Does DocumentDB support client side encryption?

1

I understand DocumentDB supports SSE via KMS (1 key per cluster). However, does it support client-side encryption or the AWS encryption SDK?

3 Answers
2

You can use Transport Layer Security (TLS) to encrypt the connection between your application and an Amazon DocumentDB cluster. By default, encryption in transit is enabled for newly created Amazon DocumentDB clusters. It can optionally be disabled when the cluster is created, or at a later time. When encryption in transit is enabled, secure connections using TLS are required to connect to the cluster. For more information on connecting to Amazon DocumentDB using TLS, all details can be found at https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html

answered 2 years ago
  • I'm concerned with encryption at rest.

1

The AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices. It enables you to focus on the core functionality of your application, rather than on how to best encrypt and decrypt your data.

As mentioned in this link, albeit for S3, it can be used to encrypt or decrypt data to be stored anywhere and gives an explanation on how the SDK works.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html

This answers both the questions; however, you have to be aware that the data has to be encrypted and decrypted using the Encryption SDK, and the AWS Encryption SDK cannot interoperate with other libraries because each library returns encrypted data in a different format. Read the developer guide and be sure you understand the concepts and how it works.

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html

Looking at use cases, you can also enable TLS as previously answered which is in the DocumentDB documentation if the concern was to encrypt data in transit and enable encryption at rest for the DocumentDB cluster.

https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html

https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html

AWS
VLS
answered 2 years ago
AWS
EXPERT
Luca_I
reviewed 2 years ago
0

The latest release of Amazon DocumentDB supports CSFLE. To get started with CSFLE, please refer to this blog

AWS
KT
answered 1 year ago
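
The client-side pattern the answers above point to, as an added example that is not part of the original answers and is neither the AWS Encryption SDK message format nor the driver's CSFLE: selected fields are sealed with AES-256-GCM under a per-document data key before the document is sent to the cluster. `MASTER_KEY` is a local stand-in for a KMS key, and the `_enc` field, the sample document and all helper names are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Local stand-in for a KMS key (assumption); in production KMS wraps the data key.
const MASTER_KEY = crypto.randomBytes(32);
// Constructed sample document; only `ssn` is treated as sensitive.
const SAMPLE = { _id: 'u-1001', name: 'Ana', ssn: '000-00-0000' };

// AES-256-GCM seal: output is base64(iv || tag || ciphertext).
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Throws if the key, ciphertext, tag or AAD does not match.
function unseal(key, blob, aad) {
  const raw = Buffer.from(blob, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12), { authTagLength: 16 });
  d.setAAD(aad);
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]);
}

// Encrypt the named fields; the rest stays plaintext and queryable by the database.
function encryptDocument(doc, fields, masterKey = MASTER_KEY) {
  const dataKey = crypto.randomBytes(32); // fresh data key per document
  const out = { ...doc };
  for (const f of fields) {
    // AAD binds each ciphertext to its document id and field name.
    out[f] = seal(dataKey, Buffer.from(JSON.stringify(doc[f])), Buffer.from(`${doc._id}:${f}`));
  }
  const keyAad = Buffer.from(`${doc._id}|${fields.join(',')}`);
  out._enc = { fields, wrappedKey: seal(masterKey, dataKey, keyAad) };
  return out;
}

function decryptDocument(stored, masterKey = MASTER_KEY) {
  const { fields, wrappedKey } = stored._enc;
  const keyAad = Buffer.from(`${stored._id}|${fields.join(',')}`);
  const dataKey = unseal(masterKey, wrappedKey, keyAad);
  const out = { ...stored };
  delete out._enc;
  for (const f of fields) {
    out[f] = JSON.parse(unseal(dataKey, stored[f], Buffer.from(`${stored._id}:${f}`)).toString());
  }
  return out;
}
```

Fields sealed this way are opaque to the cluster, so they cannot be matched, sorted or indexed server-side.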
