main/keyring/mrk_discovery_multi_keyring.rs
1// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
2// SPDX-License-Identifier: Apache-2.0
3
4use crate::test_utils;
5use aws_db_esdk::dynamodb::types::DynamoDbTableEncryptionConfig;
6use aws_db_esdk::intercept::DbEsdkInterceptor;
7use aws_db_esdk::material_providers::client as mpl_client;
8use aws_db_esdk::material_providers::types::material_providers_config::MaterialProvidersConfig;
9use aws_db_esdk::material_providers::types::DiscoveryFilter;
10use aws_db_esdk::CryptoAction;
11use aws_db_esdk::DynamoDbTablesEncryptionConfig;
12use aws_sdk_dynamodb::types::AttributeValue;
13use std::collections::HashMap;
14
15/*
16 This example sets up a MRK discovery multi-keyring to decrypt data using
17 the DynamoDB encryption client. A discovery keyring is not provided with any wrapping
18 keys; instead, it recognizes the KMS key that was used to encrypt a data key,
19 and asks KMS to decrypt with that KMS key. Discovery keyrings cannot be used
20 to encrypt data.
21
22 For more information on discovery keyrings, see
23 https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html#kms-keyring-discovery
24
25 This example encrypts an item using an MRK multi-keyring and puts the
26 encrypted item to the configured DynamoDb table. Then, it gets the item
27 from the table and decrypts it using the discovery keyring.
28
29 Running this example requires access to the DDB Table whose name
30 is provided in CLI arguments.
31 This table must be configured with the following
32 primary key configuration:
33 - Partition key is named "partition_key" with type (S)
34 - Sort key is named "sort_key" with type (S)
35*/
36
37pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
38 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
39 let key_arn = test_utils::TEST_MRK_KEY_ID;
40 let account_ids = vec![test_utils::TEST_AWS_ACCOUNT_ID.to_string()];
41 let regions = vec![test_utils::TEST_AWS_REGION.to_string()];
42
43 // 1. Create a single MRK multi-keyring using the key arn.
44 // Although this example demonstrates use of the MRK discovery multi-keyring,
45 // a discovery keyring cannot be used to encrypt. So we will need to construct
46 // a non-discovery keyring for this example to encrypt. For more information on MRK
47 // multi-keyrings, see the MultiMrkKeyringExample in this directory.
48 // Though this is an "MRK multi-keyring", we do not need to provide multiple keys,
49 // and can use single-region KMS keys. We will provide a single key here; this
50 // can be either an MRK or a single-region key.
51 let mpl_config = MaterialProvidersConfig::builder().build()?;
52 let mpl = mpl_client::Client::from_conf(mpl_config)?;
53 let encrypt_keyring = mpl
54 .create_aws_kms_mrk_multi_keyring()
55 .generator(key_arn)
56 .send()
57 .await?;
58
59 // 2. Configure which attributes are encrypted and/or signed when writing new items.
60 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
61 // we must explicitly configure how they should be treated during item encryption:
62 // - ENCRYPT_AND_SIGN: The attribute is encrypted and icncluded in the signature
63 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
64 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
65 let attribute_actions_on_encrypt = HashMap::from([
66 ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
67 ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
68 ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
69 ]);
70
71 // 3. Configure which attributes we expect to be included in the signature
72 // when reading items. There are two options for configuring this:
73 //
74 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
75 // When defining your DynamoDb schema and deciding on attribute names,
76 // choose a distinguishing prefix (such as ":") for all attributes that
77 // you do not want to include in the signature.
78 // This has two main benefits:
79 // - It is easier to reason about the security and authenticity of data within your item
80 // when all unauthenticated data is easily distinguishable by their attribute name.
81 // - If you need to add new unauthenticated attributes in the future,
82 // you can easily make the corresponding update to your `attributeActionsOnEncrypt`
83 // and immediately start writing to that new attribute, without
84 // any other configuration update needed.
85 // Once you configure this field, it is not safe to update it.
86 //
87 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
88 // a set of attributes that should be considered unauthenticated when encountered
89 // on read. Be careful if you use this configuration. Do not remove an attribute
90 // name from this configuration, even if you are no longer writing with that attribute,
91 // as old items may still include this attribute, and our configuration needs to know
92 // to continue to exclude this attribute from the signature scope.
93 // If you add new attribute names to this field, you must first deploy the update to this
94 // field to all readers in your host fleet before deploying the update to start writing
95 // with that new attribute.
