DynamoDB: can we use encryption and inter-regional replication together?

We are evaluating DynamoDB for our new application. Our requirements:

  • Encryption at rest
  • Cross-region replication for disaster recovery. Our application in a given region should rely only on services in that region.

Each requirement can be met on its own using the Java libraries provided by AWS. Solutions:

However, we are not sure that these solutions can work together. We are concerned that we will not be able to decrypt records that have been replicated to another region. The client-side encryption solution recommends setting up a key hierarchy with a KMS-managed key at the root. KMS is region-specific, so we cannot decrypt records if we replicate them to another region: the encryption key is not available there.

Questions:

  • Is it true that encrypted, cross-region replicated records are not possible if the encryption key is in KMS?
  • Is there a recommended approach for replicating encrypted DynamoDB records? Has anyone done this before?
  • Are there any alternatives we should look at?
1 answer

You're right. As it stands, this setup will not work, since KMS keys cannot be shared between regions.

Let's say you copy data from region R1 to R2, which have KMS keys K1 and K2, respectively. I can offer the following options:

  • Modify the library slightly so that it decrypts data from R1 using K1 and re-encrypts it using K2 during replication. The class you are interested in is DynamoDBStreamsRecordTransformer.
  • Import your own key material into both R1 and R2. Check the relevant documentation here.
    • Caution: this can be operationally painful, depending on your use case.

Update: adding your thoughts so that they help someone who stumbles on this question in the future:

  1. Create your own plaintext key (possibly using the KMS GenerateRandom API), encrypt it using K1 and K2 (using the Encrypt API) and store the resulting ciphertexts along with your data in both regions.
    • Caution: cross-region calls on every update. With option #1, updates are asynchronous.
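The following is an added example, not code from the question, the answer, or the AWS libraries they mention. It illustrates the two workable patterns the answer describes: wrapping a per-item data key once under each region's KMS key and storing both ciphertexts with the item (the update's option), and re-wrapping the data key from K1 to K2 while a record is being replicated (the first option; the `rewrap_for_region` function below plays the role a modified stream transformer would, it is not the `DynamoDBStreamsRecordTransformer` class). Because real KMS cannot be called offline, KMS is replaced by a `FakeRegionalKms` stand-in whose decrypt only works with that region's own key, and the record cipher is a standard-library HMAC-SHA256 counter-mode stream with an HMAC tag; both are assumptions for the demo, as are the table and attribute names. Production code would call KMS and use AES-GCM.

```python
"""Envelope encryption for a DynamoDB item replicated from region R1 to R2.
Added example: FakeRegionalKms stands in for KMS (decrypt only works with the
region's own key) and seal/unseal is a stdlib-only demo AEAD, not AES-GCM."""
import hashlib
import hmac
import json
import os

TABLE = "orders"              # assumed table name
WRAPPED = "wrapped_data_key"  # assumed attribute: {region: KMS-wrapped data key}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; demo cipher only."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; AAD is bound into the tag. Returns nonce || ct || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verifies the tag before decrypting; a wrong key or wrong AAD raises."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _encode_context(context: dict) -> bytes:
    """Canonical encoding, in the spirit of a KMS EncryptionContext."""
    return "&".join(f"{k}={v}" for k, v in sorted(context.items())).encode()


def _item_context(record: dict, pk_name: str) -> dict:
    return {"table": TABLE, "pk": str(record[pk_name])}


class FakeRegionalKms:
    """One region's KMS: a single CMK that never leaves this object."""
    def __init__(self, region: str):
        self.region, self._cmk = region, os.urandom(32)

    def encrypt(self, plaintext: bytes, context: dict) -> bytes:
        return seal(self._cmk, plaintext, _encode_context(context))

    def decrypt(self, blob: bytes, context: dict) -> bytes:
        return unseal(self._cmk, blob, _encode_context(context))


def encrypt_item(item: dict, pk_name: str, kms_by_region: dict) -> dict:
    """Fresh data key per item; wrap it once under every region's CMK given."""
    data_key, context = os.urandom(32), _item_context(item, pk_name)
    record = {pk_name: item[pk_name]}
    for name, value in item.items():
        if name != pk_name:  # bind each attribute's ciphertext to item + attribute name
            record[name] = seal(data_key, json.dumps(value).encode(), _encode_context(context) + name.encode())
    record[WRAPPED] = {region: kms.encrypt(data_key, context) for region, kms in kms_by_region.items()}
    return record


def decrypt_item(record: dict, pk_name: str, kms: FakeRegionalKms) -> dict:
    """Unwrap with the local region's KMS only: no cross-region dependency at read time."""
    if kms.region not in record[WRAPPED]:
        raise KeyError(f"no data key wrapped for region {kms.region}")
    context = _item_context(record, pk_name)
    data_key = kms.decrypt(record[WRAPPED][kms.region], context)
    item = {pk_name: record[pk_name]}
    for name, blob in record.items():
        if name not in (pk_name, WRAPPED):
            item[name] = json.loads(unseal(data_key, blob, _encode_context(context) + name.encode()))
    return item


def rewrap_for_region(record: dict, pk_name: str, src: FakeRegionalKms, dst: FakeRegionalKms) -> dict:
    """Replication-time step: unwrap with K1, wrap with K2, attributes stay as they are."""
    context = _item_context(record, pk_name)
    data_key = src.decrypt(record[WRAPPED][src.region], context)
    return {**record, WRAPPED: {**record[WRAPPED], dst.region: dst.encrypt(data_key, context)}}


def demo() -> dict:
    """Runs both patterns on a constructed item and reports what was observed."""
    r1, r2 = FakeRegionalKms("us-east-1"), FakeRegionalKms("eu-west-1")
    item = {"order_id": "o-1001", "customer": "alice", "total_cents": 4599}
    results = {}
    # Both wrapped keys stored with the item: R2 reads it with its own KMS.
    rec_both = encrypt_item(item, "order_id", {r1.region: r1, r2.region: r2})
    results["both_regions_decrypt_in_r2"] = decrypt_item(rec_both, "order_id", r2) == item
    try:  # K2 cannot unwrap the K1 ciphertext: the region boundary from the question
        r2.decrypt(rec_both[WRAPPED][r1.region], _item_context(rec_both, "order_id"))
        results["cross_region_blob_rejected"] = False
    except ValueError:
        results["cross_region_blob_rejected"] = True
    # Wrapped only for R1: unreadable in R2 until a replication step re-wraps under K2.
    rec_r1 = encrypt_item(item, "order_id", {r1.region: r1})
    try:
        decrypt_item(rec_r1, "order_id", r2)
        results["r1_only_missing_in_r2"] = False
    except KeyError:
        results["r1_only_missing_in_r2"] = True
    rec_rewrapped = rewrap_for_region(rec_r1, "order_id", r1, r2)
    results["rewrapped_decrypts_in_r2"] = decrypt_item(rec_rewrapped, "order_id", r2) == item
    return results
```

The storage cost of the first pattern is one extra wrapped key per region (a few dozen bytes each under real KMS), and every write must call KMS in each region, which is the cross-region, synchronous cost the answer's caution points at; the re-wrapping pattern keeps writes local and moves the KMS work into the asynchronous replication path, at the price of a custom transformer that handles the R1 key material in transit.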

Source: https://habr.com/ru/post/1259517/