-
Notifications
You must be signed in to change notification settings - Fork 86
/
Copy pathaws_kms_discovery_multi_keyring_example.py
173 lines (147 loc) · 7.88 KB
/
aws_kms_discovery_multi_keyring_example.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
"""
This example sets up the AWS KMS Discovery Multi Keyring and demonstrates decryption
using a Multi-Keyring containing multiple AWS KMS Discovery Keyrings.
The AWS Encryption SDK provides a standard AWS KMS discovery keyring and a discovery keyring
for AWS KMS multi-Region keys. For information about using multi-Region keys with the
AWS Encryption SDK, see
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/configure.html#config-mrks
Because it doesn't specify any wrapping keys, a discovery keyring can't encrypt data.
If you use a discovery keyring to encrypt data, alone or in a multi-keyring, the encrypt
operation fails.
When decrypting, a discovery keyring allows the AWS Encryption SDK to ask AWS KMS to decrypt
any encrypted data key by using the AWS KMS key that encrypted it, regardless of who owns or
has access to that AWS KMS key. The call succeeds only when the caller has kms:Decrypt
permission on the AWS KMS key.
This example creates a KMS Keyring and then encrypts a custom input EXAMPLE_DATA
with an encryption context. This encrypted ciphertext is then decrypted using the Discovery Multi
keyring. This example also includes some sanity checks for demonstration:
1. Ciphertext and plaintext data are not the same
2. Encryption context is correct in the decrypted message header
3. Decrypted plaintext value matches EXAMPLE_DATA
These sanity checks are for demonstration in the example only. You do not need these in your code.
For more information on how to use KMS Discovery keyrings, see
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html#kms-keyring-discovery
"""
import sys
import boto3
from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders
from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig
from aws_cryptographic_materialproviders.mpl.models import (
CreateAwsKmsDiscoveryMultiKeyringInput,
CreateAwsKmsKeyringInput,
DiscoveryFilter,
)
from aws_cryptographic_materialproviders.mpl.references import IKeyring
from typing import Dict
import aws_encryption_sdk
from aws_encryption_sdk import CommitmentPolicy
# TODO-MPL: Remove this as part of removing PYTHONPATH hacks.
MODULE_ROOT_DIR = '/'.join(__file__.split("/")[:-1])
sys.path.append(MODULE_ROOT_DIR)
EXAMPLE_DATA: bytes = b"Hello World"
def encrypt_and_decrypt_with_keyring(
kms_key_id: str,
aws_account_id: str,
aws_regions: list[str]
):
"""Demonstrate an encrypt/decrypt cycle using an AWS KMS Discovery Multi Keyring.
Usage: encrypt_and_decrypt_with_keyring(kms_key_id, aws_account_id, aws_regions)
:param kms_key_id: KMS Key identifier for the KMS key you want to use for creating
the kms_keyring used for encryption
:type kms_key_id: string
:param aws_account_id: AWS Account ID to use in the discovery filter
:type aws_account_id: string
:param aws_regions: List of AWS Regions to use for creating the discovery multi keyring
:type aws_regions: list[string]
For more information on KMS Key identifiers, see
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id
"""
# 1. Instantiate the encryption SDK client.
# This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy,
# which enforces that this client only encrypts using committing algorithm suites and enforces
# that this client will only decrypt encrypted messages that were created with a committing
# algorithm suite.
# This is the default commitment policy if you were to build the client as
# `client = aws_encryption_sdk.EncryptionSDKClient()`.
client = aws_encryption_sdk.EncryptionSDKClient(
commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
)
# 2. Create a boto3 client for KMS.
kms_client = boto3.client('kms', region_name="us-west-2")
# 3. Create encryption context.
# Remember that your encryption context is NOT SECRET.
# For more information, see
# https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
encryption_context: Dict[str, str] = {
"encryption": "context",
"is not": "secret",
"but adds": "useful metadata",
"that can help you": "be confident that",
"the data you are handling": "is what you think it is",
}
# 4. Create the keyring that determines how your data keys are protected.
# Although this example highlights Discovery keyrings, Discovery keyrings cannot
# be used to encrypt, so for encryption we create a KMS keyring without discovery mode.
mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(
config=MaterialProvidersConfig()
)
kms_keyring_input: CreateAwsKmsKeyringInput = CreateAwsKmsKeyringInput(
kms_key_id=kms_key_id,
kms_client=kms_client
)
encrypt_kms_keyring: IKeyring = mat_prov.create_aws_kms_keyring(
input=kms_keyring_input
)
# 5. Encrypt the data with the encryptionContext
ciphertext, _ = client.encrypt(
source=EXAMPLE_DATA,
keyring=encrypt_kms_keyring,
encryption_context=encryption_context
)
# 6. Demonstrate that the ciphertext and plaintext are different.
# (This is an example for demonstration; you do not need to do this in your own code.)
assert ciphertext != EXAMPLE_DATA, \
"Ciphertext and plaintext data are the same. Invalid encryption"
# 7. Now create a Discovery Multi keyring to use for decryption. We'll add a discovery filter
# so that we limit the set of ciphertexts we are willing to decrypt to only ones
# created by KMS keys in our account and partition.
discovery_multi_keyring_input: CreateAwsKmsDiscoveryMultiKeyringInput = \
CreateAwsKmsDiscoveryMultiKeyringInput(
regions=aws_regions,
discovery_filter=DiscoveryFilter(
account_ids=[aws_account_id],
partition="aws"
)
)
# This is a Multi Keyring composed of Discovery Keyrings.
# There is a keyring for every region in `regions`.
# All the keyrings have the same Discovery Filter.
# Each keyring has its own KMS Client, which is created for the keyring's region.
discovery_multi_keyring: IKeyring = mat_prov.create_aws_kms_discovery_multi_keyring(
input=discovery_multi_keyring_input
)
# 8. On Decrypt, the header of the encrypted message (ciphertext) will be parsed.
# The header contains the Encrypted Data Keys (EDKs), which, if the EDK
# was encrypted by a KMS Keyring, includes the KMS Key ARN.
# For each member of the Multi Keyring, every EDK will try to be decrypted until a decryption
# is successful.
# Since every member of the Multi Keyring is a Discovery Keyring:
# Each Keyring will filter the EDKs by the Discovery Filter
# For the filtered EDKs, the keyring will try to decrypt it with the keyring's client.
# All of this is done serially, until a success occurs or all keyrings have
# failed all (filtered) EDKs.
# KMS Discovery Keyrings will attempt to decrypt Multi Region Keys (MRKs) and regular KMS Keys.
plaintext_bytes, dec_header = client.decrypt(
source=ciphertext,
keyring=discovery_multi_keyring
)
# 9. Demonstrate that the encryption context is correct in the decrypted message header
# (This is an example for demonstration; you do not need to do this in your own code.)
for k, v in encryption_context.items():
assert v == dec_header.encryption_context[k], \
"Encryption context does not match expected values"
# 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
# (This is an example for demonstration; you do not need to do this in your own code.)
assert plaintext_bytes == EXAMPLE_DATA