1.0.0
-
1.0.0
- Initial record
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
This document describes a set of data used in the initialization of the DynamoDb Item Encryptor as well as the AWS SDK integration with DDB. This data describes how items in a specific DynamoDb Table should be encrypted and decrypted.
The physical DynamoDB Table Name is REQUIRED to be associated with the DynamoDb Table Encryption Configuration.
The following are REQUIRED for DynamoDb Table Encryption Configuration:
The following are OPTIONAL for DynamoDb Table Encryption Configuration:
- DynamoDB Sort Key Name
- Unauthenticated Attributes
- Unauthenticated Attribute Name Prefix
- Algorithm Suite
- Legacy Config
- Plaintext Policy
- Searchable Encryption Config
A Legacy Config and a Plaintext Policy both specified on the same config is invalid, and MUST result in an error.
A Searchable Encryption Config and either a Legacy Config or a Plaintext Policy being specified on the same config is invalid, and MUST result in an error.
The name of the DynamoDB Table where the DynamoDB Items to be decrypted or encrypted are stored or intended to be stored.
This Table Name MUST be a valid DynamoDB Table Name.
If this config is being organized with other table configs in a map, this value MAY exist as a key value to identify other data in this config, instead of existing alongside this data in the same object. We specify this data instead of specifying a more complex but consistent structure in order to give us flexibility for providing the simplest customer experience. Also in the case of a restore from backup, this physical name may not match the logical name for the data stored. So a logical table name exists.
The logical name for the DynamoDB Table. This value can match the DynamoDB Table Name but does not need to. This name is cryptographically bound to all data stored in this table. In the case of a restore from backup the DynamoDB Table Name can change to a new name, but this name must remain the same.
When mapping DynamoDB Table Names to logical table name there MUST a one to one mapping between the two. The purpose of the logical name is to simplify restore type operations, not make it easier to confuse what data comes from what physical table.
The DynamoDB Partition Key Name is the attribute name of the partition key of the DynamoDB Table identified by the input DynamoDB Table Name.
This Partition Key Name MUST be a valid DynamoDB Key Schema Attribute Name
The DynamoDB Sort Key Name is the attribute name of the sort key of the DynamoDB Table identified by the input DynamoDB Table Name.
This Sort Key Name MUST be a valid DynamoDB Key Schema Attribute Name
If any of the Attribute Actions are configured as SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT then the configuration version MUST be 2; otherwise, the configuration version MUST be 1.
if the configuration version is 2, then the key action MUST be SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT; otherwise, the key action MUST be SIGN_ONLY.
Attribute Actions is a map of attribute names to Crypto Actions that describes what Crypto Action applies to a particular attribute (if it exists) during encryption.
The Key Action MUST be configured to the partition attribute and, if present, sort attribute.
A CMM that implements the CMM interface that is responsible for obtaining materials for encryption and decryption.
If not supplied during initialization, the CMM considered "configured" to this Item Encryptor MUST be a default CMM constructed using the supplied keyring as input.
A Keyring that implements the keyring interface.
Unauthenticated Attributes MUST be a set of Attribute Names. With Unauthenticated Attribute Prefix, This identifies Attributes within this table that are not authenticated during decryption.
Unauthenticated Attribute Prefix MUST be a string. With Unauthenticated Attributes, This identifies Attributes within this table that are not authenticated during decryption.
The algorithm suite that SHOULD be used for encryption.
This algorithm suite MUST be a Structured Encryption Library Supported algorithm suite.
A configuration that specifies whether items written in a legacy format in this table are allowed to be decrypted, how those items should be decrypted, and whether new items should be encrypted using the legacy format.
This config MUST contain:
The DynamoDbEncryptor for Java.
A map of attribute names to Crypto Actions, that describes what Crypto Action applies to a particular attribute on any items written in the legacy format.
This map MAY be different from the top level Attribute Actions.
An enum that represent three different ways in which the legacy format should be used with this table.
- FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT: On encrypt, items are encrypted using the legacy format, using the legacy configuration as input. On decrypt, items written by the legacy format are attempted to be decrypted using the legacy configuration. All other items are attempted to be decrypted using the normal decrypt path.
- FORBID_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT: On encrypt, items are encrypted using the normal encrypt path. On decrypt, items written by the legacy format are attempted to be decrypted using the legacy configuration. All other items are attempted to be decrypted using the normal decrypt path.
- FORBID_LEGACY_ENCRYPT_FORBID_LEGACY_DECRYPT: On encrypt, items are encrypted using the normal encrypt path. On decrypt, items written by the legacy format result in a failure. All other items are attempted to be decrypted using the normal decrypt path.
An enum that indicates whether plaintext is allowed to be read or written to this table:
- FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ: On write, items are written as plaintext. On read, plaintext items are passed-through and all other items are attempted to be decrypted.
- FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ: On write, items are encrypted. On read, plaintext items are passed-through and all other items are attempted to be decrypted.
- FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ: On write, items are encrypted. On read, attempt to decrypt all items.
If not specified, encryption and decryption MUST behave according to FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ.