
index 0000000000000..6088e22e80d7f
--- /dev/null
+++ b/pkgs/development/python-modules/aws-encryption-sdk/default.nix
@@ -0,0 +1,54 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, attrs
+, boto3
+, cryptography
+, setuptools
+, wrapt
+, mock
+, pytest
+, pytest-mock
+, pytestCheckHook
+}:
+
+buildPythonPackage rec {
+  pname = "aws-encryption-sdk";
+  version = "3.1.1";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-jV+/AY/GjWscrL5N0Df9gFKWx3Nqn+RX62hNBT9/lWM=";
+  };
+
+  propagatedBuildInputs = [
+    attrs
+    boto3
+    cryptography
+    setuptools
+    wrapt
+  ];
+
+  doCheck = true;
+
+  nativeCheckInputs = [
+    mock
+    pytest
+    pytest-mock
+    pytestCheckHook
+  ];
+
+  disabledTestPaths = [
+    # requires networking
+    "examples"
+    "test/integration"
+  ];
+
+  meta = with lib; {
+    homepage = "https://aws-encryption-sdk-python.readthedocs.io/";
+    changelog = "https://github.com/aws/aws-encryption-sdk-python/blob/v${version}/CHANGELOG.rst";
+    description = "Fully compliant, native Python implementation of the AWS Encryption SDK.";
+    license = licenses.apsl20;
+    maintainers = with maintainers; [ anthonyroussel ];
+  };
+}
diff --git a/pkgs/development/python-modules/base64io/default.nix b/pkgs/development/python-modules/base64io/default.nix
new file mode 100644
index 0000000000000..8e5b121759fc4
--- /dev/null
+++ b/pkgs/development/python-modules/base64io/default.nix
@@ -0,0 +1,29 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, mock
+, pytestCheckHook
+}:
+
+buildPythonPackage rec {
+  pname = "base64io";
+  version = "1.0.3";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-JPLQ/nZcNTOeGy0zqpX5E3sbdltZQWT60QFsFYJ6cHM=";
+  };
+
+  nativeCheckInputs = [
+    mock
+    pytestCheckHook
+  ];
+
+  meta = with lib; {
+    homepage = "https://base64io-python.readthedocs.io/";
+    changelog = "https://github.com/aws/base64io-python/blob/${version}/CHANGELOG.rst";
+    description = "Python stream implementation for base64 encoding/decoding";
+    license = licenses.apsl20;
+    maintainers = with maintainers; [ anthonyroussel ];
+  };
+}
diff --git a/pkgs/tools/admin/aws-encryption-sdk-cli/default.nix b/pkgs/tools/admin/aws-encryption-sdk-cli/default.nix
new file mode 100644
index 0000000000000..29b51a678dbf9
--- /dev/null
+++ b/pkgs/tools/admin/aws-encryption-sdk-cli/default.nix
@@ -0,0 +1,52 @@
+{ lib
+, python3Packages
+, fetchPypi
+, nix-update-script
+, testers
+, aws-encryption-sdk-cli
+}:
+
+python3Packages.buildPythonApplication rec {
+  pname = "aws-encryption-sdk-cli";
+  version = "4.1.0";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-OCbt0OkDVfpzUIogbsKzaPAle2L6l6N3cmZoS2hEaSM=";
+  };
+
+  propagatedBuildInputs = with python3Packages; [
+    attrs
+    aws-encryption-sdk
+    base64io
+  ];
+
+  doCheck = true;
+
+  nativeCheckInputs = with python3Packages; [
+    mock
+    pytest-mock
+    pytestCheckHook
+  ];
+
+  disabledTestPaths = [
+    # requires networking
+    "test/integration"
+  ];
+
+  passthru = {
+    updateScript = nix-update-script { };
+    tests.version = testers.testVersion {
+      package = aws-encryption-sdk-cli;
+      command = "aws-encryption-cli --version";
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://aws-encryption-sdk-cli.readthedocs.io/";
+    changelog = "https://github.com/aws/aws-encryption-sdk-cli/blob/v${version}/CHANGELOG.rst";
+    description = "CLI wrapper around aws-encryption-sdk-python";
+    license = licenses.apsl20;
+    maintainers = with maintainers; [ anthonyroussel ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 66e04b69fb523..ee436c759b8d9 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -3331,6 +3331,8 @@ with pkgs;
 
   aliyun-cli = callPackage ../tools/admin/aliyun-cli { };
 
+  aws-encryption-sdk-cli = callPackage ../tools/admin/aws-encryption-sdk-cli { };
+
   aws-iam-authenticator = callPackage ../tools/security/aws-iam-authenticator { };
 
   awscli = callPackage ../tools/admin/awscli { };
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index ff7569c7ca031..8910d95ccf57c 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -951,6 +951,8 @@ self: super: with self; {
 
   aws-adfs = callPackage ../development/python-modules/aws-adfs { };
 
+  aws-encryption-sdk = callPackage ../development/python-modules/aws-encryption-sdk { };
+
   aws-lambda-builders = callPackage ../development/python-modules/aws-lambda-builders { };
 
   aws-sam-translator = callPackage ../development/python-modules/aws-sam-translator { };
@@ -1291,6 +1293,8 @@ self: super: with self; {
 
   base58check = callPackage ../development/python-modules/base58check { };
 
+  base64io = callPackage ../development/python-modules/base64io { };
+
   baseline = callPackage ../development/python-modules/baseline { };
 
   baselines = callPackage ../development/python-modules/baselines { };