#[non_exhaustive]pub struct DynamoDbTableEncryptionConfig {
pub algorithm_suite_id: Option<DbeAlgorithmSuiteId>,
pub allowed_unsigned_attribute_prefix: Option<String>,
pub allowed_unsigned_attributes: Option<Vec<String>>,
pub attribute_actions_on_encrypt: Option<HashMap<String, CryptoAction>>,
pub cmm: Option<CryptographicMaterialsManagerRef>,
pub keyring: Option<KeyringRef>,
pub legacy_override: Option<LegacyOverride>,
pub logical_table_name: Option<String>,
pub partition_key_name: Option<String>,
pub plaintext_override: Option<PlaintextOverride>,
pub search: Option<SearchConfig>,
pub sort_key_name: Option<String>,
}Expand description
The configuration for client-side encryption for a particular DynamoDB table.
Fields (Non-exhaustive)§
This struct is marked as non-exhaustive
Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional
Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.algorithm_suite_id: Option<DbeAlgorithmSuiteId>An ID for the algorithm suite to use during encryption and decryption.
allowed_unsigned_attribute_prefix: Option<String>A prefix such that, if during decryption any attribute has a name with this prefix, it is treated as unsigned.
allowed_unsigned_attributes: Option<Vec<String>>A list of attribute names such that, if encountered during decryption, those attributes are treated as unsigned.
attribute_actions_on_encrypt: Option<HashMap<String, CryptoAction>>A map that describes what attributes should be encrypted and/or signed on encrypt. This map must contain all attributes that might be encountered during encryption.
cmm: Option<CryptographicMaterialsManagerRef>The Cryptographic Materials Manager that is used to obtain materials for encryption and decryption. Either a Keyring or a Cryptographic Materials Manager must be specified.
keyring: Option<KeyringRef>The Keyring that should be used to wrap and unwrap data keys. If specified a Default Cryptographic Materials Manager with this Keyring is used to obtain materials for encryption and decryption. Either a Keyring or a Cryptographic Materials Manager must be specified.
legacy_override: Option<LegacyOverride>A configuration that override encryption and/or decryption to instead perform legacy encryption and/or decryption. Used as part of migration from version 2.x to version 3.x.
logical_table_name: Option<String>The logical table name for this table. This is the name that is cryptographically bound with your data. This can be the same as the actual DynamoDB table name. It’s purpose is to be distinct from the DynamoDB table name so that the data may still be authenticated if being read from different (but logically similar) tables, such as a backup table.
partition_key_name: Option<String>The name of the partition key on this table.
plaintext_override: Option<PlaintextOverride>A configuration that override encryption and/or decryption to instead passthrough and write and/or read plaintext. Used to update plaintext tables to fully use client-side encryption.
search: Option<SearchConfig>The configuration for searchable encryption.
sort_key_name: Option<String>If this table contains a sort key, the name of the sort key on this table.
Implementations§
Source§impl DynamoDbTableEncryptionConfig
impl DynamoDbTableEncryptionConfig
Sourcepub fn algorithm_suite_id(&self) -> &Option<DbeAlgorithmSuiteId>
pub fn algorithm_suite_id(&self) -> &Option<DbeAlgorithmSuiteId>
An ID for the algorithm suite to use during encryption and decryption.
Sourcepub fn allowed_unsigned_attribute_prefix(&self) -> &Option<String>
pub fn allowed_unsigned_attribute_prefix(&self) -> &Option<String>
A prefix such that, if during decryption any attribute has a name with this prefix, it is treated as unsigned.
Sourcepub fn allowed_unsigned_attributes(&self) -> &Option<Vec<String>>
pub fn allowed_unsigned_attributes(&self) -> &Option<Vec<String>>
A list of attribute names such that, if encountered during decryption, those attributes are treated as unsigned.
Sourcepub fn attribute_actions_on_encrypt(
&self,
) -> &Option<HashMap<String, CryptoAction>>
pub fn attribute_actions_on_encrypt( &self, ) -> &Option<HashMap<String, CryptoAction>>
A map that describes what attributes should be encrypted and/or signed on encrypt. This map must contain all attributes that might be encountered during encryption.
Sourcepub fn cmm(&self) -> &Option<CryptographicMaterialsManagerRef>
pub fn cmm(&self) -> &Option<CryptographicMaterialsManagerRef>
The Cryptographic Materials Manager that is used to obtain materials for encryption and decryption. Either a Keyring or a Cryptographic Materials Manager must be specified.
Sourcepub fn keyring(&self) -> &Option<KeyringRef>
pub fn keyring(&self) -> &Option<KeyringRef>
The Keyring that should be used to wrap and unwrap data keys. If specified a Default Cryptographic Materials Manager with this Keyring is used to obtain materials for encryption and decryption. Either a Keyring or a Cryptographic Materials Manager must be specified.
Sourcepub fn legacy_override(&self) -> &Option<LegacyOverride>
pub fn legacy_override(&self) -> &Option<LegacyOverride>
A configuration that override encryption and/or decryption to instead perform legacy encryption and/or decryption. Used as part of migration from version 2.x to version 3.x.
Sourcepub fn logical_table_name(&self) -> &Option<String>
pub fn logical_table_name(&self) -> &Option<String>
The logical table name for this table. This is the name that is cryptographically bound with your data. This can be the same as the actual DynamoDB table name. It’s purpose is to be distinct from the DynamoDB table name so that the data may still be authenticated if being read from different (but logically similar) tables, such as a backup table.
Sourcepub fn partition_key_name(&self) -> &Option<String>
pub fn partition_key_name(&self) -> &Option<String>
The name of the partition key on this table.
