From 9187a089a4d062aab3a1a16127bf9c9618568b00 Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Wed, 1 May 2024 14:06:37 -0700 Subject: [PATCH 1/7] mrk --- .../keyrings/aws_kms_mrk_keyring_example.py | 120 ++++++++++++++++++ .../test_i_aws_kms_mrk_keyring_example.py | 14 ++ 2 files changed, 134 insertions(+) create mode 100644 examples/src/keyrings/aws_kms_mrk_keyring_example.py create mode 100644 examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py diff --git a/examples/src/keyrings/aws_kms_mrk_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_keyring_example.py new file mode 100644 index 000000000..4333f097a --- /dev/null +++ b/examples/src/keyrings/aws_kms_mrk_keyring_example.py @@ -0,0 +1,120 @@ +# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +""" +This example sets up the KMS MRK Keyring + +KMS MRK keyring interacts with AWS Key Management Service (AWS KMS) to create, encrypt, +and decrypt data keys using AWS KMS defined Customer Master Keys (CMKs). +This example creates a KMS MRK Keyring and then encrypts a custom input EXAMPLE_DATA +with an encryption context. This example also includes some sanity checks for demonstration: +1. Ciphertext and plaintext data are not the same +2. Encryption context is correct in the decrypted message header +3. Decrypted plaintext value matches EXAMPLE_DATA +These sanity checks are for demonstration in the example only. You do not need these in your code. + +AWS KMS MRK keyrings can be used independently or in a multi-keyring with other keyrings +of the same or a different type. + +For more information on how to use KMS keyrings, see +https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html +""" +import sys + +import boto3 +from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders +from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig +from aws_cryptographic_materialproviders.mpl.models import CreateAwsKmsKeyringInput +from aws_cryptographic_materialproviders.mpl.references import IKeyring +from typing import Dict + +import aws_encryption_sdk +from aws_encryption_sdk import CommitmentPolicy + +# TODO-MPL: Remove this as part of removing PYTHONPATH hacks. +MODULE_ROOT_DIR = '/'.join(__file__.split("/")[:-1]) + +sys.path.append(MODULE_ROOT_DIR) + +EXAMPLE_DATA: bytes = b"Hello World" + + +def encrypt_and_decrypt_with_keyring( + kms_key_id: str +): + """Demonstrate an encrypt/decrypt cycle using an AWS KMS keyring. + + Usage: encrypt_and_decrypt_with_keyring(kms_key_id) + :param kms_key_id: KMS Key identifier for the KMS key you want to use for encryption and + decryption of your data keys. + :type kms_key_id: string + + For more information on KMS Key identifiers, see + https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id + """ + # 1. Instantiate the encryption SDK client. + # This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy, + # which enforces that this client only encrypts using committing algorithm suites and enforces + # that this client will only decrypt encrypted messages that were created with a committing + # algorithm suite. + # This is the default commitment policy if you were to build the client as + # `client = aws_encryption_sdk.EncryptionSDKClient()`. + client = aws_encryption_sdk.EncryptionSDKClient( + commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT + ) + + # 2. Create a boto3 client for KMS. + kms_client = boto3.client('kms', region_name="us-west-2") + + # 3. Create encryption context. + # Remember that your encryption context is NOT SECRET. + # For more information, see + # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context + encryption_context: Dict[str, str] = { + "encryption": "context", + "is not": "secret", + "but adds": "useful metadata", + "that can help you": "be confident that", + "the data you are handling": "is what you think it is", + } + + # 4. Create a keyring that will encrypt your data, using a KMS MRK key in the first region.– + mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders( + config=MaterialProvidersConfig() + ) + + keyring_input: CreateAwsKmsKeyringInput = CreateAwsKmsKeyringInput( + kms_key_id=kms_key_id, + kms_client=kms_client + ) + + kms_keyring: IKeyring = mat_prov.create_aws_kms_keyring( + input=keyring_input + ) + + # 5. Encrypt the data for the encryptionContext. + ciphertext, _ = client.encrypt( + source=EXAMPLE_DATA, + keyring=kms_keyring, + encryption_context=encryption_context + ) + + # 6. Demonstrate that the ciphertext and plaintext are different. + # (This is an example for demonstration; you do not need to do this in your own code.) + assert ciphertext != EXAMPLE_DATA, \ + "Ciphertext and plaintext data are the same. Invalid encryption" + + # 7. Decrypt your encrypted data using the same keyring you used on encrypt. + plaintext_bytes, dec_header = client.decrypt( + source=ciphertext, + keyring=kms_keyring + ) + + # 8. Demonstrate that the encryption context is correct in the decrypted message header + # (This is an example for demonstration; you do not need to do this in your own code.) + for k, v in encryption_context.items(): + assert v == dec_header.encryption_context[k], \ + "Encryption context does not match expected values" + + # 9. Demonstrate that the decrypted plaintext is identical to the original plaintext. + # (This is an example for demonstration; you do not need to do this in your own code.) + assert plaintext_bytes == EXAMPLE_DATA diff --git a/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py b/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py new file mode 100644 index 000000000..679aad94d --- /dev/null +++ b/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py @@ -0,0 +1,14 @@ +# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +"""Test suite for the AWS KMS MRK keyring example.""" +import pytest + +from ...src.keyrings.aws_kms_mrk_keyring_example import encrypt_and_decrypt_with_keyring + +pytestmark = [pytest.mark.examples] + + +def