
DynamoDB: can we use encryption and cross-region replication together?

We are evaluating DynamoDB for our new application. Our requirements are:

  • Data encryption at rest
  • Cross-region replication for disaster recovery. Our app in a region must rely on services in that region only.

Our requirements can be met separately using Java libraries provided by AWS. The solutions are:

However, we are not certain if these solutions can work together. We are concerned we won't be able to decrypt cross-region replicated records. The client-side encryption solution recommends establishing a key hierarchy with a KMS-managed key at the root. KMS is region-specific, so we won't be able to decrypt records if we replicate them to another region. The encryption key is not accessible in another region.

The questions are:

  • Is it true that the decryption of cross-region replicated records is impossible if the encryption key is in KMS?
  • Is there a recommended approach to replicating encrypted DynamoDB records? Has anyone done this before?
  • Are there any alternatives we should be looking at?

You are right. As is, the setup won't work because KMS keys can't be shared across regions.

Let's say you are replicating data from region R1 to R2, which have KMS keys K1 and K2 respectively. I can suggest the following alternatives:

  1. Modify the library a bit, so that it decrypts data from R1 using K1 and re-encrypts using K2 during replication. You'd be interested in the DynamoDBStreamsRecordTransformer class.
  2. Import your own key material in both R1 and R2. Check the relevant documentation here.
    • Caveat: Might be operationally painful, depending on your use case.

Update: Adding your thoughts too, so that they can help anyone stumbling onto this question in the future:

  1. Create your own plaintext data key (possibly using KMS's GenerateRandom API), encrypt it using both K1 and K2 (using the Encrypt API), and store both of the resulting ciphertexts along with your data in both regions.
    • Caveat: Cross-region calls for every update. In option #1, the updates are asynchronous.
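The envelope scheme from the update, as an added example that is not part of the answer or of the AWS libraries: the record is encrypted once under a fresh data key, that data key is stored wrapped under both K1 and K2 alongside the record, and a reader in R2 recovers it with K2 alone. The `Item`, `PutItem` and `GetItem` names are this example's own; AES-256-GCM stands in for KMS Encrypt/Decrypt and constructed byte strings stand in for the regional CMKs, so it runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Item as stored in R1 and replicated verbatim to R2: ciphertext plus the data key wrapped once per regional CMK.
type Item struct {
	Ciphertext  []byte
	WrappedKeys map[string][]byte // region -> data key wrapped under that region's CMK
}
// AES-256-GCM stands in for KMS Encrypt/Decrypt and the record cipher (assumed here); layout nonce || ct || tag.
func seal(key, pt []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(b) // cannot fail for AES's 16-byte block size
	nonce := make([]byte, gcm.NonceSize()); rand.Read(nonce)
	return gcm.Seal(nonce, nonce, pt, nil), nil
}
func open(key, ct []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(b)
	n := gcm.NonceSize()
	if len(ct) < n { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, ct[:n], ct[n:], nil) // wrong key -> tag mismatch error
}
// PutItem: one fresh data key (GenerateRandom stand-in), wrapped under every regional CMK.
func PutItem(record []byte, cmks map[string][]byte) (*Item, error) {
	dataKey := make([]byte, 32); rand.Read(dataKey)
	wrapped := map[string][]byte{}
	for region, cmk := range cmks {
		w, err := seal(cmk, dataKey)
		if err != nil { return nil, err }
		wrapped[region] = w
	}
	ct, err := seal(dataKey, record)
	return &Item{Ciphertext: ct, WrappedKeys: wrapped}, err
}
// GetItem runs in one region with only that region's CMK; no wrapped key for the region means unreadable data.
func GetItem(item *Item, region string, localCMK []byte) ([]byte, error) {
	w, ok := item.WrappedKeys[region]
	if !ok { return nil, errors.New("no data key wrapped for " + region) }
	dataKey, err := open(localCMK, w)
	if err != nil { return nil, err }
	return open(dataKey, item.Ciphertext)
}
```

The failure paths are the point of the caveat: a replica read with the wrong CMK, or one whose item lacks an envelope for the local region, returns an error instead of plaintext.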