Sourcepub fn plaintext_override(&self) -> &Option<PlaintextOverride>
pub fn plaintext_override(&self) -> &Option<PlaintextOverride>
A configuration that override encryption and/or decryption to instead passthrough and write and/or read plaintext. Used to update plaintext tables to fully use client-side encryption.
Sourcepub fn search(&self) -> &Option<SearchConfig>
pub fn search(&self) -> &Option<SearchConfig>
The configuration for searchable encryption.
Sourcepub fn sort_key_name(&self) -> &Option<String>
pub fn sort_key_name(&self) -> &Option<String>
If this table contains a sort key, the name of the sort key on this table.
Source§impl DynamoDbTableEncryptionConfig
impl DynamoDbTableEncryptionConfig
Sourcepub fn builder() -> DynamoDbTableEncryptionConfigBuilder
pub fn builder() -> DynamoDbTableEncryptionConfigBuilder
Creates a new builder-style object to manufacture DynamoDbTableEncryptionConfig.
Examples found in repository?
examples/keyring/raw_aes_keyring.rs (line 100)
40pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
41 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
42 let aes_key_bytes = generate_aes_key_bytes();
43
44 // 1. Create the keyring.
45 // The DynamoDb encryption client uses this to encrypt and decrypt items.
46 let mpl_config = MaterialProvidersConfig::builder().build()?;
47 let mpl = mpl_client::Client::from_conf(mpl_config)?;
48 let raw_aes_keyring = mpl
49 .create_raw_aes_keyring()
50 .key_name("my-aes-key-name")
51 .key_namespace("my-key-namespace")
52 .wrapping_key(aes_key_bytes)
53 .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
54 .send()
55 .await?;
56
57 // 2. Configure which attributes are encrypted and/or signed when writing new items.
58 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
59 // we must explicitly configure how they should be treated during item encryption:
60 // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
61 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
62 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
63 let attribute_actions_on_encrypt = HashMap::from([
64 ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
65 ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
66 ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
67 ]);
68
69 // 3. Configure which attributes we expect to be included in the signature
70 // when reading items. There are two options for configuring this:
71 //
72 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
73 // When defining your DynamoDb schema and deciding on attribute names,
74 // choose a distinguishing prefix (such as ":") for all attributes that
75 // you do not want to include in the signature.
76 // This has two main benefits:
77 // - It is easier to reason about the security and authenticity of data within your item
78 // when all unauthenticated data is easily distinguishable by their attribute name.
79 // - If you need to add new unauthenticated attributes in the future,
80 // you can easily make the corresponding update to your `attributeActionsOnEncrypt`
81 // and immediately start writing to that new attribute, without
82 // any other configuration update needed.
83 // Once you configure this field, it is not safe to update it.
84 //
85 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
86 // a set of attributes that should be considered unauthenticated when encountered
87 // on read. Be careful if you use this configuration. Do not remove an attribute
88 // name from this configuration, even if you are no longer writing with that attribute,
89 // as old items may still include this attribute, and our configuration needs to know
90 // to continue to exclude this attribute from the signature scope.
91 // If you add new attribute names to this field, you must first deploy the update to this
92 // field to all readers in your host fleet before deploying the update to start writing
93 // with that new attribute.
94 //
95 // For this example, we currently authenticate all attributes. To make it easier to
96 // add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
97 const UNSIGNED_ATTR_PREFIX: &str = ":";
98
99 // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
100 let table_config = DynamoDbTableEncryptionConfig::builder()
101 .logical_table_name(ddb_table_name)
102 .partition_key_name("partition_key")
103 .sort_key_name("sort_key")
104 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
105 .keyring(raw_aes_keyring)
106 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
107 .build()?;
108
109 let table_configs = DynamoDbTablesEncryptionConfig::builder()
110 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
111 .build()?;
112
113 // 5. Create a new AWS SDK DynamoDb client using the Config above
114 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
115 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
116 .interceptor(DbEsdkInterceptor::new(table_configs)?)
117 .build();
118 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
119
120 // 6. Put an item into our table using the above client.
121 // Before the item gets sent to DynamoDb, it will be encrypted
122 // client-side, according to our configuration.
123 let item = HashMap::from([
124 (
125 "partition_key".to_string(),
126 AttributeValue::S("rawAesKeyringItem".to_string()),
127 ),
128 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
129 (
130 "sensitive_data".to_string(),
131 AttributeValue::S("encrypt and sign me!".to_string()),
132 ),
133 ]);
134
135 ddb.put_item()
136 .table_name(ddb_table_name)
137 .set_item(Some(item.clone()))
138 .send()
139 .await?;
140
141 // 7. Get the item back from our table using the same client.
142 // The client will decrypt the item client-side, and return
143 // back the original item.
144 let key_to_get = HashMap::from([
145 (
146 "partition_key".to_string(),
147 AttributeValue::S("rawAesKeyringItem".to_string()),
148 ),
149 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
150 ]);
151
152 let resp = ddb
153 .get_item()
154 .table_name(ddb_table_name)
155 .set_key(Some(key_to_get))
156 // In this example we configure a strongly consistent read
157 // because we perform a read immediately after a write (for demonstrative purposes).
158 // By default, reads are only eventually consistent.
