My team is working on a customer-facing piece of hardware which will store various physical items. To gain access to this hardware, the customer will enter a PIN, the PIN that was created by a manager from an internal Amazon dashboard. We are trying to determine the best way to encrypt these PINs from the dashboard into our RDS and decrypt them from the customer entry. Here are our current workflows, but we are looking for guidance on whether we're thinking about this correctly:
From Dashboard (PIN Creation): Manager enters PIN > triggers API call into Gateway > triggers Lambda, which triggers the createalias and encryptkey API for KMS and imports it into KMS.
From Hardware (Customer Entry): Customer enters PIN > triggers API call into Gateway > triggers Lambda, which triggers the decrypt API in KMS > once the password has been decrypted, we need a way for this decryption to then trigger various workflows that will take place in our RDS, eventually leading to a door on the locker opening.
The question we have here is: once the key has been decrypted within KMS at customer entry, what is the best way to then trigger the next RDS function? Can KMS make API calls out? Do I need a Lambda function in between KMS and RDS? We also want to make sure our thought process about the workflow above makes sense. Any advice is appreciated.
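The two Lambda paths described in the post, as an added example that is not part of the original post and not the poster's code. It uses only the standard library: the KMS client is injected, so in production you would pass `boto3.client("kms")`, whose `encrypt(KeyId=..., Plaintext=..., EncryptionContext=...)` and `decrypt(CiphertextBlob=..., EncryptionContext=...)` calls the code mirrors; for an offline run a constructed `FakeKms` stands in and reproduces one real KMS rule that matters here, that Decrypt fails unless it presents exactly the EncryptionContext used at Encrypt. The key alias `alias/locker-pins`, the `locker_id` context key, the plain dict standing in for the RDS table and the `InvalidCiphertext` exception (standing in for botocore's `InvalidCiphertextException`) are all assumptions of this example. KMS returns the decrypted bytes only to its caller, so the code the post calls "the Lambda in between" is `customer_entry_handler`: it reads the row, verifies the PIN with a constant-time compare, discards the plaintext, and only then performs the RDS/door step.

```python
"""Two Lambda-shaped handlers around KMS for locker PINs (added example, stdlib only).

Assumptions: key alias "alias/locker-pins", an EncryptionContext of {"locker_id": ...},
a dict as a stand-in for the RDS locker table, and FakeKms as a stand-in for boto3's
KMS client so the module runs offline.
"""
import base64
import hmac
import secrets


class InvalidCiphertext(Exception):
    """Stand-in for botocore's InvalidCiphertextException, which real KMS raises
    when the ciphertext is bad or the EncryptionContext on Decrypt does not match."""


class FakeKms:
    """Constructed stand-in for boto3.client("kms"): same keyword arguments as the real
    encrypt()/decrypt() and the same context rule, but 'ciphertexts' are random handles
    kept in memory rather than real AES-GCM output. Never use this in production."""

    def __init__(self):
        self._store = {}  # handle -> (plaintext bytes, frozenset of context items)

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        handle = secrets.token_bytes(16)
        ctx = frozenset((EncryptionContext or {}).items())
        self._store[handle] = (bytes(Plaintext), ctx)
        return {"KeyId": KeyId, "CiphertextBlob": handle}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        entry = self._store.get(bytes(CiphertextBlob))
        ctx = frozenset((EncryptionContext or {}).items())
        if entry is None or entry[1] != ctx:
            raise InvalidCiphertext("ciphertext or EncryptionContext mismatch")
        return {"Plaintext": entry[0]}


def _context(locker_id):
    # Bind the ciphertext to the locker row it belongs to. Real KMS authenticates the
    # EncryptionContext with the ciphertext, so a blob copied from one locker's row
    # into another's will not decrypt under the other locker's context.
    return {"locker_id": locker_id}


def create_pin(kms, key_id, locker_id, pin):
    """Dashboard path: manager-entered PIN -> base64 ciphertext to store in the RDS row."""
    resp = kms.encrypt(KeyId=key_id, Plaintext=pin.encode(),
                       EncryptionContext=_context(locker_id))
    return base64.b64encode(resp["CiphertextBlob"]).decode()


def verify_pin(kms, locker_id, stored_b64, entered_pin):
    """Hardware path: decrypt inside the Lambda, compare in constant time, discard."""
    try:
        resp = kms.decrypt(CiphertextBlob=base64.b64decode(stored_b64),
                           EncryptionContext=_context(locker_id))
    except InvalidCiphertext:
        return False
    return hmac.compare_digest(resp["Plaintext"], entered_pin.encode())


def customer_entry_handler(kms, db, locker_id, entered_pin):
    """The Lambda that sits between KMS and RDS: KMS only hands plaintext back to
    its caller, so this function is what drives the RDS update and the door."""
    row = db.get(locker_id)
    if row is None or not verify_pin(kms, locker_id, row["pin_ciphertext"], entered_pin):
        return {"unlocked": False}
    db[locker_id]["state"] = "open"  # stands in for the RDS workflow / door command
    return {"unlocked": True}


if __name__ == "__main__":
    kms, db = FakeKms(), {}
    db["L1"] = {"pin_ciphertext": create_pin(kms, "alias/locker-pins", "L1", "4821"),
                "state": "closed"}
    print(customer_entry_handler(kms, db, "L1", "4821"))   # correct PIN
    print(customer_entry_handler(kms, db, "L1", "0000"))   # wrong PIN
    db["L2"] = {"pin_ciphertext": db["L1"]["pin_ciphertext"], "state": "closed"}
    print(customer_entry_handler(kms, db, "L2", "4821"))   # blob moved to another row
```

Against a real key, the third case fails inside KMS with InvalidCiphertextException because the stored blob was encrypted under `{"locker_id": "L1"}` and is being decrypted under `{"locker_id": "L2"}`; the fake reproduces that outcome so the test runs offline.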