From ea50c733234e6a73146c773b7d53d9dfaf2767b4 Mon Sep 17 00:00:00 2001
From: Valerie Lambert
Date: Fri, 15 Jan 2021 11:02:16 -0800
Subject: [PATCH 1/2] chore: Clarify StrictAwsKmsMasterKeyProvider docs

---
 README.rst | 10 +++++-----
 src/aws_encryption_sdk/key_providers/kms.py | 10 +++++++---
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/README.rst b/README.rst
index 50a654273..062cec756 100644
--- a/README.rst
+++ b/README.rst
@@ -116,7 +116,11 @@ StrictAwsKmsMasterKeyProvider
 A ``StrictAwsKmsMasterKeyProvider`` is configured with an explicit list of AWS KMS CMKs with which to encrypt and decrypt data. On encryption, it encrypts the plaintext with all configured CMKs. On decryption, it only attempts to decrypt ciphertexts that have been wrapped
-with one of the configured CMKs.
+with a CMK that matches one of the configured CMK ARNs.
+
+To create a ``StrictAwsKmsMasterKeyProvider`` you must provide one or more CMKs. For providers that will only
+be used for encryption, you can use any valid `KMS key identifier`_. For providers that will be used for decryption, you
+must use the key ARN; key ids, alias names, and alias ARNs are not supported.
 Because the ``StrictAwsKmsMasterKeyProvider`` uses the `boto3 SDK`_ to interact with `AWS KMS`_, it requires AWS Credentials. 
@@ -125,10 +129,6 @@ pre-existing instance of a ``botocore session`` to the ``StrictAwsKmsMasterKeyPr
 This latter option can be useful if you have an alternate way to store your AWS credentials or you want to reuse an existing instance of a botocore session in order to decrease startup costs.
-To create a ``StrictAwsKmsMasterKeyProvider`` you must provide one or more CMKs. For providers that will only
-be used for encryption, you can use any valid `KMS key identifier`_. For providers that will be used for decryption, you
-must use the key ARN; key ids, alias names, and alias ARNs are not supported.
-
 If you configure the the ``StrictAwsKmsMasterKeyProvider`` with multiple CMKs, the `final message`_ will include a copy of the data key encrypted by each configured CMK.
diff --git a/src/aws_encryption_sdk/key_providers/kms.py b/src/aws_encryption_sdk/key_providers/kms.py
index 29a86760a..bdc481be8 100644
--- a/src/aws_encryption_sdk/key_providers/kms.py
+++ b/src/aws_encryption_sdk/key_providers/kms.py 
@@ -228,9 +228,13 @@ def _new_master_key(self, key_id):
 class StrictAwsKmsMasterKeyProvider(BaseKMSMasterKeyProvider):
 """Strict Master Key Provider for KMS. It is configured with an explicit list of AWS KMS master keys that
- should be used for encryption in decryption. On encryption, the plaintext will be encrypted with all configured
- master keys. On decryption, the ciphertext will be decrypted with the first master key that can decrypt. If the
- ciphertext is encrypted with a master key that was not explicitly configured, decryption will fail.
+ should be used for encryption and decryption. On encryption, the plaintext will be encrypted with all configured
+ master keys. On decryption, it only attempts to decrypt ciphertexts that have been wrapped with a CMK that
+ matches one of the configured CMK ARNs. If the ciphertext is encrypted with a master key that was not
+ explicitly configured, decryption will fail. To create a Strict Aws Kms Master Key Provider you must provide
+ one or more CMKs. For providers that will only be used for encryption, you can use any valid KMS key
+ identifier. For providers that will be used for decryption, you must use the key ARN; key ids, alias names, and
+ alias ARNs are not supported.
 >>> import aws_encryption_sdk
 >>> kms_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=[
From 4364b4e2f9bb9c61979ee69018738e1663e76cf1 Mon Sep 17 00:00:00 2001
From: Valerie Lambert
Date: Tue, 26 Jan 2021 16:03:08 -0800
Subject: [PATCH 2/2] PR feedback

---
 src/aws_encryption_sdk/key_providers/kms.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/aws_encryption_sdk/key_providers/kms.py b/src/aws_encryption_sdk/key_providers/kms.py
index bdc481be8..0ff71ff3e 100644
--- a/src/aws_encryption_sdk/key_providers/kms.py
+++ b/src/aws_encryption_sdk/key_providers/kms.py 
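Review bot: The added docstring lines state that key ids, alias names and alias ARNs are not supported for decryption, but not what happens when one is configured anyway — whether construction rejects it or decryption simply never matches and fails later; I would add after `alias ARNs are not supported.` a sentence such as `A provider configured with a non-ARN identifier can still encrypt, but will fail to decrypt messages wrapped under that key, because the identifier is never compared equal to the key ARN recorded in the encrypted data key.` (reworded if construction actually raises instead). The match-on-configured-ARNs rule appears to be the safety property of the strict provider — decryption is only attempted under keys on the configured list, never under a key an incoming message happens to name — and stating that in one sentence would make the reason for the ARN requirement clear to a reader. Separately, the docstring now runs the one-line summary and the details together in a single paragraph; PEP 257 wants the summary line, a blank line, then the details, with the doctest after another blank line. The class body continues outside the hunk.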
@@ -231,7 +231,7 @@ class StrictAwsKmsMasterKeyProvider(BaseKMSMasterKeyProvider):
 should be used for encryption and decryption. On encryption, the plaintext will be encrypted with all configured
 master keys. On decryption, it only attempts to decrypt ciphertexts that have been wrapped with a CMK that
 matches one of the configured CMK ARNs. If the ciphertext is encrypted with a master key that was not
- explicitly configured, decryption will fail. To create a Strict Aws Kms Master Key Provider you must provide
+ explicitly configured, decryption will fail. To create a StrictAwsKmsMasterKeyProvider you must provide
 one or more CMKs. For providers that will only be used for encryption, you can use any valid KMS key
 identifier. For providers that will be used for decryption, you must use the key ARN; key ids, alias names, and
 alias ARNs are not supported.