159 // Read our docs to determine which read consistency to use for your application:
160 // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
161 .consistent_read(true)
162 .send()
163 .await?;
164
165 assert_eq!(resp.item, Some(item));
166
167 println!("raw_aes_keyring successful.");
168 Ok(())
169}More examples
examples/keyring/raw_rsa_keyring.rs (line 138)
57pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
58 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
59
60 // You may provide your own RSA key pair in the files located at
61 // - EXAMPLE_RSA_PRIVATE_KEY_FILENAME
62 // - EXAMPLE_RSA_PUBLIC_KEY_FILENAME
63 // If these files are not present, this will generate a pair for you
64 if should_generate_new_rsa_key_pair()? {
65 generate_rsa_key_pair()?;
66 }
67
68 // 1. Load key pair from UTF-8 encoded PEM files.
69 // You may provide your own PEM files to use here.
70 // If you do not, the main method in this class will generate PEM
71 // files for example use. Do not use these files for any other purpose.
72
73 let mut file = File::open(Path::new(EXAMPLE_RSA_PUBLIC_KEY_FILENAME))?;
74 let mut public_key_utf8_bytes = Vec::new();
75 file.read_to_end(&mut public_key_utf8_bytes)?;
76
77 let mut file = File::open(Path::new(EXAMPLE_RSA_PRIVATE_KEY_FILENAME))?;
78 let mut private_key_utf8_bytes = Vec::new();
79 file.read_to_end(&mut private_key_utf8_bytes)?;
80
81 // 2. Create the keyring.
82 // The DynamoDb encryption client uses this to encrypt and decrypt items.
83 let mpl_config = MaterialProvidersConfig::builder().build()?;
84 let mpl = mpl_client::Client::from_conf(mpl_config)?;
85 let raw_rsa_keyring = mpl
86 .create_raw_rsa_keyring()
87 .key_name("my-rsa-key-name")
88 .key_namespace("my-key-namespace")
89 .padding_scheme(PaddingScheme::OaepSha256Mgf1)
90 .public_key(public_key_utf8_bytes)
91 .private_key(private_key_utf8_bytes)
92 .send()
93 .await?;
94
95 // 3. Configure which attributes are encrypted and/or signed when writing new items.
96 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
97 // we must explicitly configure how they should be treated during item encryption:
98 // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
99 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
100 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
101 let attribute_actions_on_encrypt = HashMap::from([
102 ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
103 ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
104 ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
105 ]);
106
107 // 4. Configure which attributes we expect to be included in the signature
108 // when reading items. There are two options for configuring this:
109 //
110 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
111 // When defining your DynamoDb schema and deciding on attribute names,
112 // choose a distinguishing prefix (such as ":") for all attributes that
113 // you do not want to include in the signature.
114 // This has two main benefits:
115 // - It is easier to reason about the security and authenticity of data within your item
116 // when all unauthenticated data is easily distinguishable by their attribute name.
117 // - If you need to add new unauthenticated attributes in the future,
118 // you can easily make the corresponding update to your `attributeActionsOnEncrypt`
119 // and immediately start writing to that new attribute, without
120 // any other configuration update needed.
121 // Once you configure this field, it is not safe to update it.
122 //
123 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
124 // a set of attributes that should be considered unauthenticated when encountered
125 // on read. Be careful if you use this configuration. Do not remove an attribute
126 // name from this configuration, even if you are no longer writing with that attribute,
127 // as old items may still include this attribute, and our configuration needs to know
128 // to continue to exclude this attribute from the signature scope.
129 // If you add new attribute names to this field, you must first deploy the update to this
130 // field to all readers in your host fleet before deploying the update to start writing
131 // with that new attribute.
132 //
133 // For this example, we currently authenticate all attributes. To make it easier to
134 // add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
135 const UNSIGNED_ATTR_PREFIX: &str = ":";
136
137 // 5. Create the DynamoDb Encryption configuration for the table we will be writing to.
138 let table_config = DynamoDbTableEncryptionConfig::builder()
139 .logical_table_name(ddb_table_name)
140 .partition_key_name("partition_key")
141 .sort_key_name("sort_key")
142 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
143 .keyring(raw_rsa_keyring)
144 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
145 .build()?;
146
147 let table_configs = DynamoDbTablesEncryptionConfig::builder()
148 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
149 .build()?;
150
151 // 6. Create a new AWS SDK DynamoDb client using the config above
152 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
153 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
154 .interceptor(DbEsdkInterceptor::new(table_configs)?)
155 .build();
156 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
157
158 // 7. Put an item into our table using the above client.
159 // Before the item gets sent to DynamoDb, it will be encrypted
160 // client-side, according to our configuration.
161 let item = HashMap::from([
162 (
163 "partition_key".to_string(),
164 AttributeValue::S("rawRsaKeyringItem".to_string()),
165 ),
166 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
167 (
168 "sensitive_data".to_string(),
169 AttributeValue::S("encrypt and sign me!".to_string()),
170 ),
171 ]);
172
173 ddb.put_item()
174 .table_name(ddb_table_name)
175 .set_item(Some(item.clone()))
176 .send()
177 .await?;
178
179 // 8. Get the item back from our table using the same client.
180 // The client will decrypt the item client-side, and return
181 // back the original item.
182
183 let key_to_get = HashMap::from([
184 (
185 "partition_key".to_string(),
186 AttributeValue::S("rawRsaKeyringItem".to_string()),
187 ),
188 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
189 ]);
190
191 let resp = ddb
192 .get_item()
193 .table_name(ddb_table_name)
194 .set_key(Some(key_to_get))
195 // In this example we configure a strongly consistent read
196 // because we perform a read immediately after a write (for demonstrative purposes).
197 // By default, reads are only eventually consistent.
