aws-sdk-java-v2

Dynamodb Enhanced Client support for Encryption

Open santanugho opened this issue 5 years ago • 9 comments

Describe the issue

Recently we were evaluating an upgrade to the enhanced DynamoDB client. In production, all our customer information is encrypted. In the existing implementation, we pass the encryption material provider in the constructor of DynamoDBMapper like:

DynamoDBMapper scanMapper = new DynamoDBMapper(dynamoDbCLient, scanConfig, new AttributeEncryptor(encryptionMaterialProvider));

As per my understanding, in the enhanced DynamoDB client DynamoDbTable is the replacement, but neither its constructor nor any other method has the flexibility to pass the encryption material provider.

My question is, isn't encryption supported in the enhanced DynamoDB client? If it is, can someone please point me to the right API or maybe some sample code?

Your Environment

  • AWS Java SDK version used: dynamodb-enhanced-2.13.27
  • JDK version used: JDK 11
  • Operating System and version: MacOS Mojave

santanugho avatar Jun 02 '20 22:06 santanugho

Client-side encryption is not currently supported by the DynamoDB Enhanced Client, but it is in the roadmap. Marking this as a feature request.

debora-ito avatar Jun 03 '20 17:06 debora-ito

> Client-side encryption is not currently supported by the DynamoDB Enhanced Client, but it is in the roadmap. Marking this as a feature request.

Thanks a lot for the prompt reply, is there any planned release date for this feature?

santanugho avatar Jun 03 '20 19:06 santanugho

No timeline for it yet, will update when we have one.

debora-ito avatar Jun 03 '20 20:06 debora-ito

Is it also safe to assume that with the enhanced DDB client in its current state, signing DDB objects is also not possible out of the box? Isn't data signing something recommended for data integrity?

santanugho avatar Jun 23 '20 20:06 santanugho

Hey folks, any news on this? The absence of encryption is a strong enough argument for people to decide in favor of DDB Mapper and wait on DDB enhanced client adoption, which in consequence means delaying SDK v2 adoption. Would it be possible to get this prioritized?

Thanks

imgaray avatar Dec 01 '20 19:12 imgaray

It has been 1.5 years since the release of the EnhancedClient, and client-side encryption support seems to be essential for any user that has stricter security requirements. Can we get this prioritized?

yanzhangusc avatar Sep 02 '21 14:09 yanzhangusc

Hey!

I'm in the process of migrating our services to AWS SDK 2.x and I was just left baffled by the fact that I'm not able to integrate KMS into the Dynamo enhanced client, meaning that this crucial feature prevents me from the otherwise AWS-recommended migration to SDK 2.x.

This is not an ordinary open source project, it's a large cloud provider's proprietary SDK - please assign some dev time to this feature; the ticket is almost 2 years old.

bfg avatar Feb 25 '22 14:02 bfg

Hi @bfg @yanzhangusc @imgaray and everyone following this thread: thank you for your feedback, we really appreciate the engagement and the patience.

We understand the pain of lack of encryption support. But in the end it's a matter of prioritization: the team has limited bandwidth (as any development team) and DynamoDB Enhanced client alone has currently 25 feature requests, from a total of 150+ feature requests across the SDK. We are actively working on highly requested features like update expressions, support for polymorphic types, TransferManager copy support, plus some internal enhancements.

We're discussing how to improve the visibility of our roadmap - our current Project board got out-of-date pretty fast. In the meantime, you all can help with prioritization by adding a 👍 in the original issue description (please don't add single comments with +1, they are not helpful). We use the 👍 count as one of the inputs when we plan for feature work.

debora-ito avatar Feb 25 '22 21:02 debora-ito

Hi,

Is using the AWS Enhanced Client a bottleneck regarding data encryption? How is one supposed to encrypt data using the AWS-recommended Enhanced Client library?

lifehetu avatar Aug 04 '22 06:08 lifehetu

The new AWS Database Encryption SDK is out, in developer preview mode.

https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/what-is-database-encryption-sdk.html

As a reminder, libraries under developer preview are not recommended for production environments because they are subject to change. Feel free to share your feedback here or in the library's GitHub repo - aws/aws-database-encryption-sdk-dynamodb-java

debora-ito avatar Jul 17 '23 18:07 debora-ito

Update: The AWS Database Encryption SDK for DynamoDB in Java has GA-ed! @debora-ito I believe this issue can be closed.

texastony avatar Aug 25 '23 19:08 texastony