DynamoDB: can we use encryption and cross-region replication together?
We are evaluating DynamoDB for our new application. Our requirements are:
Our requirements can be met separately by using Java libraries provided by AWS. The solutions are:
However, we are not certain if these solutions can work together. We are concerned we won't be able to decrypt cross-region replicated records. The client side encryption solution recommends establishing a key hierarchy with a KMS-managed key at the root. KMS is region-specific, so we won't be able to decrypt records if we replicate them to another region. The encryption key is not accessible in another region.
The questions are:
You are right. As is, the setup won't work because KMS keys can't be shared across regions.
Let's say you are replicating data from region R1 to R2, which have KMS keys K1 and K2 respectively. I can suggest the following alternatives:
Update: Adding your thoughts too, so that it can help anyone stumbling onto this question in future:
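Added example, not part of the original question or answer and not code from the AWS libraries: the failure described above, reproduced locally. Two in-memory AES keys stand in for the region-bound KMS keys K1 and K2 (an assumption; no AWS calls are made), and the class name `RegionKeyDemo` and the helpers `seal`/`open` are hypothetical.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class RegionKeyDemo {
    // AES-GCM encrypt; output layout is 12-byte IV || ciphertext || 16-byte tag.
    static byte[] seal(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    // Reverse of seal(); throws AEADBadTagException when the key is wrong.
    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey k1 = kg.generateKey(); // stand-in for KMS key K1, usable only in R1
        SecretKey k2 = kg.generateKey(); // stand-in for KMS key K2, usable only in R2
        // Writer in R1: a fresh data key encrypts the record, K1 wraps the data key.
        SecretKey dataKey = kg.generateKey();
        byte[] record = seal(dataKey, "constructed sample record".getBytes(StandardCharsets.UTF_8));
        byte[] wrappedKey = seal(k1, dataKey.getEncoded());
        // Replication copies only what is stored in the item: record + wrappedKey.
        for (SecretKey root : new SecretKey[] {k1, k2}) {
            String region = (root == k1) ? "R1" : "R2";
            try {
                SecretKey dk = new SecretKeySpec(open(root, wrappedKey), "AES");
                System.out.println(region + ": " + new String(open(dk, record), StandardCharsets.UTF_8));
            } catch (AEADBadTagException e) {
                System.out.println(region + ": cannot unwrap data key, record unreadable");
            }
        }
    }
}
```

The record ciphertext arrives intact in R2; what fails there is unwrapping the data key, because the only key that can do it never leaves R1.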