198 // Read our docs to determine which read consistency to use for your application:
199 // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
200 .consistent_read(true)
201 .send()
202 .await?;
203
204 assert_eq!(resp.item, Some(item));
205 println!("raw_rsa_keyring successful.");
206 Ok(())
207}examples/basic_get_put_example.rs (line 92)
31pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
32 let kms_key_id = test_utils::TEST_KMS_KEY_ID;
33 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
34
35 // 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
36 // For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
37 // We will use the `CreateMrkMultiKeyring` method to create this keyring,
38 // as it will correctly handle both single region and Multi-Region KMS Keys.
39 let provider_config = MaterialProvidersConfig::builder().build()?;
40 let mat_prov = client::Client::from_conf(provider_config)?;
41 let kms_keyring = mat_prov
42 .create_aws_kms_mrk_multi_keyring()
43 .generator(kms_key_id)
44 .send()
45 .await?;
46
47 // 2. Configure which attributes are encrypted and/or signed when writing new items.
48 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
49 // we must explicitly configure how they should be treated during item encryption:
50 // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
51 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
52 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
53 let attribute_actions_on_encrypt = HashMap::from([
54 ("partition_key".to_string(), CryptoAction::SignOnly),
55 ("sort_key".to_string(), CryptoAction::SignOnly),
56 ("attribute1".to_string(), CryptoAction::EncryptAndSign),
57 ("attribute2".to_string(), CryptoAction::SignOnly),
58 (":attribute3".to_string(), CryptoAction::DoNothing),
59 ]);
60
61 // 3. Configure which attributes we expect to be included in the signature
62 // when reading items. There are two options for configuring this:
63 //
64 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
65 // When defining your DynamoDb schema and deciding on attribute names,
66 // choose a distinguishing prefix (such as ":") for all attributes that
67 // you do not want to include in the signature.
68 // This has two main benefits:
69 // - It is easier to reason about the security and authenticity of data within your item
70 // when all unauthenticated data is easily distinguishable by their attribute name.
71 // - If you need to add new unauthenticated attributes in the future,
72 // you can easily make the corresponding update to your `attributeActionsOnEncrypt`
73 // and immediately start writing to that new attribute, without
74 // any other configuration update needed.
75 // Once you configure this field, it is not safe to update it.
76 //
77 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
78 // a set of attributes that should be considered unauthenticated when encountered
79 // on read. Be careful if you use this configuration. Do not remove an attribute
80 // name from this configuration, even if you are no longer writing with that attribute,
81 // as old items may still include this attribute, and our configuration needs to know
82 // to continue to exclude this attribute from the signature scope.
83 // If you add new attribute names to this field, you must first deploy the update to this
84 // field to all readers in your host fleet before deploying the update to start writing
85 // with that new attribute.
86 //
87 // For this example, we have designed our DynamoDb table such that any attribute name with
88 // the ":" prefix should be considered unauthenticated.
89 const UNSIGNED_ATTR_PREFIX: &str = ":";
90
91 // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
92 let table_config = DynamoDbTableEncryptionConfig::builder()
93 .logical_table_name(ddb_table_name)
94 .partition_key_name("partition_key")
95 .sort_key_name("sort_key")
96 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
97 .keyring(kms_keyring)
98 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
99 // Specifying an algorithm suite is not required,
100 // but is done here to demonstrate how to do so.
101 // We suggest using the
102 // `ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384` suite,
103 // which includes AES-GCM with key derivation, signing, and key commitment.
104 // This is also the default algorithm suite if one is not specified in this config.
105 // For more information on supported algorithm suites, see:
106 // https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/supported-algorithms.html
107 .algorithm_suite_id(
108 DbeAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeyEcdsaP384SymsigHmacSha384,
109 )
110 .build()?;
111
112 let table_configs = DynamoDbTablesEncryptionConfig::builder()
113 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
114 .build()?;
115
116 // 5. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
117 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
118 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
119 .interceptor(DbEsdkInterceptor::new(table_configs)?)
120 .build();
121 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
122
123 // 6. Put an item into our table using the above client.
124 // Before the item gets sent to DynamoDb, it will be encrypted
125 // client-side, according to our configuration.
126 let item = HashMap::from([
127 (
128 "partition_key".to_string(),
129 AttributeValue::S("BasicPutGetExample".to_string()),
130 ),
131 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
132 (
133 "attribute1".to_string(),
134 AttributeValue::S("encrypt and sign me!".to_string()),
135 ),
136 (
137 "attribute2".to_string(),
138 AttributeValue::S("sign me!".to_string()),
139 ),
140 (
141 ":attribute3".to_string(),
142 AttributeValue::S("ignore me!".to_string()),
143 ),
144 ]);
145
146 ddb.put_item()
147 .table_name(ddb_table_name)
148 .set_item(Some(item.clone()))
149 .send()
150 .await?;
151
152 // 7. Get the item back from our table using the same client.
153 // The client will decrypt the item client-side, and return
154 // back the original item.
155 let key_to_get = HashMap::from([
156 (
157 "partition_key".to_string(),
158 AttributeValue::S("BasicPutGetExample".to_string()),
159 ),
160 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
161 ]);
162
163 let resp = ddb
164 .get_item()
165 .table_name(ddb_table_name)
166 .set_key(Some(key_to_get))
167 // In this example we configure a strongly consistent read
168 // because we perform a read immediately after a write (for demonstrative purposes).
169 // By default, reads are only eventually consistent.
170 // Read our docs to determine which read consistency to use for your application:
171 // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
172 .consistent_read(true)
173 .send()
174 .await?;
175
176 assert_eq!(resp.item, Some(item));
177 println!("put_item_get_item successful.");
178 Ok(())
179}examples/keyring/kms_rsa_keyring.rs (line 135)
47pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
48 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
49 let rsa_key_arn = test_utils::TEST_KMS_RSA_KEY_ID;
50
51 // You may provide your own RSA public key at EXAMPLE_RSA_PUBLIC_KEY_FILENAME.
