ddb-item-encryptor.md

DynamoDB Item Encryptor

Version

1.0.0

Changelog

• 1.0.0

  • Initial record

Definitions

Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Overview

This document describes the behavior for the DynamoDB Item Encryptor. It is responsible for the encryption and decryption of DynamoDB Items for a particular DynamoDB Table. The DynamoDB Item Encryptor is publicly exposed and is used to directly encrypt or decrypt DynamoDB Items outside of DynamoDB API calls.

Initialization

On initialization of the DynamoDB Item Encryptor the caller MUST provide:

• DynamoDB Table Name
• DynamoDB Partition Key Name
• Attribute Actions
• A CMM or Keyring

The following are OPTIONAL for the DynamoDB Item Encryptor:

• DynamoDB Sort Key Name
• Unauthenticated Attributes
• Unauthenticated Attribute Name Prefix
• Algorithm Suite
• Legacy Config
• Plaintext Policy

Operation

EncryptItem

The DynamoDB Item Encryptor MUST provide a function that adheres to EncryptItem.

DecryptItem

The DynamoDB Item Encryptor MUST provide a function that adheres to DecryptItem.