How can I verify that authenticated encryption with data encryption is used for AWS KMS API calls?

1 minute read
0

I want to verify that authenticated encryption with data encryption is used for AWS Key Management Service (AWS KMS) encrypt, decrypt, and re-encrypt API calls.

Short description

AWS KMS provides an encryption context that you can use to verify the authenticity of AWS KMS API calls. You can also use encryption context to verify the integrity of the ciphertext returned by the decrypt API.

Resolution

To verify the integrity of data encrypted with the AWS KMS APIs, you pass a set of key-value pairs as an encryption context during AWS KMS encryption. The data encryption integrity is verified again when you call the decrypt or re-encrypt APIs. If the encryption passed to the decrypt API is identical to the encrypt or re-encrypt APIs, then the integrity of the ciphertext returned is protected.

Related information

How to protect the integrity of your encrypted data by using AWS Key Management Service and EncryptionContext

AWS OFFICIAL
AWS OFFICIALUpdated 6 months ago