52 // This must be the public key for the RSA key represented at rsaKeyArn.
53 // If this file is not present, this will write a UTF-8 encoded PEM file for you.
54 if should_get_new_public_key(DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME) {
55 write_public_key_pem_for_rsa_key(
56 test_utils::TEST_KMS_RSA_KEY_ID,
57 DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME,
58 )
59 .await?;
60 }
61
62 // 1. Load UTF-8 encoded public key PEM file.
63 // You may have an RSA public key file already defined.
64 // If not, the main method in this class will call
65 // the KMS RSA key, retrieve its public key, and store it
66 // in a PEM file for example use.
67 let mut file = File::open(Path::new(DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME))?;
68 let mut public_key_utf8_bytes = Vec::new();
69 file.read_to_end(&mut public_key_utf8_bytes)?;
70
71 // 2. Create a KMS RSA keyring.
72 // This keyring takes in:
73 // - kmsClient
74 // - kmsKeyId: Must be an ARN representing a KMS RSA key
75 // - publicKey: A ByteBuffer of a UTF-8 encoded PEM file representing the public
76 // key for the key passed into kmsKeyId
77 // - encryptionAlgorithm: Must be either RSAES_OAEP_SHA_256 or RSAES_OAEP_SHA_1
78 let mpl_config = MaterialProvidersConfig::builder().build()?;
79 let mpl = mpl_client::Client::from_conf(mpl_config)?;
80 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
81 let kms_rsa_keyring = mpl
82 .create_aws_kms_rsa_keyring()
83 .kms_key_id(rsa_key_arn)
84 .public_key(public_key_utf8_bytes)
85 .encryption_algorithm(aws_sdk_kms::types::EncryptionAlgorithmSpec::RsaesOaepSha256)
86 .kms_client(aws_sdk_kms::Client::new(&sdk_config))
87 .send()
88 .await?;
89
90 // 3. Configure which attributes are encrypted and/or signed when writing new items.
91 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
92 // we must explicitly configure how they should be treated during item encryption:
93 // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
94 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
95 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
96 let attribute_actions_on_encrypt = HashMap::from([
97 ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
98 ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
99 ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
100 ]);
101
102 // 4. Configure which attributes we expect to be included in the signature
103 // when reading items. There are two options for configuring this:
104 //
105 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
106 // When defining your DynamoDb schema and deciding on attribute names,
107 // choose a distinguishing prefix (such as ":") for all attributes that
108 // you do not want to include in the signature.
109 // This has two main benefits:
110 // - It is easier to reason about the security and authenticity of data within your item
111 // when all unauthenticated data is easily distinguishable by their attribute name.
112 // - If you need to add new unauthenticated attributes in the future,
113 // you can easily make the corresponding update to your `attributeActions`
114 // and immediately start writing to that new attribute, without
115 // any other configuration update needed.
116 // Once you configure this field, it is not safe to update it.
117 //
118 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
119 // a set of attributes that should be considered unauthenticated when encountered
120 // on read. Be careful if you use this configuration. Do not remove an attribute
121 // name from this configuration, even if you are no longer writing with that attribute,
122 // as old items may still include this attribute, and our configuration needs to know
123 // to continue to exclude this attribute from the signature scope.
124 // If you add new attribute names to this field, you must first deploy the update to this
125 // field to all readers in your host fleet before deploying the update to start writing
126 // with that new attribute.
127 //
128 // For this example, we currently authenticate all attributes. To make it easier to
129 // add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
130 const UNSIGNED_ATTR_PREFIX: &str = ":";
131
132 // 5. Create the DynamoDb Encryption configuration for the table we will be writing to.
133 // Note: To use the KMS RSA keyring, your table config must specify an algorithmSuite
134 // that does not use asymmetric signing.
135 let table_config = DynamoDbTableEncryptionConfig::builder()
136 .logical_table_name(ddb_table_name)
137 .partition_key_name("partition_key")
138 .sort_key_name("sort_key")
139 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
140 .keyring(kms_rsa_keyring)
141 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
142 // Specify algorithmSuite without asymmetric signing here
143 // As of v3.0.0, the only supported algorithmSuite without asymmetric signing is
144 // ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_SYMSIG_HMAC_SHA384.
145 .algorithm_suite_id(DbeAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeySymsigHmacSha384)
146 .build()?;
147
148 let table_configs = DynamoDbTablesEncryptionConfig::builder()
149 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
150 .build()?;
151
152 // 6. Create a new AWS SDK DynamoDb client using the DynamoDb Encryption Interceptor above
153 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
154 .interceptor(DbEsdkInterceptor::new(table_configs)?)
155 .build();
156 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
157
158 // 7. Put an item into our table using the above client.
159 // Before the item gets sent to DynamoDb, it will be encrypted
160 // client-side, according to our configuration.
161 let item = HashMap::from([
162 (
163 "partition_key".to_string(),
164 AttributeValue::S("awsKmsRsaKeyringItem".to_string()),
165 ),
166 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
167 (
168 "sensitive_data".to_string(),
169 AttributeValue::S("encrypt and sign me!".to_string()),
170 ),
171 ]);
172
173 ddb.put_item()
174 .table_name(ddb_table_name)
175 .set_item(Some(item.clone()))
176 .send()
177 .await?;
178
179 // 8. Get the item back from our table using the client.