test_encrypt_and_decrypt_with_keyring(): + """Test function for encrypt and decrypt using the AWS KMS MRK Keyring example.""" + kms_key_id = "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f" + encrypt_and_decrypt_with_keyring(kms_key_id) From 05abfa9823014fe37407affae45671f6f6825b74 Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Thu, 2 May 2024 16:07:45 -0700 Subject: [PATCH 2/7] fix mrk --- .../keyrings/aws_kms_mrk_keyring_example.py | 75 ++++++++++++++----- .../test_i_aws_kms_mrk_keyring_example.py | 7 +- 2 files changed, 60 insertions(+), 22 deletions(-) diff --git a/examples/src/keyrings/aws_kms_mrk_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_keyring_example.py index 4333f097a..07a200051 100644 --- a/examples/src/keyrings/aws_kms_mrk_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_keyring_example.py @@ -23,7 +23,7 @@ import boto3 from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig -from aws_cryptographic_materialproviders.mpl.models import CreateAwsKmsKeyringInput +from aws_cryptographic_materialproviders.mpl.models import CreateAwsKmsMrkKeyringInput from aws_cryptographic_materialproviders.mpl.references import IKeyring from typing import Dict @@ -38,15 +38,31 @@ EXAMPLE_DATA: bytes = b"Hello World" +def get_aws_region_from_kms_key_id(kms_key_id: str) -> str: + """ + Get the AWS Region from the KMS Key ID. + Usage: get_aws_region_from_kms_key_id(kms_key_id) + :param kms_key_id: KMS Key identifier for the KMS key you want to use + :type kms_key_id: string + :return: AWS Region + :rtype: string + """ + return kms_key_id.split(":")[3] + + def encrypt_and_decrypt_with_keyring( - kms_key_id: str + encrypt_kms_key_id: str, + decrypt_kms_key_id: str, ): """Demonstrate an encrypt/decrypt cycle using an AWS KMS keyring. - Usage: encrypt_and_decrypt_with_keyring(kms_key_id) - :param kms_key_id: KMS Key identifier for the KMS key you want to use for encryption and - decryption of your data keys. - :type kms_key_id: string + Usage: encrypt_and_decrypt_with_keyring(encrypt_kms_key_id, decrypt_kms_key_id) + :param encrypt_kms_key_id: KMS Key identifier for the KMS key you want to use + for encryption of your data keys. + :type encrypt_kms_key_id: string + :param decrypt_kms_key_id: KMS Key identifier for the KMS key you want to use + for decryption of your data keys. + :type decrypt_kms_key_id: string For more information on KMS Key identifiers, see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id @@ -62,10 +78,7 @@ def encrypt_and_decrypt_with_keyring( commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) - # 2. Create a boto3 client for KMS. - kms_client = boto3.client('kms', region_name="us-west-2") - - # 3. Create encryption context. + # 2. Create encryption context. # Remember that your encryption context is NOT SECRET. # For more information, see # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context @@ -77,36 +90,58 @@ def encrypt_and_decrypt_with_keyring( "the data you are handling": "is what you think it is", } - # 4. Create a keyring that will encrypt your data, using a KMS MRK key in the first region.– + # 3. Create a keyring that will encrypt your data, using a KMS MRK key in the first region. mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders( config=MaterialProvidersConfig() ) - keyring_input: CreateAwsKmsKeyringInput = CreateAwsKmsKeyringInput( - kms_key_id=kms_key_id, - kms_client=kms_client + # Create a boto3 client for KMS in the first region. + encrypt_region: str = get_aws_region_from_kms_key_id(encrypt_kms_key_id) + encrypt_kms_client = boto3.client('kms', region_name=encrypt_region) + + encrypt_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput( + kms_key_id=encrypt_kms_key_id, + kms_client=encrypt_kms_client ) - kms_keyring: IKeyring = mat_prov.create_aws_kms_keyring( - input=keyring_input + encrypt_keyring: IKeyring = mat_prov.create_aws_kms_mrk_keyring( + input=encrypt_keyring_input ) - # 5. Encrypt the data for the encryptionContext. + # 4. Encrypt the data with the encryptionContext using the encrypt_keyring. ciphertext, _ = client.encrypt( source=EXAMPLE_DATA, - keyring=kms_keyring, + keyring=encrypt_keyring, encryption_context=encryption_context ) - # 6. Demonstrate that the ciphertext and plaintext are different. + # 5. Demonstrate that the ciphertext and plaintext are different. # (This is an example for demonstration; you do not need to do this in your own code.) assert ciphertext != EXAMPLE_DATA, \ "Ciphertext and plaintext data are the same. Invalid encryption" + # 6. Create a keyring that will decrypt your data, using the same KMS MRK key replicated + # to the second region. This example assumes you have already replicated your key + # For more info on this, see the KMS documentation: + # https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html + + # Create a boto3 client for KMS in the second region. + decrypt_region: str = get_aws_region_from_kms_key_id(decrypt_kms_key_id) + decrypt_kms_client = boto3.client('kms', region_name=decrypt_region) + + decrypt_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput( + kms_key_id=decrypt_kms_key_id, + kms_client=decrypt_kms_client + ) + + decrypt_keyring: IKeyring = mat_prov.create_aws_kms_mrk_keyring( + input=decrypt_keyring_input + ) + # 7. Decrypt your encrypted data using the same keyring you used on encrypt. plaintext_bytes, dec_header = client.decrypt( source=ciphertext, - keyring=kms_keyring + keyring=decrypt_keyring ) # 8. Demonstrate that the encryption context is correct in the decrypted message header diff --git a/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py b/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py index 679aad94d..aa33b3745 100644 --- a/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py +++ b/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py @@ -10,5 +10,8 @@ def test_encrypt_and_decrypt_with_keyring(): """Test function for encrypt and