Working of MetaStore and MostRecentProvider in DynamoDB Encryption Client

0

I'm exploring KMS for implementing client-side encryption within our DynamoDB table. While going through the documentation, it's apparent that the MostRecentProvider (MRP) stands out as the favored choice for high-throughput clients. It seems that MRP leverages a MetaStore to store dataKeys, also referred to as "material," with these dataKeys being encrypted using KMS. When the DynamoDB Encryption Client needs to encrypt an item in DynamoDB, it initially checks the cache for the most recent dataKeys version. If absent, a call to KMS is made through the MetaStore.

Despite having a general understanding of this process, a few points still elude me:

  1. I'm uncertain about the necessity of the MetaStore. Why can't MRP directly communicate with KMS to acquire the dataKeys? More components means more ops load/points of failure?
  2. I'm seeking clarity on the generation of dataKeys stored within the MetaStore. Could there be two distinct types of KMS Keys involved? One dedicated to encrypting/decrypting MetaStore items, and another responsible for creating the MetaStore item itself, essentially used in the encryption/decryption of DynamoDB items.
  3. Who controls the rotation of dataKeys stored in MetaStore? I read somewhere it has to be a manual rotation. If so, what should be the frequency of doing it?
  4. If we are creating our own MetaStore (another dynamo db table), will we have to create KMS keys for it?

Thanks

Asked 9 months ago, 141 views
No answers
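As an added illustration (not the question's or the library's code): a constructed Python model of the flow the question describes, with a fake KMS, a shared MetaStore table and a most-recent-style provider. It shows why the MetaStore is shared state that lets several clients agree on the current version without each calling KMS, and how a manually created version only becomes the encryption key after the cache TTL lapses while older versions still decrypt. `FakeKms`, `FakeMetaStore` and `SimMostRecentProvider` are assumed names, and the XOR wrapping is a toy stand-in for KMS envelope encryption.

```python
import os

# Constructed toy stand-ins for KMS and a MetaStore table. They model the flow
# the question describes, not the AWS SDK or the real library's classes.

class FakeKms:  # one KMS key: wraps/unwraps data keys, never exposes the key
    def __init__(self):
        self._cmk = os.urandom(32)
        self.calls = 0  # round trips a real client would pay for
    def generate_data_key(self):
        self.calls += 1
        plaintext = os.urandom(32)
        wrapped = bytes(a ^ b for a, b in zip(plaintext, self._cmk))  # toy wrap
        return plaintext, wrapped
    def decrypt(self, wrapped):
        self.calls += 1
        return bytes(a ^ b for a, b in zip(wrapped, self._cmk))

class FakeMetaStore:  # shared (name, version) -> wrapped key; no plaintext stored
    def __init__(self, kms):
        self.kms, self.items = kms, {}
    def max_version(self, name):
        found = [v for (n, v) in self.items if n == name]
        return max(found) if found else None
    def create_version(self, name):  # manual rotation: one more KMS-wrapped key
        cur = self.max_version(name)
        version = 0 if cur is None else cur + 1
        self.items[(name, version)] = self.kms.generate_data_key()[1]
        return version
    def get_version(self, name, version):
        return self.kms.decrypt(self.items[(name, version)])

class SimMostRecentProvider:  # caches the newest version for ttl seconds
    def __init__(self, store, name, ttl, clock):
        self.store, self.name, self.ttl, self.clock = store, name, ttl, clock
        self._cache, self._current = {}, None  # version -> key, (version, at)
    def encryption_key(self):  # (version, plaintext key) for a new item
        now = self.clock()
        if self._current and now - self._current[1] < self.ttl:
            return self._current[0], self._cache[self._current[0]]
        v = self.store.max_version(self.name)
        if v is None:  # first writer anywhere creates version 0
            v = self.store.create_version(self.name)
        self._current = (v, now)
        return v, self.decryption_key(v)
    def decryption_key(self, version):  # version is read from the item's metadata
        if version not in self._cache:
            self._cache[version] = self.store.get_version(self.name, version)
        return self._cache[version]
```

Because the MetaStore holds only KMS-wrapped keys, a second client can pick up the current version with one KMS Decrypt rather than generating its own, which is the point of sharing it.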