180 // The client will decrypt the item client-side using the RSA keyring
181 // and return the original item.
182 let key_to_get = HashMap::from([
183 (
184 "partition_key".to_string(),
185 AttributeValue::S("awsKmsRsaKeyringItem".to_string()),
186 ),
187 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
188 ]);
189
190 let resp = ddb
191 .get_item()
192 .table_name(ddb_table_name)
193 .set_key(Some(key_to_get))
194 .consistent_read(true)
195 .send()
196 .await?;
197
198 assert_eq!(resp.item, Some(item));
199 println!("kms_rsa_keyring successful.");
200 Ok(())
201}examples/keyring/hierarchical_keyring.rs (line 168)
63pub async fn put_item_get_item(
64 tenant1_branch_key_id: &str,
65 tenant2_branch_key_id: &str,
66) -> Result<(), crate::BoxError> {
67 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
68
69 let keystore_table_name = test_utils::TEST_KEYSTORE_NAME;
70 let logical_keystore_name = test_utils::TEST_LOGICAL_KEYSTORE_NAME;
71 let kms_key_id = test_utils::TEST_KEYSTORE_KMS_KEY_ID;
72
73 // Initial KeyStore Setup: This example requires that you have already
74 // created your KeyStore, and have populated it with two new branch keys.
75 // See the "Create KeyStore Table Example" and "Create KeyStore Key Example"
76 // for an example of how to do this.
77
78 // 1. Configure your KeyStore resource.
79 // This SHOULD be the same configuration that you used
80 // to initially create and populate your KeyStore.
81 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
82 let key_store_config = KeyStoreConfig::builder()
83 .kms_client(aws_sdk_kms::Client::new(&sdk_config))
84 .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
85 .ddb_table_name(keystore_table_name)
86 .logical_key_store_name(logical_keystore_name)
87 .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_id.to_string()))
88 .build()?;
89
90 let key_store = keystore_client::Client::from_conf(key_store_config)?;
91
92 // 2. Create a Branch Key ID Supplier. See ExampleBranchKeyIdSupplier in this directory.
93 let dbesdk_config = DynamoDbEncryptionConfig::builder().build()?;
94 let dbesdk = dbesdk_client::Client::from_conf(dbesdk_config)?;
95 let supplier = ExampleBranchKeyIdSupplier::new(tenant1_branch_key_id, tenant2_branch_key_id);
96
97 let branch_key_id_supplier = dbesdk
98 .create_dynamo_db_encryption_branch_key_id_supplier()
99 .ddb_key_branch_key_id_supplier(supplier)
100 .send()
101 .await?
102 .branch_key_id_supplier
103 .unwrap();
104
105 // 3. Create the Hierarchical Keyring, using the Branch Key ID Supplier above.
106 // With this configuration, the AWS SDK Client ultimately configured will be capable
107 // of encrypting or decrypting items for either tenant (assuming correct KMS access).
108 // If you want to restrict the client to only encrypt or decrypt for a single tenant,
109 // configure this Hierarchical Keyring using `.branchKeyId(tenant1BranchKeyId)` instead
110 // of `.branchKeyIdSupplier(branchKeyIdSupplier)`.
111 let mpl_config = MaterialProvidersConfig::builder().build()?;
112 let mpl = mpl_client::Client::from_conf(mpl_config)?;
113
114 let hierarchical_keyring = mpl
115 .create_aws_kms_hierarchical_keyring()
116 .branch_key_id_supplier(branch_key_id_supplier)
117 .key_store(key_store)
118 .ttl_seconds(600)
119 .send()
120 .await?;
121
122 // 4. Configure which attributes are encrypted and/or signed when writing new items.
123 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
124 // we must explicitly configure how they should be treated during item encryption:
125 // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
126 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
127 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
128 let attribute_actions_on_encrypt = HashMap::from([
129 ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
130 ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
131 (
132 "tenant_sensitive_data".to_string(),
133 CryptoAction::EncryptAndSign,
134 ),
135 ]);
136
137 // 5. Configure which attributes we expect to be included in the signature
138 // when reading items. There are two options for configuring this:
139 //
140 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
141 // When defining your DynamoDb schema and deciding on attribute names,
142 // choose a distinguishing prefix (such as ":") for all attributes that
143 // you do not want to include in the signature.
144 // This has two main benefits:
145 // - It is easier to reason about the security and authenticity of data within your item
146 // when all unauthenticated data is easily distinguishable by their attribute name.
147 // - If you need to add new unauthenticated attributes in the future,
148 // you can easily make the corresponding update to your `attributeActionsOnEncrypt`
149 // and immediately start writing to that new attribute, without
150 // any other configuration update needed.
151 // Once you configure this field, it is not safe to update it.
152 //
153 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
154 // a set of attributes that should be considered unauthenticated when encountered
155 // on read. Be careful if you use this configuration. Do not remove an attribute
156 // name from this configuration, even if you are no longer writing with that attribute,
157 // as old items may still include this attribute, and our configuration needs to know
158 // to continue to exclude this attribute from the signature scope.
159 // If you add new attribute names to this field, you must first deploy the update to this
160 // field to all readers in your host fleet before deploying the update to start writing
161 // with that new attribute.
162 //
163 // For this example, we currently authenticate all attributes. To make it easier to
164 // add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
165 const UNSIGNED_ATTR_PREFIX: &str = ":";
166
167 // 6. Create the DynamoDb Encryption configuration for the table we will be writing to.
