DynamoDB: can we use encryption and cross-region replication together?

We are evaluating DynamoDB for our new application. Our requirements are:

  • Data encryption at rest
  • Cross-region replication for disaster recovery. Our app in a region must rely on services in that region only

Our requirements can be met separately with using Java libraries provided by AWS. The solutions are:

  • Client-side Encryption for Amazon DynamoDB
  • DynamoDB Cross-region Replication

However, we are not certain if these solutions can work together. We are concerned we won't be able to decrypt cross-region replicated records. The client side encryption solution recommends establishing a key hierarchy with a KMS-managed key at the root. KMS is region-specific, so we won't be able to decrypt records if we replicate them to another region. The encryption key is not accessible in another region.

The questions are:

  • Is it true that the decryption of cross-region replicated records is impossible if the encryption key is in KMS?
  • Is there a recommended approach to replicating encrypted DynamoDB records? Has anyone done this before?
  • Are there any alternatives we should be looking at?
ez121sl asked Nov 09 '16 17:11


1 Answer

You are right. As is, the setup won't work because KMS keys can't be shared across regions.

Let's say you are replicating data from region R1 to R2, which have KMS keys K1 and K2 respectively. I can suggest the following alternatives:

  1. Modify the library a bit, so that it decrypts data from R1 using K1 and re-encrypts using K2, during replication. You'd be interested in the DynamoDBStreamsRecordTransformer class.
  2. Import your own key material in both R1 and R2. Check relevant documentation here.
    • Caveat: Might be operationally painful, depending on your use case.

Update: Adding your thoughts too, so that it can help anyone stumbling onto this question in future:

  1. Create your own plaintext-data-key (possibly using KMS's GenerateRandom API), encrypt it using both K1 and K2 (using the Encrypt API), and store both the resulting ciphertexts along with your data in both the regions.
    • Caveat: Cross-region calls for every update. In option #1, the updates are asynchronous.
ketan vijayvargiya answered Sep 29 '22 08:09
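The item layout behind option 3 of the answer (one data key per item, wrapped separately under K1 and K2, each reader unwrapping only with its own region's key), as an added example that is not code from the question, the answer, or the AWS libraries. It is written in Python rather than Java to stay self-contained: `FakeRegionalKms` and the HMAC keystream cipher are stand-ins for `kms.encrypt`/`kms.decrypt` and for AES-GCM, and `encrypt_item`/`decrypt_item` are hypothetical names.

```python
"""Envelope-encrypt an item so replicas in two regions can decrypt it locally.

Stand-ins (constructed for this example, not AWS APIs): each FakeRegionalKms
holds a region-scoped master secret, and wrap/unwrap plus item encryption use
an HMAC-SHA256 keystream XOR instead of KMS Encrypt/Decrypt and AES-GCM.
The point is the layout: one data key, wrapped once per region, stored with
the ciphertext, so the replica region never calls the source region's KMS.
"""
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: XOR data with HMAC(key, nonce || counter) blocks.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class FakeRegionalKms:
    """Stand-in for a region-scoped KMS key: it can only wrap/unwrap with itself."""

    def __init__(self, region: str, master_key: bytes):
        self.region, self._master = region, master_key

    def encrypt(self, plaintext: bytes) -> bytes:      # stands in for kms.encrypt
        iv = os.urandom(12)
        return iv + _keystream_xor(self._master, iv, plaintext)

    def decrypt(self, blob: bytes) -> bytes:           # stands in for kms.decrypt
        return _keystream_xor(self._master, blob[:12], blob[12:])


def encrypt_item(plaintext: bytes, kms_by_region: dict) -> dict:
    """Generate one data key, wrap it under every region's key, store all wraps."""
    data_key = os.urandom(32)   # in AWS: kms.generate_random(NumberOfBytes=32)
    nonce = os.urandom(12)
    return {
        "nonce": nonce,
        "ciphertext": _keystream_xor(data_key, nonce, plaintext),
        # One attribute per region: the data key wrapped by that region's key.
        "wrapped_keys": {r: k.encrypt(data_key) for r, k in kms_by_region.items()},
    }


def decrypt_item(item: dict, local_kms: FakeRegionalKms) -> bytes:
    """Unwrap with the local region's key only; an unknown region fails closed."""
    wrapped = item["wrapped_keys"].get(local_kms.region)
    if wrapped is None:
        raise KeyError(f"no data key wrapped for region {local_kms.region}")
    data_key = local_kms.decrypt(wrapped)
    return _keystream_xor(data_key, item["nonce"], item["ciphertext"])
```

The cross-region cost the answer notes shows up in `encrypt_item`: every write wraps the data key once per region, whereas reads stay region-local.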