如何使用 DynamoDB 加密客户端为 Java 加密 DynamoDB 列

Question

I'm trying to encrypt data being saved into a dynamo table. This is production PII data that shouldn't be visible even to someone with permissions to view the table data. Things like social security numbers. I'm trying to follow the example here .

This is my code:

AmazonDynamoDBClient client = new AmazonDynamoDBClient();
AWSKMS kmsClient = AWSKMSClientBuilder.defaultClient();
DirectKmsMaterialProvider cmp = new DirectKmsMaterialProvider(kmsClient, "my-key-arn");
DynamoDBEncryptor encryptor = DynamoDBEncryptor.getInstance(cmp);
DynamoDBMapper mapper = new DynamoDBMapper(client, DynamoDBMapperConfig.builder().withSaveBehavior(
    SaveBehavior.PUT).build(),
    new AttributeEncryptor(encryptor));


Customer customer = new Customer();
customer.setCustomerId("some-id");

//set some other values
...

mapper.save(customer);

The customer is saved to the DB but nothing is encrypted and everything is visible. What am I doing wrong?

Answer 1

You haven't encrypted anything. Follow step 5:

final EnumSet<EncryptionFlags> signOnly = EnumSet.of(EncryptionFlags.SIGN);
final EnumSet<EncryptionFlags> encryptAndSign = EnumSet.of(EncryptionFlags.ENCRYPT, EncryptionFlags.SIGN);
final Map<String, Set<EncryptionFlags>> actions = new HashMap<>();

for (final String attributeName : record.keySet()) {
  switch (attributeName) {
    case partitionKeyName: // fall through to the next case
    case sortKeyName:
      // Partition and sort keys must not be encrypted, but should be signed
      actions.put(attributeName, signOnly);
      break;
    case "test":
      // Neither encrypted nor signed
      break;
    default:
      // Encrypt and sign all other attributes
      actions.put(attributeName, encryptAndSign);
      break;
  }
}