I will be using AES-256 symmetric encryption via OpenSSL. Please have a look at my workflow and let me know if it looks secure.
Encryption workflow
1: APP will encrypt data securely using OpenSSL with PHP (a unique key will be generated for each user).
2: APP will encrypt all sensitive user data using the key from step 1.
3: APP will encrypt the user's generated key with a second key (client-side master key) before sending it to AWS. This key will be stored in a config file on my server (this key's only function will be preventing AWS from ever seeing the user's key).
4: Send the key generated by the client-side master key to AWS API Gateway for encryption.
5: Trigger an AWS Lambda function on a successful API Gateway request.
6: The Lambda function will encrypt the client-side master key using the AWS KMS master key and then store the master key along with the encrypted sensitive user data in DynamoDB.
Decryption workflow
1: Make a call to AWS API Gateway to trigger the Lambda function.
2: The Lambda function will retrieve the user's sensitive encrypted data plus the key; the Lambda function will then decrypt the key generated by the AWS master key.
3: The Lambda function will then return a response to API Gateway containing the encrypted card data and the encrypted key.
4: APP will decrypt the retrieved key with OpenSSL using the client-side master key.
5: The decrypted client-side key will then decrypt the user's card data.
Notes: The app will be behind a WAF and have an IPS, IDS, anti-virus and a FIM solution in place. FIM will check for any changes to the file system and alert me via e-mail, plus I will add some logic to automatically disable the AWS KMS master key if FIM detects a change.
Additional note: Access to AWS API Gateway will be limited to my server's IP address.
Please let me know your thoughts and suggestions.
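The app-side layers of the workflow above (encryption steps 1-3 and decryption steps 4-5: a fresh per-user key seals the data and is itself wrapped under the client-side master key) as an added Go example; this is not the poster's PHP/OpenSSL code. The AWS API Gateway/Lambda/KMS hop is left out, `masterKey` stands in for the key read from the server config file, and AES-256-GCM is assumed so that any alteration of a stored blob is detected on decrypt.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// mustAEAD builds AES-256-GCM; the length check matters because aes.NewCipher silently accepts 16/24-byte keys.
func mustAEAD(key []byte) cipher.AEAD {
	if len(key) != 32 {
		panic("AES-256 needs a 32-byte key") // a wrong key length is a configuration error
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts with a fresh random nonce; output is nonce||ciphertext||tag.
func seal(key, plaintext []byte) []byte {
	gcm := mustAEAD(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error (Go >= 1.24)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal and fails if the nonce, ciphertext or tag was altered.
func open(key, blob []byte) ([]byte, error) {
	gcm := mustAEAD(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("truncated ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Encrypt is steps 1-3: a per-user key seals the data, the master key wraps that key; both blobs get stored.
func Encrypt(masterKey, data []byte) (wrappedUserKey, encData []byte) {
	userKey := make([]byte, 32)
	rand.Read(userKey)
	return seal(masterKey, userKey), seal(userKey, data)
}

// Decrypt is steps 4-5: unwrap the user key with the master key, then open the data.
func Decrypt(masterKey, wrappedUserKey, encData []byte) ([]byte, error) {
	userKey, err := open(masterKey, wrappedUserKey)
	if err != nil {
		return nil, err
	}
	return open(userKey, encData)
}
```

Because each call draws a new key and nonce, two records for the same plaintext never share a wrapped-key or data blob, and a blob flipped by even one bit fails to decrypt instead of yielding garbage.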