Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

DynamoDB: can we use encryption and cross-region replication together?

Tags:

amazon-web-services

encryption

replication

amazon-dynamodb

aws-kms

DynamoDB: can we use encryption and cross-region replication together?

We are evaluating DynamoDB for our new application. Our requirements are:

  • Data encryption at rest
  • Cross-region replication for disaster recovery. Our app in a region must rely on services in that region only

Our requirements can be met separately with using Java libraries provided by AWS. The solutions are:

  • Client-side Encryption for Amazon DynamoDB
  • DynamoDB Cross-region Replication

However, we are not certain if these solutions can work together. We are concern we won't be able to decrypt cross-region replicated records. The client side encryption solution recommends establishing a key hierarchy with a KMS-managed key at the root. KMS is region-specific, so we won't be able to decrypt records if we replicate them to another region. The encryption key is not accessible in another region.

The questions are:

  • Is it true that the decryption or cross-region replicated records is impossible if the encryption key is in KMS?
  • Is there a recommended approach to replicating encrypted DynamoDB records? Has anyone done this before?
  • Are there any alternatives we should be looking at?
like image 686
ez121sl Avatar asked Nov 09 '16 17:11

ez121sl

1 Answers

You are right. As is, the setup won't work because KMS keys can't be shared across regions.

Let's say you are replicating data from region R1 to R2, which have KMS keys K1 and K2 respectively. I can suggest the following alternatives:

  1. Modify the library a bit, so that it decrypts data from R1 using K1 and re-encrypts using K2, during replication. You'd be interested in the DynamoDBStreamsRecordTransformer class.
  2. Import your own key material in both R1 and R2. Check relevant documentation here.
    • Caveat: Might be operationally painful, depending on your use case.

Update: Adding your thoughts too, so that it can help anyone stumbling onto this question in future:

  1. Create your own plaintext-data-key (possibly using KMS's GenerateRandom API), encrypt it using both K1 and K2 (using the Encrypt API), and store both the resulting cypher-texts along with your data in both the regions.
    • Caveat: Cross-region calls for every update. In option #1, the updates are asynchronous.
like image 121
ketan vijayvargiya Avatar answered Sep 29 '22 08:09

ketan vijayvargiya
Sign in to Comment

Related questions

aws cli s3 sync, exclude not working
Getting emr-ddb-hadoop.jar to connect DynamoDB with EMR Spark
AWS User Pool Setup (Swift)
User Pool and Federated Identity
Using API Gateway to publish SNS topics / multiple lambda function with API Gateway
Connect to AWS MySQL database via Node JS
What's the purpose of the Metadata section in a CloudFormation Template?
Redshift DEFAULT GETDATE() working on INSERT but not COPY
AWS Elastic Beanstalk .ebextensions order of precedence
Can AWS CloudFormation call the AWS API?
Unable to compile AWS CustomIdentityProvider on xcode 8 beta 6
How to use a second Elastic Network Interface on the same subnet
How to create application load balancer on aws for kubernetes
Can we verify (or have ) same domain in Amazon SES from different AWS account?
How to get client ip from node.js express application deployed on AWS Elastic beanstalk?
Is there a way to create AWS Dashboard using cloudformation or AWS CLI
AWS Lambda function was trigger twice by CloudWatch event
Aws passing credentials to ansible s3 module
Failed to run a Shiny app on AWS Ubuntu instance. xdg-open: no method available for opening 'http://127.0.0.1:3572'
Use Prometheus operator with DB volume for k8s

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!