168 let table_config = DynamoDbTableEncryptionConfig::builder()
169 .logical_table_name(ddb_table_name)
170 .partition_key_name("partition_key")
171 .sort_key_name("sort_key")
172 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
173 .keyring(hierarchical_keyring)
174 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
175 .build()?;
176
177 let table_configs = DynamoDbTablesEncryptionConfig::builder()
178 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
179 .build()?;
180
181 // 7. Create a new AWS SDK DynamoDb client using the DynamoDb Encryption Interceptor above
182 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
183 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
184 .interceptor(DbEsdkInterceptor::new(table_configs)?)
185 .build();
186 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
187
188 // 8. Put an item into our table using the above client.
189 // Before the item gets sent to DynamoDb, it will be encrypted
190 // client-side, according to our configuration.
191 // Because the item we are writing uses "tenantId1" as our partition value,
192 // based on the code we wrote in the ExampleBranchKeySupplier,
193 // `tenant1BranchKeyId` will be used to encrypt this item.
194 let item = HashMap::from([
195 (
196 "partition_key".to_string(),
197 AttributeValue::S("tenant1Id".to_string()),
198 ),
199 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
200 (
201 "tenant_sensitive_data".to_string(),
202 AttributeValue::S("encrypt and sign me!".to_string()),
203 ),
204 ]);
205
206 ddb.put_item()
207 .table_name(ddb_table_name)
208 .set_item(Some(item.clone()))
209 .send()
210 .await?;
211
212 // 9. Get the item back from our table using the same client.
213 // The client will decrypt the item client-side, and return
214 // back the original item.
215 // Because the returned item's partition value is "tenantId1",
216 // based on the code we wrote in the ExampleBranchKeySupplier,
217 // `tenant1BranchKeyId` will be used to decrypt this item.
218 let key_to_get = HashMap::from([
219 (
220 "partition_key".to_string(),
221 AttributeValue::S("tenant1Id".to_string()),
222 ),
223 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
224 ]);
225
226 let resp = ddb
227 .get_item()
228 .table_name(ddb_table_name)
229 .set_key(Some(key_to_get))
230 .consistent_read(true)
231 .send()
232 .await?;
233
234 assert_eq!(resp.item, Some(item));
235 println!("hierarchical_keyring successful.");
236 Ok(())
237}examples/keyring/mrk_discovery_multi_keyring.rs (line 102)
37pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
38 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
39 let key_arn = test_utils::TEST_MRK_KEY_ID;
40 let account_ids = vec![test_utils::TEST_AWS_ACCOUNT_ID.to_string()];
41 let regions = vec![test_utils::TEST_AWS_REGION.to_string()];
42
43 // 1. Create a single MRK multi-keyring using the key arn.
44 // Although this example demonstrates use of the MRK discovery multi-keyring,
45 // a discovery keyring cannot be used to encrypt. So we will need to construct
46 // a non-discovery keyring for this example to encrypt. For more information on MRK
47 // multi-keyrings, see the MultiMrkKeyringExample in this directory.
48 // Though this is an "MRK multi-keyring", we do not need to provide multiple keys,
49 // and can use single-region KMS keys. We will provide a single key here; this
50 // can be either an MRK or a single-region key.
51 let mpl_config = MaterialProvidersConfig::builder().build()?;
52 let mpl = mpl_client::Client::from_conf(mpl_config)?;
53 let encrypt_keyring = mpl
54 .create_aws_kms_mrk_multi_keyring()
55 .generator(key_arn)
56 .send()
57 .await?;
58
59 // 2. Configure which attributes are encrypted and/or signed when writing new items.
60 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
61 // we must explicitly configure how they should be treated during item encryption:
62 // - ENCRYPT_AND_SIGN: The attribute is encrypted and icncluded in the signature
63 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
64 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
65 let attribute_actions_on_encrypt = HashMap::from([
66 ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
67 ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
68 ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
69 ]);
70
71 // 3. Configure which attributes we expect to be included in the signature
72 // when reading items. There are two options for configuring this:
73 //
74 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
75 // When defining your DynamoDb schema and deciding on attribute names,
76 // choose a distinguishing prefix (such as ":") for all attributes that
77 // you do not want to include in the signature.
78 // This has two main benefits:
79 // - It is easier to reason about the security and authenticity of data within your item
80 // when all unauthenticated data is easily distinguishable by their attribute name.
81 // - If you need to add new unauthenticated attributes in the future,
82 // you can easily make the corresponding update to your `attributeActionsOnEncrypt`
83 // and immediately start writing to that new attribute, without
84 // any other configuration update needed.
85 // Once you configure this field, it is not safe to update it.
86 //
87 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
88 // a set of attributes that should be considered unauthenticated when encountered
89 // on read. Be careful if you use this configuration. Do not remove an attribute
90 // name from this configuration, even if you are no longer writing with that attribute,
91 // as old items may still include this attribute, and our configuration needs to know
92 // to continue to exclude this attribute from the signature scope.
93 // If you add new attribute names to this field, you must first deploy the update to this
94 // field to all readers in your host fleet before deploying the update to start writing
95 // with that new attribute.
96 //
97 // For this example, we currently authenticate all attributes. To make it easier to
98 // add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
99 const UNSIGNED_ATTR_PREFIX: &str = ":";
100
101 // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
102 let table_config = DynamoDbTableEncryptionConfig::builder()
103 .logical_table_name(ddb_table_name)
104 .partition_key_name("partition_key")
105 .sort_key_name("sort_key")
106 .attribute_actions_on_encrypt(attribute_actions_on_encrypt.clone())
107 .keyring(encrypt_keyring)
108 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
109 .build()?;
110
111 let table_configs = DynamoDbTablesEncryptionConfig::builder()
112 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
113 .build()?;
114
115 // 5. Create a new AWS SDK DynamoDb client using the config above
116 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
117 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
118 .interceptor(DbEsdkInterceptor::new(table_configs)?)
