Commit
feat: AWS KMS multi-Region Key support (#254)
Added the new master key AwsKmsMrkAwareMasterKey and the new master key provider AwsKmsMrkAwareMasterKeyProvider that support AWS KMS multi-Region Keys. See https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html for more details about AWS KMS multi-Region Keys. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/configure.html#config-mrks for more details about how the AWS Encryption SDK interoperates with AWS KMS multi-Region keys.
Co-authored-by: seebees <ryanemer@amazon.com>
Showing 55 changed files with 4,915 additions and 133 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,4 +5,7 @@ target/ | |
.classpath | ||
/bin/ | ||
.idea/ | ||
*.iml | ||
*.iml | ||
/.history | ||
/.DS_Store | ||
/specification_compliance_report.html |
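Review bot: `*.iml` appears twice in this hunk; the header counts (`-5,4 +5,7`) are consistent with the existing `*.iml` line being removed and re-added (a missing trailing newline being fixed) while `/.history`, `/.DS_Store` and `/specification_compliance_report.html` are appended, so no duplicate ignore rule results, but please confirm the newline fix was intended rather than an accidental edit of that line.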
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,6 @@ | ||
[submodule "src/test/resources/aws-encryption-sdk-test-vectors"] | ||
path = src/test/resources/aws-encryption-sdk-test-vectors | ||
url = https://github.com/awslabs/private-aws-encryption-sdk-test-vectors-staging.git | ||
[submodule "aws-encryption-sdk-specification"] | ||
path = aws-encryption-sdk-specification | ||
url = https://github.com/awslabs/private-aws-encryption-sdk-specification-staging.git |
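Review bot: the new `aws-encryption-sdk-specification` submodule (like the existing test-vectors one) points at a `private-...-staging` repository under awslabs, so `git submodule update --init` fails for anyone without access to that private repo, including external contributors and fresh CI images; switch to the public repository URL before merging, or document that the submodule is only needed for the compliance tooling and not for building the SDK.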
Submodule aws-encryption-sdk-specification added at ef3420
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
version: 0.2 | ||
|
||
phases: | ||
install: | ||
runtime-versions: | ||
nodejs: 12 | ||
build: | ||
commands: | ||
- ./util/test-conditions.sh |
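Review bot: `./util/test-conditions.sh` is invoked directly, so the script must be committed with the executable bit set or the build step will fail with "permission denied"; invoking it as `sh ./util/test-conditions.sh` avoids depending on file mode. The `nodejs: 12` runtime pin is also not obviously needed by the single command shown, so a one-line comment stating what the script uses Node for would save the next reader a trip into the script.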
compliance_exceptions/aws-kms-mrk-aware-multi-keyrings.java: 104 changes: 104 additions & 0 deletions
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. | ||
// SPDX-License-Identifier: Apache-2.0 | ||
|
||
// The AWS Encryption SDK - Java does not implement | ||
// any of the Keyring interface at this time. | ||
|
||
//= compliance/framework/aws-kms/aws-kms-mrk-aware-multi-keyrings.txt#2.5 | ||
//= type=exception | ||
//# The caller MUST provide: | ||
//# | ||
//# * A set of Region strings | ||
//# | ||
//# * An optional discovery filter that is an AWS partition and a set of | ||
//# AWS accounts | ||
//# | ||
//# * An optional method that can take a region string and return an AWS | ||
//# KMS client e.g. a regional client supplier | ||
//# | ||
//# * An optional list of AWS KMS grant tokens | ||
//# | ||
//# If an empty set of Region is provided this function MUST fail. If | ||
//# any element of the set of regions is null or an empty string this | ||
//# function MUST fail. If a regional client supplier is not passed, | ||
//# then a default MUST be created that takes a region string and | ||
//# generates a default AWS SDK client for the given region. | ||
//# | ||
//# A set of AWS KMS clients MUST be created by calling regional client | ||
//# supplier for each region in the input set of regions. | ||
//# | ||
//# Then a set of AWS KMS MRK Aware Symmetric Region Discovery Keyring | ||
//# (aws-kms-mrk-aware-symmetric-region-discovery-keyring.md) MUST be | ||
//# created for each AWS KMS client by initializing each keyring with | ||
//# | ||
//# * The AWS KMS client | ||
//# | ||
//# * The input discovery filter | ||
//# | ||
//# * The input AWS KMS grant tokens | ||
//# | ||
//# Then a Multi-Keyring (../multi-keyring.md#inputs) MUST be initialize | ||
//# by using this set of discovery keyrings as the child keyrings | ||
//# (../multi-keyring.md#child-keyrings). This Multi-Keyring MUST be | ||
//# this functions output. | ||
|
||
//= compliance/framework/aws-kms/aws-kms-mrk-aware-multi-keyrings.txt#2.6 | ||
//= type=exception | ||
//# The caller MUST provide: | ||
//# | ||
//# * An optional AWS KMS key identifiers to use as the generator. | ||
//# | ||
//# * An optional set of AWS KMS key identifiers to us as child | ||
//# keyrings. | ||
//# | ||
//# * An optional method that can take a region string and return an AWS | ||
//# KMS client e.g. a regional client supplier | ||
//# | ||
//# * An optional list of AWS KMS grant tokens | ||
//# | ||
//# If any of the AWS KMS key identifiers is null or an empty string this | ||
//# function MUST fail. At least one non-null or non-empty string AWS | ||
//# KMS key identifiers exists in the input this function MUST fail. All | ||
//# AWS KMS identifiers are passed to Assert AWS KMS MRK are unique (aws- | ||
//# kms-mrk-are-unique.md#Implementation) and the function MUST return | ||
//# success otherwise this MUST fail. If a regional client supplier is | ||
//# not passed, then a default MUST be created that takes a region string | ||
//# and generates a default AWS SDK client for the given region. | ||
//# | ||
//# If there is a generator input then the generator keyring MUST be a | ||
//# AWS KMS MRK Aware Symmetric Keyring (aws-kms-mrk-aware-symmetric- | ||
//# keyring.md) initialized with | ||
//# | ||
//# * The generator input. | ||
//# | ||
//# * The AWS KMS client that MUST be created by the regional client | ||
//# supplier when called with the region part of the generator ARN or | ||
//# a signal for the AWS SDK to select the default region. | ||
//# | ||
//# * The input list of AWS KMS grant tokens | ||
//# | ||
//# If there is a set of child identifiers then a set of AWS KMS MRK | ||
//# Aware Symmetric Keyring (aws-kms-mrk-aware-symmetric-keyring.md) MUST | ||
//# be created for each AWS KMS key identifier by initialized each | ||
//# keyring with | ||
//# | ||
//# * AWS KMS key identifier. | ||
//# | ||
//# * The AWS KMS client that MUST be created by the regional client | ||
//# supplier when called with the region part of the AWS KMS key | ||
//# identifier or a signal for the AWS SDK to select the default | ||
//# region. | ||
//# | ||
//# * The input list of AWS KMS grant tokens | ||
//# | ||
//# NOTE: The AWS Encryption SDK SHOULD NOT attempt to evaluate its own | ||
//# default region. | ||
//# | ||
//# Then a Multi-Keyring (../multi-keyring.md#inputs) MUST be initialize | ||
//# by using this generator keyring as the generator keyring (../multi- | ||
//# keyring.md#generator-keyring) and this set of child keyrings as the | ||
//# child keyrings (../multi-keyring.md#child-keyrings). This Multi- | ||
//# Keyring MUST be this functions output. | ||
|
||
|
||
|
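Review bot: the justification for excepting spec sections 2.5 and 2.6 ("The AWS Encryption SDK - Java does not implement any of the Keyring interface at this time") is a free-standing comment at the top of the file rather than part of either `//= type=exception` block, so someone reading one block in isolation, or the generated compliance report, does not see why that section is excepted; consider restating the reason alongside each exception. Separately, two spots in the quoted 2.6 text look like spec-side defects worth an upstream issue rather than edits here: "to us as child keyrings" and the sentence "At least one non-null or non-empty string AWS KMS key identifiers exists in the input this function MUST fail", which appears to have lost a negation given that the preceding sentence already fails on null or empty identifiers.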