96 //
97 // For this example, we currently authenticate all attributes. To make it easier to
98 // add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
99 const UNSIGNED_ATTR_PREFIX: &str = ":";
100
101 // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
102 let table_config = DynamoDbTableEncryptionConfig::builder()
103 .logical_table_name(ddb_table_name)
104 .partition_key_name("partition_key")
105 .sort_key_name("sort_key")
106 .attribute_actions_on_encrypt(attribute_actions_on_encrypt.clone())
107 .keyring(encrypt_keyring)
108 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
109 .build()?;
110
111 let table_configs = DynamoDbTablesEncryptionConfig::builder()
112 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
113 .build()?;
114
115 // 5. Create a new AWS SDK DynamoDb client using the config above
116 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
117 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
118 .interceptor(DbEsdkInterceptor::new(table_configs)?)
119 .build();
120 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
121
122 // 6. Put an item into our table using the above client.
123 // Before the item gets sent to DynamoDb, it will be encrypted
124 // client-side using the MRK multi-keyring.
125 let item = HashMap::from([
126 (
127 "partition_key".to_string(),
128 AttributeValue::S("awsKmsMrkDiscoveryMultiKeyringItem".to_string()),
129 ),
130 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
131 (
132 "sensitive_data".to_string(),
133 AttributeValue::S("encrypt and sign me!".to_string()),
134 ),
135 ]);
136
137 ddb.put_item()
138 .table_name(ddb_table_name)
139 .set_item(Some(item.clone()))
140 .send()
141 .await?;
142
143 // 7. Construct a discovery filter.
144 // A discovery filter limits the set of encrypted data keys
145 // the keyring can use to decrypt data.
146 // We will only let the keyring use keys in the selected AWS accounts
147 // and in the `aws` partition.
148 // This is the suggested config for most users; for more detailed config, see
149 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html#kms-keyring-discovery
150 let discovery_filter = DiscoveryFilter::builder()
151 .partition("aws")
152 .account_ids(account_ids)
153 .build()?;
154
155 // 8. Construct a discovery keyring.
156 // Note that we choose to use the MRK discovery multi-keyring, even though
157 // our original keyring used a single KMS key.
158
159 let decrypt_keyring = mpl
160 .create_aws_kms_mrk_discovery_multi_keyring()
161 .discovery_filter(discovery_filter)
162 .regions(regions)
163 .send()
164 .await?;
165
166 // 9. Create new DDB config and client using the decrypt discovery keyring.
167 // This is the same as the above config, except we pass in the decrypt keyring.
168 let table_config_for_decrypt = DynamoDbTableEncryptionConfig::builder()
169 .logical_table_name(ddb_table_name)
170 .partition_key_name("partition_key")
171 .sort_key_name("sort_key")
172 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
173 .keyring(decrypt_keyring)
174 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
175 .build()?;
176
177 let table_configs_for_decrypt = DynamoDbTablesEncryptionConfig::builder()
178 .table_encryption_configs(HashMap::from([(
179 ddb_table_name.to_string(),
180 table_config_for_decrypt,
181 )]))
182 .build()?;
183
184 let dynamo_config_for_decrypt = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
185 .interceptor(DbEsdkInterceptor::new(table_configs_for_decrypt)?)
186 .build();
187 let ddb_for_decrypt = aws_sdk_dynamodb::Client::from_conf(dynamo_config_for_decrypt);
188
189 // 10. Get the item back from our table using the client.
190 // The client will retrieve encrypted items from the DDB table, then
191 // detect the KMS key that was used to encrypt their data keys.
192 // The client will make a request to KMS to decrypt with the encrypting KMS key.
193 // If the client has permission to decrypt with the KMS key,
194 // the client will decrypt the item client-side using the keyring
195 // and return the original item.
196 let key_to_get = HashMap::from([
197 (
198 "partition_key".to_string(),
199 AttributeValue::S("awsKmsMrkDiscoveryMultiKeyringItem".to_string()),
200 ),
201 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
202 ]);
203
204 let resp = ddb_for_decrypt
205 .get_item()
206 .table_name(ddb_table_name)
207 .set_key(Some(key_to_get))
208 .consistent_read(true)
209 .send()
210 .await?;
211
212 assert_eq!(resp.item, Some(item));
213
214 println!("mrk_discovery_multi_keyring successful.");
215 Ok(())
216}