119 .build();
120 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
121
122 // 6. Put an item into our table using the above client.
123 // Before the item gets sent to DynamoDb, it will be encrypted
124 // client-side using the MRK multi-keyring.
125 let item = HashMap::from([
126 (
127 "partition_key".to_string(),
128 AttributeValue::S("awsKmsMrkDiscoveryMultiKeyringItem".to_string()),
129 ),
130 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
131 (
132 "sensitive_data".to_string(),
133 AttributeValue::S("encrypt and sign me!".to_string()),
134 ),
135 ]);
136
137 ddb.put_item()
138 .table_name(ddb_table_name)
139 .set_item(Some(item.clone()))
140 .send()
141 .await?;
142
143 // 7. Construct a discovery filter.
144 // A discovery filter limits the set of encrypted data keys
145 // the keyring can use to decrypt data.
146 // We will only let the keyring use keys in the selected AWS accounts
147 // and in the `aws` partition.
148 // This is the suggested config for most users; for more detailed config, see
149 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html#kms-keyring-discovery
150 let discovery_filter = DiscoveryFilter::builder()
151 .partition("aws")
152 .account_ids(account_ids)
153 .build()?;
154
155 // 8. Construct a discovery keyring.
156 // Note that we choose to use the MRK discovery multi-keyring, even though
157 // our original keyring used a single KMS key.
158
159 let decrypt_keyring = mpl
160 .create_aws_kms_mrk_discovery_multi_keyring()
161 .discovery_filter(discovery_filter)
162 .regions(regions)
163 .send()
164 .await?;
165
166 // 9. Create new DDB config and client using the decrypt discovery keyring.
167 // This is the same as the above config, except we pass in the decrypt keyring.
168 let table_config_for_decrypt = DynamoDbTableEncryptionConfig::builder()
169 .logical_table_name(ddb_table_name)
170 .partition_key_name("partition_key")
171 .sort_key_name("sort_key")
172 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
173 .keyring(decrypt_keyring)
174 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
175 .build()?;
176
177 let table_configs_for_decrypt = DynamoDbTablesEncryptionConfig::builder()
178 .table_encryption_configs(HashMap::from([(
179 ddb_table_name.to_string(),
180 table_config_for_decrypt,
181 )]))
182 .build()?;
183
184 let dynamo_config_for_decrypt = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
185 .interceptor(DbEsdkInterceptor::new(table_configs_for_decrypt)?)
186 .build();
187 let ddb_for_decrypt = aws_sdk_dynamodb::Client::from_conf(dynamo_config_for_decrypt);
188
189 // 10. Get the item back from our table using the client.
190 // The client will retrieve encrypted items from the DDB table, then
191 // detect the KMS key that was used to encrypt their data keys.
192 // The client will make a request to KMS to decrypt with the encrypting KMS key.
193 // If the client has permission to decrypt with the KMS key,
194 // the client will decrypt the item client-side using the keyring
195 // and return the original item.
196 let key_to_get = HashMap::from([
197 (
198 "partition_key".to_string(),
199 AttributeValue::S("awsKmsMrkDiscoveryMultiKeyringItem".to_string()),
200 ),
201 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
202 ]);
203
204 let resp = ddb_for_decrypt
205 .get_item()
206 .table_name(ddb_table_name)
207 .set_key(Some(key_to_get))
208 .consistent_read(true)
209 .send()
210 .await?;
211
212 assert_eq!(resp.item, Some(item));
213
214 println!("mrk_discovery_multi_keyring successful.");
215 Ok(())
216}Additional examples can be found in:
- examples/keyring/multi_keyring.rs
- examples/multi_get_put_example.rs
- examples/clientsupplier/client_supplier_example.rs
- examples/keyring/multi_mrk_keyring.rs
- examples/searchableencryption/compound_beacon_searchable_encryption.rs
- examples/searchableencryption/beacon_styles_searchable_encryption.rs
- examples/searchableencryption/virtual_beacon_searchable_encryption.rs
- examples/searchableencryption/basic_searchable_encryption.rs
- examples/searchableencryption/complexexample/beacon_config.rs
Trait Implementations§
Source§impl Clone for DynamoDbTableEncryptionConfig
impl Clone for DynamoDbTableEncryptionConfig
Source§fn clone(&self) -> DynamoDbTableEncryptionConfig
fn clone(&self) -> DynamoDbTableEncryptionConfig
Returns a duplicate of the value. Read more
1.0.0 · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
Performs copy-assignment from
source. Read moreSource§impl PartialEq for DynamoDbTableEncryptionConfig
impl PartialEq for DynamoDbTableEncryptionConfig
Source§fn eq(&self, other: &DynamoDbTableEncryptionConfig) -> bool
fn eq(&self, other: &DynamoDbTableEncryptionConfig) -> bool
Tests for
self and other values to be equal, and is used by ==.impl StructuralPartialEq for DynamoDbTableEncryptionConfig
Auto Trait Implementations§
impl Freeze for DynamoDbTableEncryptionConfig
impl !RefUnwindSafe for DynamoDbTableEncryptionConfig
impl Send for DynamoDbTableEncryptionConfig
impl Sync for DynamoDbTableEncryptionConfig
impl Unpin for DynamoDbTableEncryptionConfig
impl !UnwindSafe for DynamoDbTableEncryptionConfig
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more
Source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts
self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts
self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreCreates a shared type from an unshared type.