I want to verify that authenticated encryption with data encryption is used for AWS Key Management Service (AWS KMS) encrypt, decrypt, and re-encrypt API calls.
Short description
AWS KMS provides an encryption context that you can use to verify the authenticity of AWS KMS API calls. You can also use encryption context to verify the integrity of the ciphertext returned by the decrypt API.
Resolution
To verify the integrity of data encrypted with the AWS KMS APIs, pass a set of key-value pairs as an encryption context when you call the encrypt API. The integrity of the encrypted data is verified again when you call the decrypt or re-encrypt APIs. If the encryption context passed to the decrypt API is identical to the one passed to the encrypt or re-encrypt APIs, then the integrity of the ciphertext returned is protected.
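The binding described above can be seen in a local model. This is an added example, not AWS code and not part of the original article: it uses Node.js AES-256-GCM with the encryption context as additional authenticated data, which is how AWS KMS treats the context. The function names, the JSON serialization of the context, and the sample key and values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: a canonical encoding of the context (key-value pairs sorted by key).
// The serialization KMS uses internally is not described in this article.
function contextToAad(context) {
  const pairs = Object.keys(context).sort().map((k) => [k, String(context[k])]);
  return Buffer.from(JSON.stringify(pairs), 'utf8');
}

// Local stand-in for Encrypt: the context is authenticated but not stored in the blob.
function encrypt(key, plaintext, context) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(contextToAad(context));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]); // iv | tag | ciphertext
}

// Local stand-in for Decrypt: returns the plaintext, or null when authentication fails.
function decrypt(key, blob, context) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  decipher.setAAD(contextToAad(context));
  try {
    return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // context or ciphertext differs from what was encrypted
  }
}

// Flip one bit of the last ciphertext byte to simulate modification in storage.
function tampered(blob) {
  const copy = Buffer.from(blob);
  copy[copy.length - 1] ^= 1;
  return copy;
}

// Constructed sample data (random local key, made-up context values).
const key = crypto.randomBytes(32);
const context = { tenant: 'acme', purpose: 'db-backup' };
const blob = encrypt(key, 'secret value', context);

console.log(decrypt(key, blob, { purpose: 'db-backup', tenant: 'acme' })); // same pairs, other order
console.log(decrypt(key, blob, { tenant: 'Acme', purpose: 'db-backup' })); // case differs
console.log(decrypt(key, blob, {}));                                       // context omitted
console.log(decrypt(key, tampered(blob), context));                        // ciphertext modified
```

With AWS KMS itself, a Decrypt call whose encryption context does not match fails with InvalidCiphertextException instead of returning null.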
Related information
How to protect the integrity of your encrypted data by using AWS Key Management Service and EncryptionContext