AWS AppSync encrypting DynamoDB Data

Question

I'm working with AppSync on a project, and will be capturing relatively sensitive user data which will require encryption at rest in a database.

Currently, I am building with DynamoDB resolvers after a mutation or query, but happy to explore other solutions (such as encrypting with KMS through a Lambda function and then sending to DynamoDB; or using DynamoDB Streams to refactor the data once a new entry is created in a table?)

The KMS would be managed through IAM, with user's assigned through a Cognito user pool (I'm quite new to this, but believe that's the best approach).

Answer 1

this all depends on who you are protecting the data from. if the decrypt is going to actually happen in AWS, then AWS has the decrypt key at least temporarily (because you let them manage the keys, and give them to ciphers that reside in AWS). you can assume that AWS are trusted to forget the key and the decrypted plaintext ASAP, and not backdoor your decrypts. if you are only worried about third-parties (ie: not-AWS) getting in, then this is ok. Just keep in mind that your defenses against the cloud provider if you do not do end-to-end are limited.

If you are actually worried about AWS decrypting your stuff, there are a few major issues, because that demands end-to-end encryption to handle: decrypts would have to happen outside of AWS (ie: decrypt on a phone or a program that runs on a user's laptop), which implies that keys themselves are only decrypted outside of AWS, and if you search data you are not telling AWS what you are searching for (ie: angry-protesters-on-my-last-visit.mp4). The latter is possible do to, but there are very few general purpose products that even attempt to do correct end-to-end encryption.

Answer 2

DynamoDB现在支持静态加密，您可以在表上启用它。