Crate aws_db_esdk

The AWS Database Encryption SDK provides client-side encryption for DynamoDB.

The journey starts with a configuration. For details, see the Examples or the Developer Guide.

The examples below will use an empty configuration for brevity. This is not something you would do in actual use.

There are two modes of operation.

§DynamoDB Client with Interceptor

By far the most common mode is to add our interceptor to your DynamoDB client.

Once you’ve created your augmented DynamoDB Client, use it as you normally would. Values are automatically encrypted on Put and decrypted on Get.

If configured, Scan Beacons are generated to allow Searchable Encryption.

See full example

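use std::collections::HashMap;

// Per-table encryption settings (left empty here for brevity).
let table_configs = DynamoDbTablesEncryptionConfig::builder()
    .table_encryption_configs(HashMap::new()) // your configuration here
    .build()?;

// Start from the standard AWS SDK configuration and attach the interceptor.
let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
    .interceptor(DbEsdkInterceptor::new(table_configs)?)
    .build();

// Requests made through this client pass through the interceptor.
let ddb_client = aws_sdk_dynamodb::Client::from_conf(dynamo_config);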

§Item Encryptor

Rather than letting things happen automatically, you can manually encrypt and decrypt individual DynamoDB Items. This does NOT allow for Searchable Encryption.

See full example

let config = DynamoDbItemEncryptorConfig::builder()
    // your configuration here
    .build()?;

let item_encryptor = enc_client::Client::from_conf(config)?;

// Clone the item so the original is still available for the comparison below.
let encrypted_item = item_encryptor
    .encrypt_item()
    .plaintext_item(original_item.clone())
    .send()
    .await?
    .encrypted_item
    .unwrap();

// The decrypt output carries the recovered item in `plaintext_item`.
let decrypted_item = item_encryptor
    .decrypt_item()
    .encrypted_item(encrypted_item)
    .send()
    .await?
    .plaintext_item
    .unwrap();

assert_eq!(decrypted_item, original_item);
