Crate aws_db_esdk

The AWS Database Encryption SDK provides client-side encryption for DynamoDB.

The journey starts with a configuration. For details, see the Examples or the Developer Guide.

The examples below will use an empty configuration for brevity. This is not something you would do in actual use.

There are two modes of operation.

§DynamoDB Client with Interceptor

By far the most common mode is to add our interceptor to your DynamoDB client.

Once you’ve created your augmented DynamoDB Client, use it as you normally would. Values are automatically encrypted on Put and decrypted on Get.

If configured, Scan Beacons are generated to allow Searchable Encryption.

See full example

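use std::collections::HashMap;
use aws_db_esdk::intercept::DbEsdkInterceptor;
use aws_db_esdk::DynamoDbTablesEncryptionConfig;

// Per-table encryption settings; the map is empty here only for brevity.
let table_configs = DynamoDbTablesEncryptionConfig::builder()
    .table_encryption_configs(HashMap::new()) // your configuration here
    .build()?;

// Attach the interceptor to an ordinary DynamoDB client configuration.
let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
    .interceptor(DbEsdkInterceptor::new(table_configs)?)
    .build();

// Requests made through this client pass through the interceptor.
let ddb_client = aws_sdk_dynamodb::Client::from_conf(dynamo_config);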

§Item Encryptor

Rather than letting things happen automatically, you can manually encrypt and decrypt individual DynamoDB Items. This does NOT allow for Searchable Encryption.

See full example

let config = DynamoDbItemEncryptorConfig::builder()
    // your configuration here
    .build()?;

let item_encryptor = enc_client::Client::from_conf(config)?;

// Clone the plaintext so it is still available for the comparison below.
let encrypted_item = item_encryptor
    .encrypt_item()
    .plaintext_item(original_item.clone())
    .send()
    .await?
    .encrypted_item
    .unwrap();

// The decrypt output carries the recovered item in `plaintext_item`.
let decrypted_item = item_encryptor
    .decrypt_item()
    .encrypted_item(encrypted_item)
    .send()
    .await?
    .plaintext_item
    .unwrap();

assert_eq!(decrypted_item, original_item);

Re-exports§

pub use client::Client;
pub use types::dynamo_db_tables_encryption_config::DynamoDbTablesEncryptionConfig;

Modules§

client
Client for use with the various low level transform operations
com_amazonaws_kms
Rarely needed internal KMS Client, needed for ClientSupplier
dynamodb
Configuration types etc.
error
Errors and error handling utilities.
intercept
The DbEsdkInterceptor type for use with the aws_sdk_dynamodb interceptor
item_encryptor
Low level interface to encrypt or decrypt individual Items.
key_store
Branch key support. See Key Stores
material_providers
Key Rings and other fundamentals.
operation
All the transform operations. Rarely useful.
types
Types for the transform client. Rarely useful.

Enums§

CryptoAction