5

DynamoDB: can we use encryption and cross-region replication together?

We are evaluating DynamoDB for our new application. Our requirements are:

  • Data encryption at rest
  • Cross-region replication for disaster recovery. Our app in a region must rely on services in that region only

Our requirements can be met separately using Java libraries provided by AWS. The solutions are:

However, we are not certain that these solutions can work together. We are concerned that we won't be able to decrypt cross-region replicated records. The client-side encryption solution recommends establishing a key hierarchy with a KMS-managed key at the root. KMS is region-specific, so we won't be able to decrypt records if we replicate them to another region. The encryption key is not accessible in another region.

The questions are:

  • Is it true that the decryption of cross-region replicated records is impossible if the encryption key is in KMS?
  • Is there a recommended approach to replicating encrypted DynamoDB records? Has anyone done this before?
  • Are there any alternatives we should be looking at?
ez121sl
  • I'm voting to close this question as off-topic. I'm not sure but maybe [dba](http://dba.stackexchange.com/) is a better site to ask this on. – President James K. Polk Nov 09 '16 at 17:43
  • Depending on the time frame in which you need to restore the database, you could try backing up to S3 and replicating that. http://stackoverflow.com/questions/23510704/using-amazon-data-pipeline-to-backup-dynamodb-data-to-s3 – BillMan Nov 10 '16 at 20:12

1 Answer

5

You are right. As is, the setup won't work because KMS keys can't be shared across regions.

Let's say you are replicating data from region R1 to R2, which have KMS keys K1 and K2 respectively. I can suggest the following alternatives:

  1. Modify the library a bit, so that it decrypts data from R1 using K1 and re-encrypts using K2, during replication. You'd be interested in the DynamoDBStreamsRecordTransformer class.
  2. Import your own key material in both R1 and R2. Check relevant documentation here.
    • Caveat: Might be operationally painful, depending on your use case.

Update: Adding your thoughts too, so that it can help anyone stumbling onto this question in future:

  1. Create your own plaintext data key (possibly using KMS's GenerateRandom API), encrypt it using both K1 and K2 (using the Encrypt API), and store both of the resulting ciphertexts along with your data in both regions.
    • Caveat: Cross-region calls for every update. In option #1, the updates are asynchronous.
ketan vijayvargiya
  • Thank you! Interesting idea about the DynamoDBStreamsRecordTransformer. I will look into that in more details. Agreed that dealing with own key material is operationally difficult. There is another possibility of hacking the encryption library such that it stores two copies of the data encryption key - one copy is encrypted with K1 and the other is encrypted with K2. Then the code in R1 uses K1 to decrypt the first copy of the data encryption key, and the code in R2 uses K2 to decrypt the second copy of the data encryption key. The code in both regions can then decrypt the data. – ez121sl Nov 14 '16 at 15:35
  • That can work only if *you* can provide a plaintext data key to KMS and it returns an encrypted data key. Does it support that? I don't see something like that here: http://docs.aws.amazon.com/kms/latest/APIReference/API_Operations.html – ketan vijayvargiya Nov 14 '16 at 16:10
  • I'm not sure that importing your own key material to KMS in two regions would work. Per the AWS docs, "Ciphertexts are not portable between CMKs. When you encrypt data under a KMS CMK, the ciphertext cannot be decrypted with any other CMK. This applies to all KMS CMKs, and remains true even when you import the same key material into a different CMK." This seems to say that even with the same key material, different CMKs cannot decrypt each other's ciphertexts. Note - from same link that ketan linked to in #2. – Kirkaiya Jan 25 '17 at 23:06
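The following is an added example, not code from the question, the answer or the AWS libraries they discuss. It models the answer's option 3 (one data key, wrapped separately under K1 and K2, both wrapped copies stored with the record) and the commenters' point that a KMS ciphertext is bound to the CMK that produced it. Because the real KMS cannot be reached offline, each region's KMS is simulated by a local AES-256-GCM key (`RegionalKMS`, a stand-in type, not an AWS API); the key ARNs and the sample record are constructed placeholders. Production code would replace `Encrypt`/`Decrypt` with the regional KMS client's Encrypt and Decrypt calls and keep the same envelope layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG (kms:GenerateRandom in production).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// gcmFor builds AES-GCM; it fails only on a bad key length, which callers rule out.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce||ciphertext of plaintext under key, binding aad.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// RegionalKMS stands in for one region's KMS and its single CMK (simulated here
// by a local AES-256 key so the example runs offline; real KMS never releases it).
type RegionalKMS struct {
	KeyID string // CMK ARN; the ones used in this example are constructed placeholders
	cmk   []byte
}

func NewRegionalKMS(keyID string) *RegionalKMS {
	return &RegionalKMS{KeyID: keyID, cmk: randomBytes(32)}
}

// Encrypt models kms:Encrypt: wrap a data key under this region's CMK.
func (k *RegionalKMS) Encrypt(dataKey []byte) []byte {
	return seal(k.cmk, dataKey, []byte(k.KeyID))
}

// Decrypt models kms:Decrypt. A blob wrapped by any other CMK fails here, which
// is the "ciphertexts are not portable between CMKs" rule quoted in the comments.
func (k *RegionalKMS) Decrypt(blob []byte) ([]byte, error) {
	return open(k.cmk, blob, []byte(k.KeyID))
}

// Envelope is the stored item: ciphertext plus one wrapped data-key copy per CMK.
type Envelope struct {
	Ciphertext  []byte
	WrappedKeys map[string][]byte // CMK KeyID -> data key wrapped under that CMK
}

// EncryptRecord makes a fresh data key, encrypts the record with it and wraps the
// key under every CMK given. Rewrapping during replication (the answer's option 1)
// is the same Decrypt-then-Encrypt sequence, run by the replicator for the new CMK.
func EncryptRecord(plaintext []byte, cmks ...*RegionalKMS) *Envelope {
	dataKey := randomBytes(32)
	env := &Envelope{Ciphertext: seal(dataKey, plaintext, nil), WrappedKeys: map[string][]byte{}}
	for _, k := range cmks {
		env.WrappedKeys[k.KeyID] = k.Encrypt(dataKey)
	}
	return env
}

// DecryptRecord runs inside one region and talks only to that region's KMS.
func DecryptRecord(env *Envelope, local *RegionalKMS) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[local.KeyID]
	if !ok {
		return nil, fmt.Errorf("record has no data key wrapped under %s", local.KeyID)
	}
	dataKey, err := local.Decrypt(wrapped)
	if err != nil {
		return nil, fmt.Errorf("kms %s: %w", local.KeyID, err)
	}
	if len(dataKey) != 32 {
		return nil, errors.New("unwrapped data key has the wrong length")
	}
	return open(dataKey, env.Ciphertext, nil)
}
```

The point to check in a real deployment is the one the answer's caveat names: `EncryptRecord` must call both regions' KMS on every write, so a writer in R1 needs network access to and `kms:Encrypt` permission on K2. The reader side stays region-local, which is what the question's "rely on services in that region only" requirement asks for. If the second wrap is moved into the replication pipeline instead (option 1), only the replicator needs cross-region KMS access, at the cost of the replicated copy being unreadable in R2 until the rewrap has run.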