


 Short description
------------------



AWS KMS provides an [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) that you can use to verify the authenticity of AWS KMS API calls, and the integrity of the ciphertext returned by the AWS **Decrypt** API.



 Resolution
-----------



To verify the integrity of data encrypted with the AWS KMS APIs, you pass a set of [key-value pairs](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) as an encryption context during AWS KMS encryption, and again when you call the **Decrypt** or **ReEncrypt** APIs. If the encryption context that you pass to the **Decrypt** API is identical to the encryption context that you pass to the **Encrypt** or **ReEncrypt** APIs, the integrity of the ciphertext returned is protected.


To learn more about using encryption context to protect the integrity of encrypted data, see the AWS Security Blog [How to protect the integrity of your encrypted data by using AWS KMS and EncryptionContext](https://aws.amazon.com/blogs/security/how-to-protect-the-integrity-of-your-encrypted-data-by-using-aws-key-management-service-and-encryptioncontext/).





---








How can I verify that authenticated encryption with associated data encryption is used when calling AWS Key Management Service (AWS KMS) Encrypt, Decrypt, and ReEncrypt APIs?

How can I verify that authenticated encryption with associated data encryption is used when calling AWS KMS APIs?

How can I verify that authenticated encryption with associated data encryption is used when calling AWS KMS APIs?

Short description

Resolution

Relevanter Inhalt