decrypt using the AWS KMS MRK Keyring example.""" - kms_key_id = "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f" - encrypt_and_decrypt_with_keyring(kms_key_id) + encrypt_kms_key_id = \ + "arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7" + decrypt_kms_key_id = \ + "arn:aws:kms:eu-west-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7" + encrypt_and_decrypt_with_keyring(encrypt_kms_key_id, decrypt_kms_key_id) From 9297b8b3f6358b2c7a7f35088bbf5e54f023ddcf Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Thu, 2 May 2024 17:17:46 -0700 Subject: [PATCH 3/7] added kms mrk and mrk multi keyrings --- .../keyrings/aws_kms_mrk_keyring_example.py | 25 +-- .../aws_kms_mrk_multi_keyring_example.py | 173 ++++++++++++++++++ .../test_i_aws_kms_mrk_keyring_example.py | 7 +- ...est_i_aws_kms_mrk_multi_keyring_example.py | 20 ++ 4 files changed, 209 insertions(+), 16 deletions(-) create mode 100644 examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py create mode 100644 examples/test/keyrings/test_i_aws_kms_mrk_multi_keyring_example.py diff --git a/examples/src/keyrings/aws_kms_mrk_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_keyring_example.py index 07a200051..316b5479f 100644 --- a/examples/src/keyrings/aws_kms_mrk_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_keyring_example.py @@ -38,31 +38,28 @@ EXAMPLE_DATA: bytes = b"Hello World" -def get_aws_region_from_kms_key_id(kms_key_id: str) -> str: - """ - Get the AWS Region from the KMS Key ID. - Usage: get_aws_region_from_kms_key_id(kms_key_id) - :param kms_key_id: KMS Key identifier for the KMS key you want to use - :type kms_key_id: string - :return: AWS Region - :rtype: string - """ - return kms_key_id.split(":")[3] - - def encrypt_and_decrypt_with_keyring( encrypt_kms_key_id: str, decrypt_kms_key_id: str, + encrypt_region: str, + decrypt_region: str ): """Demonstrate an encrypt/decrypt cycle using an AWS KMS keyring. - Usage: encrypt_and_decrypt_with_keyring(encrypt_kms_key_id, decrypt_kms_key_id) + Usage: encrypt_and_decrypt_with_keyring(encrypt_kms_key_id, + decrypt_kms_key_id, + encrypt_region, + decrypt_region) :param encrypt_kms_key_id: KMS Key identifier for the KMS key you want to use for encryption of your data keys. :type encrypt_kms_key_id: string :param decrypt_kms_key_id: KMS Key identifier for the KMS key you want to use for decryption of your data keys. :type decrypt_kms_key_id: string + :param encrypt_region: AWS Region for encryption of your data keys + :type encrypt_region: string + :param decrypt_region: AWS Region for decryption of your data keys + :type decrypt_region: string For more information on KMS Key identifiers, see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id @@ -96,7 +93,6 @@ def encrypt_and_decrypt_with_keyring( ) # Create a boto3 client for KMS in the first region. - encrypt_region: str = get_aws_region_from_kms_key_id(encrypt_kms_key_id) encrypt_kms_client = boto3.client('kms', region_name=encrypt_region) encrypt_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput( @@ -126,7 +122,6 @@ def encrypt_and_decrypt_with_keyring( # https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html # Create a boto3 client for KMS in the second region. - decrypt_region: str = get_aws_region_from_kms_key_id(decrypt_kms_key_id) decrypt_kms_client = boto3.client('kms', region_name=decrypt_region) decrypt_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput( diff --git a/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py new file mode 100644 index 000000000..7063de345 --- /dev/null +++ b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py @@ -0,0 +1,173 @@ +# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +""" +This example sets up the KMS MRK Multi Keyring + +KMS MRK keyring interacts with AWS Key Management Service (AWS KMS) to create, encrypt, +and decrypt data keys using AWS KMS defined Customer Master Keys (CMKs). +This example creates a KMS MRK Keyring and then encrypts a custom input EXAMPLE_DATA +with an encryption context. This example also includes some sanity checks for demonstration: +1. Ciphertext and plaintext data are not the same +2. Encryption context is correct in the decrypted message header +3. Decrypted plaintext value matches EXAMPLE_DATA +4. Ciphertext can be decrypted using an AwsKmsMrkKeyring containing a replica of the + MRK key (from the multi-keyring used for encryption) copied from the first region into + the second region +These sanity checks are for demonstration in the example only. You do not need these in your code. + +For more information on how to use KMS keyrings, see +https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html +""" +import sys + +import boto3 +from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders +from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig +from aws_cryptographic_materialproviders.mpl.models import CreateAwsKmsMrkKeyringInput, CreateAwsKmsMrkMultiKeyringInput +from aws_cryptographic_materialproviders.mpl.references import IKeyring +from typing import Dict + +import aws_encryption_sdk +from aws_encryption_sdk import CommitmentPolicy + +# TODO-MPL: Remove this as part of removing PYTHONPATH hacks. +MODULE_ROOT_DIR = '/'.join(__file__.split("/")[:-1]) + +sys.path.append(MODULE_ROOT_DIR) + +EXAMPLE_DATA: bytes = b"Hello World" + + +def encrypt_and_decrypt_with_keyring( + mrk_key_id: str, + kms_key_id: str, + mrk_replica_key_id: str, + second_region: str +): + """Demonstrate an encrypt/decrypt cycle using a Multi-Keyring made + up of multiple AWS KMS MRK Keyrings + + Usage: encrypt_and_decrypt_with_keyring(mrk_key_id, + kms_key_id, + mrk_replica_key_id, + second_region) + :param mrk_key_id: KMS Key identifier for an AWS KMS multi-Region key (MRK) located in your + default region + :type mrk_key_id: string + :param kms_key_id: KMS Key identifier for a KMS key, possibly located in a different region + than the MRK key + :type kms_key_id: string + :param mrk_replica_key_id: KMS Key identifier for an MRK that is a replica of the + `mrk_key_id` in a second region. + :type mrk_replica_key_id: string + :param second_region: The second region where the MRK replica is located + :type second_region: string + + For more information on KMS Key identifiers, see + https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id + """ + # 1. Instantiate the encryption SDK client. + # This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy, + # which enforces that this client only encrypts using committing algorithm suites and enforces + # that this client will only decrypt encrypted messages that were created with a committing + # algorithm suite. + # This is the default commitment policy if you were to build the client as + # `client = aws_encryption_sdk.EncryptionSDKClient()`. + client = aws_encryption_sdk.EncryptionSDKClient( + commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT + ) + + # 2. Create encryption context. + # Remember that your encryption context is NOT SECRET. + # For more information, see + # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context + encryption_context: Dict[str, str] = { + "encryption": "context", + "is not": "secret", + "but adds": "useful metadata", + "that can help you": "be confident that", + "the data you are handling": "is what you think it is", + } + + # 3. Create an AwsKmsMrkMultiKeyring that protects your data under two different KMS Keys. + # The Keys can either be regular KMS keys or MRKs. + # Either KMS Key individually is capable of decrypting data encrypted under this keyring. + mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders( + config=MaterialProvidersConfig() + ) + + kms_mrk_multi_keyring_input: CreateAwsKmsMrkMultiKeyringInput =\ + CreateAwsKmsMrkMultiKeyringInput( + generator=mrk_key_id, + kms_key_ids=[kms_key_id] + ) + + kms_mrk_multi_keyring: IKeyring = mat_prov.create_aws_kms_mrk_multi_keyring( + input=kms_mrk_multi_keyring_input + ) + + # 4. Encrypt the data with the encryptionContext using the kms_mrk_multi_keyring. + ciphertext, _ = client.encrypt( + source=EXAMPLE_DATA, + keyring=kms_mrk_multi_keyring, + encryption_context=encryption_context + ) + + # 5. Demonstrate that the ciphertext and plaintext are different. + # (This is an example for demonstration; you do not need to do this in your own code.) + assert ciphertext != EXAMPLE_DATA, \ + "Ciphertext and plaintext data are the same. Invalid encryption" + + # 6. Decrypt your encrypted data using the same AwsKmsMrkMultiKeyring you used on encrypt. + # It will decrypt the data using the generator KMS key since that is the first available + # KMS key on the keyring that is capable of decrypting the data. + plaintext_bytes, dec_header = client.decrypt( + source=ciphertext, + keyring=kms_mrk_multi_keyring + ) + + # 7. Demonstrate that the encryption context is correct in the decrypted message header + # (This is an example for demonstration; you do not need to do this in your own code.) + for k, v in encryption_context.items(): + assert v == dec_header.encryption_context[k], \ + "Encryption context does not match expected values" + + # 8. Demonstrate that the decrypted plaintext is identical to the original plaintext. + # (This is an example for demonstration; you do not need to do this in your own code.) + assert plaintext_bytes == EXAMPLE_DATA + + # Demonstrate that a single AwsKmsMrkKeyring configured with a replica of the MRK from the + # multi-keyring used to encrypt the data is also capable of decrypting the data. + # Not shown in this example: A KMS Keyring created with `kmsKeyArn` could also + # decrypt this message. + # (This is an example for demonstration; you do not need to do this in your own code.) + + # 9. Create a single AwsKmsMrkKeyring with the replica KMS MRK from the second region. + + # Create a boto3 client for KMS in the second region. + second_region_kms_client = boto3.client('kms', region_name=second_region) + + second_region_mrk_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput( + kms_key_id=mrk_replica_key_id, + kms_client=second_region_kms_client + ) + + second_region_mrk_keyring: IKeyring = mat_prov.create_aws_kms_mrk_keyring( + input=second_region_mrk_keyring_input + ) + + # 10. Decrypt your encrypted data using the second region AwsKmsMrkKeyring + plaintext_bytes_second_region, dec_header_second_region = client.decrypt( + source=ciphertext, + keyring=second_region_mrk_keyring + ) + + # 11. Demonstrate that the encryption context is correct in the decrypted message header + # (This is an example for demonstration; you do not need to do this in your own code.) + for k, v in encryption_context.items(): + assert v == dec_header_second_region.encryption_context[k], \ + "Encryption context does not match expected values" + + # 12. Demonstrate that the decrypted plaintext is identical to the original plaintext. + # (This is an example for demonstration; you do not need to do this in your own code.) + assert plaintext_bytes_second_region == EXAMPLE_DATA diff --git a/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py b/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py index aa33b3745..d8e5aa2ab 100644 --- a/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py +++ b/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py @@ -14,4 +14,9 @@ def test_encrypt_and_decrypt_with_keyring(): "arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7" decrypt_kms_key_id = \ "arn:aws:kms:eu-west-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7" - encrypt_and_decrypt_with_keyring(encrypt_kms_key_id, decrypt_kms_key_id) + encrypt_region = "us-east-1" + decrypt_region = "eu-west-1" + encrypt_and_decrypt_with_keyring(encrypt_kms_key_id, + decrypt_kms_key_id, + encrypt_region, + decrypt_region) diff --git a/examples/test/keyrings/test_i_aws_kms_mrk_multi_keyring_example.py b/examples/test/keyrings/test_i_aws_kms_mrk_multi_keyring_example.py new file mode 100644 index 000000000..9eacc4aaa --- /dev/null +++ b/examples/test/keyrings/test_i_aws_kms_mrk_multi_keyring_example.py @@ -0,0 +1,20 @@ +# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +"""Test suite for the AWS KMS MRK Multi keyring example.""" +import pytest + +from ...src.keyrings.aws_kms_mrk_multi_keyring_example import encrypt_and_decrypt_with_keyring + +pytestmark = [pytest.mark.examples] + + +def test_encrypt_and_decrypt_with_keyring(): + """Test function for encrypt and decrypt using the AWS KMS MRK Multi Keyring example.""" + mrk_key_id = \ + "arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7" + kms_key_id = \ + "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f" + mrk_replica_key_id = \ + "arn:aws:kms:eu-west-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7" + second_region = "eu-west-1" + encrypt_and_decrypt_with_keyring(mrk_key_id, kms_key_id, mrk_replica_key_id, second_region) From c5f249e60b424a51e4bcdcd529fd2b15f4bba2ab Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Fri, 3 May 2024 10:33:18 -0700 Subject: [PATCH 4/7] minor fix --- examples/src/keyrings/aws_kms_mrk_keyring_example.py | 7 ++++--- .../src/keyrings/aws_kms_mrk_multi_keyring_example.py | 8 ++++---- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/examples/src/keyrings/aws_kms_mrk_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_keyring_example.py index 316b5479f..103686f7f 100644 --- a/examples/src/keyrings/aws_kms_mrk_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_keyring_example.py @@ -1,7 +1,7 @@ # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 """ -This example sets up the KMS MRK Keyring +This example sets up the KMS MRK (multi-region key) Keyring KMS MRK keyring interacts with AWS Key Management Service (AWS KMS) to create, encrypt, and decrypt data keys using AWS KMS defined Customer Master Keys (CMKs). @@ -17,6 +17,9 @@ For more information on how to use KMS keyrings, see https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html + +For more info on KMS MRK (multi-region keys), see the KMS documentation: +https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html """ import sys @@ -118,8 +121,6 @@ def encrypt_and_decrypt_with_keyring( # 6. Create a keyring that will decrypt your data, using the same KMS MRK key replicated # to the second region. This example assumes you have already replicated your key - # For more info on this, see the KMS documentation: - # https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html # Create a boto3 client for KMS in the second region. decrypt_kms_client = boto3.client('kms', region_name=decrypt_region) diff --git a/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py index 7063de345..7ffcf13a4 100644 --- a/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py @@ -5,7 +5,7 @@ KMS MRK keyring interacts with AWS Key Management Service (AWS KMS) to create, encrypt, and decrypt data keys using AWS KMS defined Customer Master Keys (CMKs). -This example creates a KMS MRK Keyring and then encrypts a custom input EXAMPLE_DATA +This example creates a KMS MRK Multi Keyring and then encrypts a custom input EXAMPLE_DATA with an encryption context. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same 2. Encryption context is correct in the decrypted message header @@ -51,7 +51,7 @@ def encrypt_and_decrypt_with_keyring( kms_key_id, mrk_replica_key_id, second_region) - :param mrk_key_id: KMS Key identifier for an AWS KMS multi-Region key (MRK) located in your + :param mrk_key_id: KMS Key identifier for an AWS KMS multi-region key (MRK) located in your default region :type mrk_key_id: string :param kms_key_id: KMS Key identifier for a KMS key, possibly located in a different region @@ -119,7 +119,7 @@ def encrypt_and_decrypt_with_keyring( "Ciphertext and plaintext data are the same. Invalid encryption" # 6. Decrypt your encrypted data using the same AwsKmsMrkMultiKeyring you used on encrypt. - # It will decrypt the data using the generator KMS key since that is the first available + # It will decrypt the data using the generator KMS MRK key since that is the first available # KMS key on the keyring that is capable of decrypting the data. plaintext_bytes, dec_header = client.decrypt( source=ciphertext, @@ -138,7 +138,7 @@ def encrypt_and_decrypt_with_keyring( # Demonstrate that a single AwsKmsMrkKeyring configured with a replica of the MRK from the # multi-keyring used to encrypt the data is also capable of decrypting the data. - # Not shown in this example: A KMS Keyring created with `kmsKeyArn` could also + # Not shown in this example: A KMS Keyring created with `kms_key_id` could also # decrypt this message. # (This is an example for demonstration; you do not need to do this in your own code.) From aa727aba595a0f507d73747fecf42404a1570fed Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Fri, 3 May 2024 11:23:43 -0700 Subject: [PATCH 5/7] minor fix --- .../keyrings/aws_kms_mrk_keyring_example.py | 53 ++++++++++--------- .../aws_kms_mrk_multi_keyring_example.py | 14 ++--- .../test_i_aws_kms_mrk_keyring_example.py | 16 +++--- 3 files changed, 43 insertions(+), 40 deletions(-) diff --git a/examples/src/keyrings/aws_kms_mrk_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_keyring_example.py index 103686f7f..93aa6a469 100644 --- a/examples/src/keyrings/aws_kms_mrk_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_keyring_example.py @@ -3,8 +3,8 @@ """ This example sets up the KMS MRK (multi-region key) Keyring -KMS MRK keyring interacts with AWS Key Management Service (AWS KMS) to create, encrypt, -and decrypt data keys using AWS KMS defined Customer Master Keys (CMKs). +The AWS Key Management Service (AWS KMS) MRK keyring interacts with AWS KMS to +create, encrypt, and decrypt data keys with multi-region AWS KMS keys (MRKs). This example creates a KMS MRK Keyring and then encrypts a custom input EXAMPLE_DATA with an encryption context. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same @@ -42,27 +42,28 @@ def encrypt_and_decrypt_with_keyring( - encrypt_kms_key_id: str, - decrypt_kms_key_id: str, - encrypt_region: str, - decrypt_region: str + mrk_key_id_encrypt: str, + mrk_replica_key_id_decrypt: str, + default_region: str, + second_region: str ): - """Demonstrate an encrypt/decrypt cycle using an AWS KMS keyring. - - Usage: encrypt_and_decrypt_with_keyring(encrypt_kms_key_id, - decrypt_kms_key_id, - encrypt_region, - decrypt_region) - :param encrypt_kms_key_id: KMS Key identifier for the KMS key you want to use - for encryption of your data keys. - :type encrypt_kms_key_id: string - :param decrypt_kms_key_id: KMS Key identifier for the KMS key you want to use - for decryption of your data keys. - :type decrypt_kms_key_id: string - :param encrypt_region: AWS Region for encryption of your data keys - :type encrypt_region: string - :param decrypt_region: AWS Region for decryption of your data keys - :type decrypt_region: string + """Demonstrate an encrypt/decrypt cycle using an AWS KMS MRK keyring. + + Usage: encrypt_and_decrypt_with_keyring(mrk_key_id_encrypt, + mrk_replica_key_id_decrypt, + default_region, + second_region) + :param mrk_key_id_encrypt: KMS Key identifier for the KMS key located in your + default region, which you want to use for encryption of your data keys + :type mrk_key_id_encrypt: string + :param mrk_replica_key_id_decrypt: KMS Key identifier for the KMS key KMS Key + that is a replica of the `mrk_key_id_encrypt` in a second region, which you + want to use for decryption of your data keys + :type mrk_replica_key_id_decrypt: string + :param default_region: AWS Region for encryption of your data keys + :type default_region: string + :param second_region: AWS Region for decryption of your data keys + :type second_region: string For more information on KMS Key identifiers, see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id @@ -96,10 +97,10 @@ def encrypt_and_decrypt_with_keyring( ) # Create a boto3 client for KMS in the first region. - encrypt_kms_client = boto3.client('kms', region_name=encrypt_region) + encrypt_kms_client = boto3.client('kms', region_name=default_region) encrypt_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput( - kms_key_id=encrypt_kms_key_id, + kms_key_id=mrk_key_id_encrypt, kms_client=encrypt_kms_client ) @@ -123,10 +124,10 @@ def encrypt_and_decrypt_with_keyring( # to the second region. This example assumes you have already replicated your key # Create a boto3 client for KMS in the second region. - decrypt_kms_client = boto3.client('kms', region_name=decrypt_region) + decrypt_kms_client = boto3.client('kms', region_name=second_region) decrypt_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput( - kms_key_id=decrypt_kms_key_id, + kms_key_id=mrk_replica_key_id_decrypt, kms_client=decrypt_kms_client ) diff --git a/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py index 7ffcf13a4..838a3fb8b 100644 --- a/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py @@ -3,10 +3,11 @@ """ This example sets up the KMS MRK Multi Keyring -KMS MRK keyring interacts with AWS Key Management Service (AWS KMS) to create, encrypt, -and decrypt data keys using AWS KMS defined Customer Master Keys (CMKs). -This example creates a KMS MRK Multi Keyring and then encrypts a custom input EXAMPLE_DATA -with an encryption context. This example also includes some sanity checks for demonstration: +The AWS Key Management Service (AWS KMS) MRK keyring interacts with AWS KMS to +create, encrypt, and decrypt data keys with multi-region AWS KMS keys (MRKs). +This example creates a KMS MRK Multi Keyring using an mrk_key_id (generator) and +a kms_key_id, and then encrypts a custom input EXAMPLE_DATA with an encryption context. +This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same 2. Encryption context is correct in the decrypted message header 3. Decrypted plaintext value matches EXAMPLE_DATA @@ -138,8 +139,6 @@ def encrypt_and_decrypt_with_keyring( # Demonstrate that a single AwsKmsMrkKeyring configured with a replica of the MRK from the # multi-keyring used to encrypt the data is also capable of decrypting the data. - # Not shown in this example: A KMS Keyring created with `kms_key_id` could also - # decrypt this message. # (This is an example for demonstration; you do not need to do this in your own code.) # 9. Create a single AwsKmsMrkKeyring with the replica KMS MRK from the second region. @@ -171,3 +170,6 @@ def encrypt_and_decrypt_with_keyring( # 12. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) assert plaintext_bytes_second_region == EXAMPLE_DATA + + # Not shown in this example: A KMS Keyring created with `kms_key_id` could also + # decrypt this message. diff --git a/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py b/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py index d8e5aa2ab..1b140543f 100644 --- a/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py +++ b/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py @@ -10,13 +10,13 @@ def test_encrypt_and_decrypt_with_keyring(): """Test function for encrypt and decrypt using the AWS KMS MRK Keyring example.""" - encrypt_kms_key_id = \ + mrk_key_id_encrypt = \ "arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7" - decrypt_kms_key_id = \ + mrk_replica_key_id_decrypt = \ "arn:aws:kms:eu-west-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7" - encrypt_region = "us-east-1" - decrypt_region = "eu-west-1" - encrypt_and_decrypt_with_keyring(encrypt_kms_key_id, - decrypt_kms_key_id, - encrypt_region, - decrypt_region) + default_region = "us-east-1" + second_region = "eu-west-1" + encrypt_and_decrypt_with_keyring(mrk_key_id_encrypt, + mrk_replica_key_id_decrypt, + default_region, + second_region) From 88ee2c0f287cdc34f5f87a1daee3b7a9b82b100d Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Fri, 3 May 2024 12:06:26 -0700 Subject: [PATCH 6/7] fix --- .../keyrings/aws_kms_mrk_keyring_example.py | 32 ++++++++++--------- .../aws_kms_mrk_multi_keyring_example.py | 24 +++++++++----- .../test_i_aws_kms_mrk_keyring_example.py | 8 ++--- 3 files changed, 37 insertions(+), 27 deletions(-) diff --git a/examples/src/keyrings/aws_kms_mrk_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_keyring_example.py index 93aa6a469..e1bb256f3 100644 --- a/examples/src/keyrings/aws_kms_mrk_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_keyring_example.py @@ -44,28 +44,30 @@ def encrypt_and_decrypt_with_keyring( mrk_key_id_encrypt: str, mrk_replica_key_id_decrypt: str, - default_region: str, - second_region: str + mrk_encrypt_region: str, + mrk_replica_decrypt_region: str ): """Demonstrate an encrypt/decrypt cycle using an AWS KMS MRK keyring. Usage: encrypt_and_decrypt_with_keyring(mrk_key_id_encrypt, mrk_replica_key_id_decrypt, - default_region, - second_region) + mrk_encrypt_region, + mrk_replica_decrypt_region) :param mrk_key_id_encrypt: KMS Key identifier for the KMS key located in your default region, which you want to use for encryption of your data keys :type mrk_key_id_encrypt: string - :param mrk_replica_key_id_decrypt: KMS Key identifier for the KMS key KMS Key + :param mrk_replica_key_id_decrypt: KMS Key identifier for the KMS key that is a replica of the `mrk_key_id_encrypt` in a second region, which you want to use for decryption of your data keys :type mrk_replica_key_id_decrypt: string - :param default_region: AWS Region for encryption of your data keys - :type default_region: string - :param second_region: AWS Region for decryption of your data keys - :type second_region: string - - For more information on KMS Key identifiers, see + :param mrk_encrypt_region: AWS Region for encryption of your data keys. This should + be the region of the mrk_key_id_encrypt. + :type mrk_encrypt_region: string + :param mrk_replica_decrypt_region: AWS Region for decryption of your data keys. This should + be the region of the mrk_replica_key_id_decrypt. + :type mrk_replica_decrypt_region: string + + For more information on KMS Key identifiers for multi-region keys, see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id """ # 1. Instantiate the encryption SDK client. @@ -91,13 +93,13 @@ def encrypt_and_decrypt_with_keyring( "the data you are handling": "is what you think it is", } - # 3. Create a keyring that will encrypt your data, using a KMS MRK key in the first region. + # 3. Create a keyring that will encrypt your data, using a KMS MRK in the first region. mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders( config=MaterialProvidersConfig() ) # Create a boto3 client for KMS in the first region. - encrypt_kms_client = boto3.client('kms', region_name=default_region) + encrypt_kms_client = boto3.client('kms', region_name=mrk_encrypt_region) encrypt_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput( kms_key_id=mrk_key_id_encrypt, @@ -120,11 +122,11 @@ def encrypt_and_decrypt_with_keyring( assert ciphertext != EXAMPLE_DATA, \ "Ciphertext and plaintext data are the same. Invalid encryption" - # 6. Create a keyring that will decrypt your data, using the same KMS MRK key replicated + # 6. Create a keyring that will decrypt your data, using the same KMS MRK replicated # to the second region. This example assumes you have already replicated your key # Create a boto3 client for KMS in the second region. - decrypt_kms_client = boto3.client('kms', region_name=second_region) + decrypt_kms_client = boto3.client('kms', region_name=mrk_replica_decrypt_region) decrypt_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput( kms_key_id=mrk_replica_key_id_decrypt, diff --git a/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py index 838a3fb8b..a42a00109 100644 --- a/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py @@ -4,20 +4,28 @@ This example sets up the KMS MRK Multi Keyring The AWS Key Management Service (AWS KMS) MRK keyring interacts with AWS KMS to -create, encrypt, and decrypt data keys with multi-region AWS KMS keys (MRKs). -This example creates a KMS MRK Multi Keyring using an mrk_key_id (generator) and -a kms_key_id, and then encrypts a custom input EXAMPLE_DATA with an encryption context. +create, encrypt, and decrypt data keys with AWS KMS MRK keys. +The KMS MRK multi-keyring consists of one or more individual keyrings of the +same or different type. The keys can either be regular KMS keys or MRKs. +The effect is like using several keyrings in a series. + +This example creates a AwsKmsMrkMultiKeyring using an mrk_key_id (generator) and a kms_key_id +as a child key, and then encrypts a custom input EXAMPLE_DATA with an encryption context. +Either KMS Key individually is capable of decrypting data encrypted under this keyring. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same 2. Encryption context is correct in the decrypted message header 3. Decrypted plaintext value matches EXAMPLE_DATA 4. Ciphertext can be decrypted using an AwsKmsMrkKeyring containing a replica of the - MRK key (from the multi-keyring used for encryption) copied from the first region into + MRK (from the multi-keyring used for encryption) copied from the first region into the second region These sanity checks are for demonstration in the example only. You do not need these in your code. For more information on how to use KMS keyrings, see https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html + +For more info on KMS MRK (multi-region keys), see the KMS documentation: +https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html """ import sys @@ -56,7 +64,7 @@ def encrypt_and_decrypt_with_keyring( default region :type mrk_key_id: string :param kms_key_id: KMS Key identifier for a KMS key, possibly located in a different region - than the MRK key + than the MRK :type kms_key_id: string :param mrk_replica_key_id: KMS Key identifier for an MRK that is a replica of the `mrk_key_id` in a second region. @@ -64,7 +72,7 @@ def encrypt_and_decrypt_with_keyring( :param second_region: The second region where the MRK replica is located :type second_region: string - For more information on KMS Key identifiers, see + For more information on KMS Key identifiers for multi-region keys, see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id """ # 1. Instantiate the encryption SDK client. @@ -120,8 +128,8 @@ def encrypt_and_decrypt_with_keyring( "Ciphertext and plaintext data are the same. Invalid encryption" # 6. Decrypt your encrypted data using the same AwsKmsMrkMultiKeyring you used on encrypt. - # It will decrypt the data using the generator KMS MRK key since that is the first available - # KMS key on the keyring that is capable of decrypting the data. + # It will decrypt the data using the generator key (in this case, the MRK), since that is + # the first available KMS key on the keyring that is capable of decrypting the data. plaintext_bytes, dec_header = client.decrypt( source=ciphertext, keyring=kms_mrk_multi_keyring diff --git a/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py b/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py index 1b140543f..ab81d9c10 100644 --- a/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py +++ b/examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py @@ -14,9 +14,9 @@ def test_encrypt_and_decrypt_with_keyring(): "arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7" mrk_replica_key_id_decrypt = \ "arn:aws:kms:eu-west-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7" - default_region = "us-east-1" - second_region = "eu-west-1" + mrk_encrypt_region = "us-east-1" + mrk_replica_decrypt_region = "eu-west-1" encrypt_and_decrypt_with_keyring(mrk_key_id_encrypt, mrk_replica_key_id_decrypt, - default_region, - second_region) + mrk_encrypt_region, + mrk_replica_decrypt_region) From 8e152e3a647866421ec36ad1f45c355e4b8f6b03 Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Fri, 3 May 2024 12:22:28 -0700 Subject: [PATCH 7/7] fix (2) --- .../src/keyrings/aws_kms_mrk_keyring_example.py | 2 +- .../keyrings/aws_kms_mrk_multi_keyring_example.py | 14 +++++++------- .../test_i_aws_kms_mrk_multi_keyring_example.py | 7 +++++-- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/examples/src/keyrings/aws_kms_mrk_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_keyring_example.py index e1bb256f3..b82748cf9 100644 --- a/examples/src/keyrings/aws_kms_mrk_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_keyring_example.py @@ -1,7 +1,7 @@ # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 """ -This example sets up the KMS MRK (multi-region key) Keyring +This example sets up the AWS KMS MRK (multi-region key) Keyring The AWS Key Management Service (AWS KMS) MRK keyring interacts with AWS KMS to create, encrypt, and decrypt data keys with multi-region AWS KMS keys (MRKs). diff --git a/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py index a42a00109..38c5b1232 100644 --- a/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py @@ -1,7 +1,7 @@ # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 """ -This example sets up the KMS MRK Multi Keyring +This example sets up the AWS KMS MRK Multi Keyring The AWS Key Management Service (AWS KMS) MRK keyring interacts with AWS KMS to create, encrypt, and decrypt data keys with AWS KMS MRK keys. @@ -51,7 +51,7 @@ def encrypt_and_decrypt_with_keyring( mrk_key_id: str, kms_key_id: str, mrk_replica_key_id: str, - second_region: str + mrk_replica_decrypt_region: str ): """Demonstrate an encrypt/decrypt cycle using a Multi-Keyring made up of multiple AWS KMS MRK Keyrings @@ -59,7 +59,7 @@ def encrypt_and_decrypt_with_keyring( Usage: encrypt_and_decrypt_with_keyring(mrk_key_id, kms_key_id, mrk_replica_key_id, - second_region) + mrk_replica_decrypt_region) :param mrk_key_id: KMS Key identifier for an AWS KMS multi-region key (MRK) located in your default region :type mrk_key_id: string @@ -69,8 +69,8 @@ def encrypt_and_decrypt_with_keyring( :param mrk_replica_key_id: KMS Key identifier for an MRK that is a replica of the `mrk_key_id` in a second region. :type mrk_replica_key_id: string - :param second_region: The second region where the MRK replica is located - :type second_region: string + :param mrk_replica_decrypt_region: The second region where the MRK replica is located + :type mrk_replica_decrypt_region: string For more information on KMS Key identifiers for multi-region keys, see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id @@ -151,8 +151,8 @@ def encrypt_and_decrypt_with_keyring( # 9. Create a single AwsKmsMrkKeyring with the replica KMS MRK from the second region. - # Create a boto3 client for KMS in the second region. - second_region_kms_client = boto3.client('kms', region_name=second_region) + # Create a boto3 client for KMS in the second region which is the region for mrk_replica_key_id. + second_region_kms_client = boto3.client('kms', region_name=mrk_replica_decrypt_region) second_region_mrk_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput( kms_key_id=mrk_replica_key_id, diff --git a/examples/test/keyrings/test_i_aws_kms_mrk_multi_keyring_example.py b/examples/test/keyrings/test_i_aws_kms_mrk_multi_keyring_example.py index 9eacc4aaa..8272f3987 100644 --- a/examples/test/keyrings/test_i_aws_kms_mrk_multi_keyring_example.py +++ b/examples/test/keyrings/test_i_aws_kms_mrk_multi_keyring_example.py @@ -16,5 +16,8 @@ def test_encrypt_and_decrypt_with_keyring(): "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f" mrk_replica_key_id = \ "arn:aws:kms:eu-west-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7" - second_region = "eu-west-1" - encrypt_and_decrypt_with_keyring(mrk_key_id, kms_key_id, mrk_replica_key_id, second_region) + mrk_replica_decrypt_region = "eu-west-1" + encrypt_and_decrypt_with_keyring(mrk_key_id, + kms_key_id, + mrk_replica_key_id, + mrk_replica_decrypt_region)