AWS KMS MRK Match for Decrypt

Version

0.2.2

Changelog

0.2.2
- Initial record

Implementations

Language	Confirmed Compatible with Spec Version	Minimum Version Confirmed	Implementation

Overview

Since the AWS Encryption SDK stores the AWS KMS key ARN in the encrypted data key of the message format an AWS KMS component needs to be able to evaluate if a configured ARN matches a stored ARN. This is especially important for multi-Region keys because the match does not need to be exact.

Definitions

Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Implementation

The caller MUST provide:

2 AWS KMS key identifiers

If both identifiers are identical, this function MUST return true. Otherwise if either input is not identified as a multi-Region key, then this function MUST return false. Otherwise if both inputs are identified as a multi-Region keys, this function MUST return the result of comparing the partition, service, accountId, resourceType, and resource parts of both ARN inputs. NOTE: The region part is intentionally omitted.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

aws-kms-mrk-match-for-decrypt.md

aws-kms-mrk-match-for-decrypt.md

AWS KMS MRK Match for Decrypt

Version

Changelog

Implementations

Overview

Definitions

Conventions used in this document

Implementation

Files

aws-kms-mrk-match-for-decrypt.md

Latest commit

History

aws-kms-mrk-match-for-decrypt.md

File metadata and controls

AWS KMS MRK Match for Decrypt

Version

Changelog

Implementations

Overview

Definitions

Conventions used in this document

Implementation