AWS KMS CMP does not provide hook to enforce key ID on decrypt #14

mattsb42-aws · 2018-04-26T23:37:28Z

The AWS KMS CMP needs to provide an override mechanism to fail decryption if the decrypted key ID does not match the key ID that the CMP was created for.

https://github.com/awslabs/aws-dynamodb-encryption-java/blob/master/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/DirectKmsMaterialProvider.java#L129-L130

https://github.com/awslabs/aws-dynamodb-encryption-java/blob/master/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/DirectKmsMaterialProvider.java#L213-L222

Sync master with public repo

mattsb42-aws added the enhancement label Dec 6, 2018

github-actions bot pushed a commit that referenced this issue May 25, 2021

Merge pull request #14 from aws/sync-public

27d9393

Sync master with public repo

nappelson mentioned this issue Jul 12, 2021

Add option to enforce kms key_id upon decrypting with AwsKmsCryptographicMaterialsProvider #171

Closed

1 task

texastony closed this as completed Dec 9, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AWS KMS CMP does not provide hook to enforce key ID on decrypt #14

AWS KMS CMP does not provide hook to enforce key ID on decrypt #14

mattsb42-aws commented Apr 26, 2018

AWS KMS CMP does not provide hook to enforce key ID on decrypt #14

AWS KMS CMP does not provide hook to enforce key ID on decrypt #14

Comments

mattsb42-aws commented Apr 26, 2018