-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AwsKmsCryptographicMaterialsProvider Design/Behavior Improvements #176
Comments
Related Java Issue: aws/aws-dynamodb-encryption-java#151 |
Thanks @lavaleri - do you have any suggestions for us while using the library in its current state to enforce the key_id? Is there some further validation we could do? |
Hi @nappelson, Unfortunately there isn't a workaround to enforce the use of a
|
Problem:
The correct behavior of the DirectKMSMaterialProvider is to use the configured CMK on encrypt, and to let KMS determine the correct CMK to use on Decrypt (this is a common KMS pattern, as KMS ciphertext stores the CMK used as metadata).
However, this behavior for DirectKMSMaterialProvider is potentially confusing, as customers may expect that the CMK configured on the CMP is also "used" to decrypt, and may be surprised if decryption succeeds even though the configured CMK was not the CMK used to encrypt the data.
Solution:
Since the original DirectKMSMaterialProvider was designed, KMS has introduced a
keyId
param on Decrypt that ensures the call fails if a different key was used to encrypt the ciphertext.We should consider either updating or replacing the DirectKMSMaterialProvider to allow enforcing a particular key on decrypt, similar to the Strict vs. Discovery modes expressed by the AWS Encryption SDK's Keyrings and Master Key Providers.
Our new design should:
The text was updated successfully, but these errors were encountered: