Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(data-masking): add docs for data masking utility #3186

Merged
merged 178 commits into from
Feb 1, 2024
Merged
Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
178 commits
Select commit Hold shift + click to select a range
236e223
Skeleton draft of data_masking docs
seshubaws Oct 10, 2023
025fc77
Added example getting started code to data masking docs
seshubaws Oct 11, 2023
0c0c4ac
Added SAM template example and fixed KMS permission info
seshubaws Oct 11, 2023
0112f69
Added clearer file names
seshubaws Oct 11, 2023
a45a4e3
Add testing your code example
seshubaws Oct 12, 2023
7b1645d
Added diagram and fixed highlighting in code examples
seshubaws Oct 12, 2023
3c83aa0
Added SAM template section to md file
seshubaws Oct 12, 2023
36faafb
Merge branch 'develop' into develop
leandrodamascena Oct 18, 2023
a2fbff8
Merge branch 'develop' into develop
leandrodamascena Oct 26, 2023
d26f78d
Merge branch 'develop' into develop
leandrodamascena Nov 6, 2023
3988f10
Separated examples into more tabs, fixed comments
seshubaws Nov 8, 2023
1609105
Fix mypy errors
seshubaws Nov 8, 2023
65a9e9f
Fix mypy errors
seshubaws Nov 14, 2023
9fc33b4
Fix mypy
seshubaws Nov 14, 2023
e631581
Remove itsdangerous
seshubaws Nov 14, 2023
2a959fb
fix mypy
seshubaws Nov 14, 2023
b206873
delete superflous init file
seshubaws Nov 14, 2023
bb1c2a9
Fix mypy
seshubaws Nov 14, 2023
ff8d490
Merge branch 'develop' into develop
seshubaws Nov 14, 2023
e87b05a
Merge branch 'develop' into develop
seshubaws Nov 21, 2023
9f0acb2
Reorganized data masking docs
seshubaws Nov 22, 2023
ae7deb6
nit fixes
seshubaws Nov 22, 2023
b8bd70f
Added itsdangerous as dev dep
seshubaws Nov 22, 2023
2f7c6b7
grammar fixes
seshubaws Dec 5, 2023
3199576
merging from develop
leandrodamascena Dec 8, 2023
b9c2c48
docs: refactor diag to make operations explicit
heitorlessa Dec 8, 2023
b35effd
docs: line editing for intro line
heitorlessa Dec 8, 2023
202d906
docs: line editing for one key feature
heitorlessa Dec 8, 2023
6687ebc
docs: Masking to Possible Operations to remove ambiguity
heitorlessa Dec 8, 2023
5942a70
Removing custom provider
leandrodamascena Dec 8, 2023
619292d
Adding banner
leandrodamascena Dec 8, 2023
c33f18e
docs: remove BYO from key features, highlight best practices
heitorlessa Dec 8, 2023
9ab5a40
Modifying SAM
leandrodamascena Dec 8, 2023
8965413
docs: line editing terminology
heitorlessa Dec 8, 2023
0762ba2
Revise docs
seshubaws Dec 9, 2023
3b49271
Modifying SAM
leandrodamascena Dec 11, 2023
bc97ca8
Merging from develop
leandrodamascena Dec 11, 2023
847c326
Removing itsdangerous dependency - we are not using
leandrodamascena Dec 11, 2023
ed768ca
Fixing mypy errors
leandrodamascena Dec 11, 2023
243e8cb
Adding more information
leandrodamascena Dec 11, 2023
b3f0884
Merge branch 'develop' into develop
leandrodamascena Dec 11, 2023
b6d0470
Added more info about fields param
seshubaws Dec 11, 2023
ef232de
Merge branch 'develop' into develop
leandrodamascena Dec 12, 2023
7111fba
Making error message actionable
leandrodamascena Dec 12, 2023
08fcadc
Making error message actionable
leandrodamascena Dec 12, 2023
3dc9d57
Making error message actionable
leandrodamascena Dec 12, 2023
410ed3b
docs: add first sequence diagram for operations
heitorlessa Dec 12, 2023
42a682b
docs: add encrypt operations sequence diagram
heitorlessa Dec 12, 2023
abe27f1
docs: remove dot notation from mask operation
heitorlessa Dec 12, 2023
a265b64
Adding typing
leandrodamascena Dec 12, 2023
e16833f
Fixes for SAM template comments
seshubaws Dec 13, 2023
ecf505e
Merge branch 'develop' into develop
seshubaws Dec 13, 2023
0cb967a
Add return types for mask()
seshubaws Dec 13, 2023
af86cd0
Merge branch 'develop' into develop
seshubaws Dec 13, 2023
e3c62fd
Addressing Seshu's feedback
leandrodamascena Dec 14, 2023
ebcc343
Merging from develop
leandrodamascena Dec 14, 2023
f41026b
Improving examples
leandrodamascena Dec 14, 2023
9413a26
Improving examples
leandrodamascena Dec 14, 2023
cfae267
docs: improve encrypt ops sequence diagram
heitorlessa Dec 14, 2023
74bbd60
docs: early caching msg before diagram
heitorlessa Dec 14, 2023
db318cd
docs: add caching in encryption sdk ops
heitorlessa Dec 14, 2023
fe184c4
Added max_bytes_encrypted to CMM
seshubaws Dec 14, 2023
65bf540
Fix mypy errors
seshubaws Dec 14, 2023
aacf0db
Adding logging + data type + variable names
leandrodamascena Dec 14, 2023
6970cbf
Added docstrings to baseprovider
seshubaws Dec 15, 2023
20f1315
Explain fields syntax more
seshubaws Dec 15, 2023
1879abc
Merge branch 'develop' into develop
heitorlessa Dec 15, 2023
5832e49
Merge branch 'develop' into develop
seshubaws Dec 15, 2023
007231a
Clarify fields param
seshubaws Dec 15, 2023
b395f12
docs: add decrypt operation diag
heitorlessa Dec 18, 2023
13a1f5d
docs: add encryption ctx, envelope encryption terminologies
heitorlessa Dec 18, 2023
0d8c530
docs: line editing terminology
heitorlessa Dec 18, 2023
352ed1e
docs: correct getting started, install sections
heitorlessa Dec 18, 2023
1dc130c
docs: add note on min memory and separation of concerns upfront
heitorlessa Dec 18, 2023
fd7fd71
docs: use newer Powertools log level env var
heitorlessa Dec 18, 2023
9b1bf22
docs: add missing logger ctx, remove metrics
heitorlessa Dec 18, 2023
7540dcc
docs: line editing comments
heitorlessa Dec 18, 2023
be60985
docs: add code annotation, further cleanup
heitorlessa Dec 18, 2023
963f8cc
docs: remove unused section
heitorlessa Dec 18, 2023
40644f1
docs: move navigation order, fix encryption typo
heitorlessa Dec 18, 2023
1b1f19b
Merge branch 'develop' into develop
heitorlessa Dec 18, 2023
9a33393
docs: line editing masking data
heitorlessa Dec 18, 2023
7733633
docs: fix file names in data masking
heitorlessa Dec 18, 2023
3d7b237
docs: add symmetric word in required resources
heitorlessa Dec 18, 2023
b816197
docs: line editing encrypting data
heitorlessa Dec 18, 2023
2bae940
docs: line editing decrypting data; code snippet fixes
heitorlessa Dec 18, 2023
8104cb3
docs: move load tests and traces upfront
heitorlessa Dec 18, 2023
a714623
docs: use pascal case for encryption sdk provider
heitorlessa Dec 18, 2023
fa24044
docs: remove redundant info from encryption sdk
heitorlessa Dec 18, 2023
0afe8fa
docs: add encryption message, link provider section
heitorlessa Dec 18, 2023
9b14252
docs: add initial encryption context section
heitorlessa Dec 18, 2023
b5a0aef
docs: add initial encryption context section
heitorlessa Dec 18, 2023
07cf100
docs: remove incorrect info on enc ctx being required, thus allowing …
heitorlessa Dec 18, 2023
24bcef7
docs: rename to AAD and add examples
heitorlessa Dec 18, 2023
ca7897f
docs: rename to AAD and add examples
heitorlessa Dec 18, 2023
fec33a6
Adding support to list/set/tuple fields + renaming the class of the p…
leandrodamascena Dec 18, 2023
74fccd7
Small fix
leandrodamascena Dec 18, 2023
a741e7e
Merge remote-tracking branch 'upstream/develop' into seshubaws/develop
leandrodamascena Dec 18, 2023
189bcba
Fixing typing
leandrodamascena Dec 18, 2023
483c1b4
Fixing typing
leandrodamascena Dec 18, 2023
79db91e
Small fixes
seshubaws Dec 18, 2023
e9d93bf
docs: rename to enc ctx and correct wording for upcoming API change t…
heitorlessa Dec 19, 2023
a0921a3
docs: use Dict as return as that's the expected return type
heitorlessa Dec 19, 2023
d9d9e31
docs: fix highlighting
heitorlessa Dec 19, 2023
93a20f8
docs: add choosing parts of your data section
heitorlessa Dec 19, 2023
e7ae1f1
docs: improve JSON section
heitorlessa Dec 19, 2023
ce37852
docs: break down field syntax into two sections
heitorlessa Dec 19, 2023
06fbb09
Merge branch 'develop' into develop
heitorlessa Dec 19, 2023
ea77812
refactor: allow customers to bring custom serializer/deserializer
heitorlessa Dec 19, 2023
f97ffb5
refactor: DataMasking depend on provider serializers
heitorlessa Dec 19, 2023
8b3c6d2
docs: add custom serializer example
heitorlessa Dec 19, 2023
f1c8dde
refactor: allow arbitrary encryption context
heitorlessa Dec 19, 2023
34f8e1b
docs: rename encryption context example
heitorlessa Dec 19, 2023
8519896
fix: encryption context propagation
heitorlessa Dec 19, 2023
7be9566
refactor: validate encryption context values
heitorlessa Dec 19, 2023
1ab12a2
docs: remove todo
heitorlessa Dec 19, 2023
e6889ba
pull out comparing enc_ctx into new method
seshubaws Dec 20, 2023
840b85b
Adding support to jsonpath-ng + refactoring tests
leandrodamascena Dec 20, 2023
2cad772
refactor: delegate encoding/decoding to shared fn as much as possible…
heitorlessa Dec 20, 2023
a770fa1
refactor: correct typing for encrypt
heitorlessa Dec 20, 2023
a918ced
refactor: correct typing for mask
heitorlessa Dec 20, 2023
f937d80
docs: correct code snippets typing
heitorlessa Dec 20, 2023
e9735d5
Adding flag to support raise on non existing field
leandrodamascena Dec 20, 2023
f763a11
docs: make it explicit the behaviour diff in encrypt & mask
heitorlessa Dec 20, 2023
634cfc2
Adding examples on how to access data
leandrodamascena Dec 20, 2023
4eef61e
Modifying perf test
leandrodamascena Dec 20, 2023
c284d4a
refactor: split lambda in partial + lambda to ease maintenance
heitorlessa Dec 20, 2023
b1da92e
refactor: decryption context for exact match
heitorlessa Dec 20, 2023
65b3d6a
chore: test encryption ctx validation
heitorlessa Dec 20, 2023
e0f4a3a
chore: fix linting on loop variable
heitorlessa Dec 20, 2023
fbed1a1
Adding complex examples + using ext ngjson
leandrodamascena Dec 20, 2023
d89cbcc
Adding text + increasing perf threshold
leandrodamascena Dec 20, 2023
5d1687e
Making utility public
leandrodamascena Dec 20, 2023
49b180a
Merge branch 'develop' into develop
leandrodamascena Dec 20, 2023
b0213a1
Adding chaging algorithm section
leandrodamascena Dec 20, 2023
64d6352
Merge branch 'develop' into develop
seshubaws Dec 20, 2023
95bc7a1
docs: address initial feedback
heitorlessa Dec 20, 2023
ace1c28
docs: re-incorporate initial feedback
heitorlessa Dec 20, 2023
429eb8a
Adding test
leandrodamascena Dec 20, 2023
85766bf
Fixed docstrings, added a test
seshubaws Jan 23, 2024
58c66f9
Merge develop from develop
seshubaws Jan 23, 2024
2328c50
Merge branch 'develop' into develop
leandrodamascena Jan 26, 2024
95098e5
Removed fields param from enc+dec methods
seshubaws Jan 29, 2024
af6932a
trying to fix pytest
seshubaws Jan 29, 2024
fbdcfd1
Merge branch 'develop' into develop
seshubaws Jan 29, 2024
9116ba6
trying to fix pytest
seshubaws Jan 29, 2024
5251e0c
Fix linting
seshubaws Jan 29, 2024
284d340
debug linting
seshubaws Jan 29, 2024
d01b657
debug linting
seshubaws Jan 29, 2024
00f6165
Changing mask to erase in docs, comments, etc
seshubaws Jan 29, 2024
5949cea
Fix for jsonpath upgrade
seshubaws Jan 29, 2024
cfa20c8
Fixing mypy typing
seshubaws Jan 29, 2024
7864bed
Merge branch 'develop' into develop
seshubaws Jan 29, 2024
eb66f19
test e2e
seshubaws Jan 30, 2024
0f01d50
Renaming files
leandrodamascena Jan 30, 2024
0d96349
Fixing examples
leandrodamascena Jan 30, 2024
990e8ad
Fixing examples
leandrodamascena Jan 30, 2024
cbc2b14
Merge branch 'develop' into develop
leandrodamascena Jan 30, 2024
a6bb1e3
Used AWS guidelines safe names in examples
seshubaws Jan 30, 2024
b7a3345
Merge branch 'develop' into develop
seshubaws Jan 30, 2024
62e1aba
Docs cleanup
seshubaws Jan 30, 2024
5ca7f99
Revise docs
seshubaws Jan 30, 2024
160b85f
Merge branch 'develop' into develop
leandrodamascena Jan 31, 2024
f116d3c
Update docs/utilities/data_masking.md
seshubaws Jan 31, 2024
839755a
Update docs/utilities/data_masking.md
seshubaws Jan 31, 2024
2a38326
Update docs/utilities/data_masking.md
seshubaws Jan 31, 2024
a6a975c
Added data masking to features lists, removed unnecessary tabs
seshubaws Jan 31, 2024
4156b3d
Made passing sdk args section more general
seshubaws Jan 31, 2024
f0cc727
Added using multiple keys section
seshubaws Jan 31, 2024
9d1d1e9
Fix lint
seshubaws Jan 31, 2024
581145d
Polishing few things
leandrodamascena Feb 1, 2024
b374d9f
Merge branch 'develop' into develop
leandrodamascena Feb 1, 2024
8f40a15
Addressing Heitor's feedback
leandrodamascena Feb 1, 2024
09f89ea
Adding workflow
leandrodamascena Feb 1, 2024
f19651d
Addressing GH hidden conversations
leandrodamascena Feb 1, 2024
f660683
Documentation
Feb 1, 2024
cfeb833
Final changes
leandrodamascena Feb 1, 2024
007fba7
Lock file
leandrodamascena Feb 1, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ Powertools for AWS Lambda (Python) is a developer toolkit to implement Serverles
* **[Event source data classes](https://docs.powertools.aws.dev/lambda/python/latest/utilities/data_classes/)** - Data classes describing the schema of common Lambda event triggers
* **[Parser](https://docs.powertools.aws.dev/lambda/python/latest/utilities/parser/)** - Data parsing and deep validation using Pydantic
* **[Idempotency](https://docs.powertools.aws.dev/lambda/python/latest/utilities/idempotency/)** - Convert your Lambda functions into idempotent operations which are safe to retry
* **[Data Masking](https://docs.powertools.aws.dev/lambda/python/latest/utilities/data_masking/)** - Protect confidential data with easy removal or encryption
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved
* **[Feature Flags](https://docs.powertools.aws.dev/lambda/python/latest/utilities/feature_flags/)** - A simple rule engine to evaluate when one or multiple features should be enabled depending on the input
* **[Streaming](https://docs.powertools.aws.dev/lambda/python/latest/utilities/streaming/)** - Streams datasets larger than the available memory as streaming data.

Expand Down
1 change: 1 addition & 0 deletions docs/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -701,6 +701,7 @@ Core utilities such as Tracing, Logging, Metrics, and Event Handler will be avai
| [**Event source data classes**](./utilities/data_classes.md){target="_blank"} | Data classes describing the schema of common Lambda event triggers |
| [**Parser**](./utilities/parser.md){target="_blank"} | Data parsing and deep validation using Pydantic |
| [**Idempotency**](./utilities/idempotency.md){target="_blank"} | Idempotent Lambda handler |
| [**Data Masking**](./utilities/data_masking.md){target="_blank"} | Protect confidential data with easy removal or encryption |
| [**Feature Flags**](./utilities/feature_flags.md){target="_blank"} | A simple rule engine to evaluate when one or multiple features should be enabled depending on the input |
| [**Streaming**](./utilities/streaming.md){target="_blank"} | Streams datasets larger than the available memory as streaming data. |

Expand Down
93 changes: 58 additions & 35 deletions docs/utilities/data_masking.md
seshubaws marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
Expand Up @@ -128,20 +128,19 @@ To encrypt, you will need an [encryption provider](#providers). Here, we will us
Under the hood, we delegate a [number of operations](#encrypt-operation-with-encryption-sdk-kms) to AWS Encryption SDK to authenticate, create a portable encryption message, and actual data encryption.

=== "getting_started_encrypt_data.py"

```python hl_lines="6-8 14-15 26"
--8<-- "examples/data_masking/src/getting_started_encrypt_data.py"
```

1. You can use more than one KMS Key for higher availability but increased latency. </br></br>Encryption SDK will ensure the data key is encrypted with both keys.

=== "generic_data_input.json"
```json hl_lines="7-9 14"
```json
--8<-- "examples/data_masking/src/generic_data_input.json"
```

=== "encrypt_data_output.json"
```json hl_lines="5-7 12"
```json
--8<-- "examples/data_masking/src/encrypt_data_output.json"
```

Expand All @@ -165,21 +164,23 @@ Under the hood, we delegate a [number of operations](#decrypt-operation-with-enc
1. Note that KMS key alias or key ID won't work.
2. You can use more than one KMS Key for higher availability but increased latency. </br></br>Encryption SDK will call `Decrypt` API with all master keys when trying to decrypt the data key.

=== "encrypt_data_output.json"
=== "getting_started_decrypt_data_input.json"

```json hl_lines="5-7 12"
--8<-- "examples/data_masking/src/encrypt_data_output.json"
```json
--8<-- "examples/data_masking/src/getting_started_decrypt_data_input.json"
```

=== "getting_started_decrypt_data_output.json"

```json hl_lines="5-7 12-17"
```json
--8<-- "examples/data_masking/src/getting_started_decrypt_data_output.json"
```

### Encryption context for integrity and authenticity
seshubaws marked this conversation as resolved.
Show resolved Hide resolved

For a stronger security posture, you can add metadata to each encryption operation, and verify them during decryption. This is known as additional authenticated data (AAD). These are non-sensitive data that can help protect authenticity and integrity of your encrypted data, and even help to prevent a [confused deputy](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) situation.
<!-- markdownlint-disable MD013 -->
For a stronger security posture, you can add metadata to each encryption operation, and verify them during decryption. This is known as additional authenticated data (AAD). These are non-sensitive data that can help protect authenticity and integrity of your encrypted data, and even help to prevent a [confused deputy](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html){target="_blank"} situation.
<!-- markdownlint-enable MD013 -->

???+ danger "Important considerations you should know"
1. **Exact match verification on decrypt**. Be careful using random data like `timestamps` as encryption context if you can't provide them on decrypt.
Expand All @@ -204,24 +205,23 @@ For a stronger security posture, you can add metadata to each encryption operati

### Choosing parts of your data

!!! note "We support `JSON` data types only - see [data serialization for more details](#data-serialization-and-preservation)."

???+ note "Current limitations"
1. The `fields` parameter is currently only available to use with the `erase` method, with the potential for it to be added to the `encrypt` and `decrypt` methods in the future.
1. The `fields` parameter is currently exclusive to the `erase` method, with potential future inclusion into `encrypt` and `decrypt`.
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved
2. We support `JSON` data types only - see [data serialization for more details](#data-serialization)."
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved

You can use the `fields` parameter with dot notation `.` to choose one or more parts of your data to `erase`. This is useful when you want to keep data structure intact except the confidential fields.
You can use the `fields` parameter with the dot notation `.` to choose one or more parts of your data to `erase`. This is useful when you want to keep data structure intact except the confidential fields.

When `fields` is present, `erase` behaves differently:

| Operation | Behavior | Example | Obfuscated |
| Operation | Behavior | Example | Result |
| --------- | ----------------------------------------------------------- | ----------------------- | ------------------------------- |
| `erase` | Replace data while keeping collections type intact. | `{"cards": ["a", "b"]}` | `{"cards": ["*****", "*****"]}` |

Here are common scenarios to best visualize how to use `fields`.

=== "Top keys only"

You want to obfuscate data in the `card_number` field.
You want to erase data in the `card_number` field.

=== "Data"

Expand All @@ -239,7 +239,7 @@ Here are common scenarios to best visualize how to use `fields`.

=== "Nested key"

You want to obfuscate data in the `postcode` field.
You want to erase data in the `postcode` field.

=== "Data"

Expand All @@ -257,7 +257,7 @@ Here are common scenarios to best visualize how to use `fields`.

=== "Multiple keys"

You want to obfuscate data in both `postcode` and `street` fields.
You want to erase data in both `postcode` and `street` fields.

=== "Data"

Expand All @@ -275,7 +275,7 @@ Here are common scenarios to best visualize how to use `fields`.

=== "All key items"

You want to obfuscate data under `address` field.
You want to erase data under `address` field.

=== "Data"

Expand All @@ -293,7 +293,7 @@ Here are common scenarios to best visualize how to use `fields`.

=== "Complex nested key"

You want to obfuscate data under `name` field.
You want to erase data under `name` field.

=== "Data"

Expand All @@ -311,7 +311,7 @@ Here are common scenarios to best visualize how to use `fields`.

=== "All fields in a list"

You want to obfuscate data under `street` field located at the any index of the address list.
You want to erase data under `street` field located at the any index of the address list.

=== "Data"

Expand All @@ -329,7 +329,7 @@ Here are common scenarios to best visualize how to use `fields`.

=== "Slicing a list"

You want to obfuscate data by slicing a list.
You want to erase data by slicing a list.

=== "Data"

Expand All @@ -347,7 +347,7 @@ Here are common scenarios to best visualize how to use `fields`.

=== "Complex expressions"

You want to obfuscate data by finding for a field with conditional expression.
You want to erase data by finding for a field with conditional expression.

=== "Data"

Expand All @@ -368,6 +368,7 @@ Here are common scenarios to best visualize how to use `fields`.
```json hl_lines="8 12"
--8<-- "examples/data_masking/src/choosing_payload_complex_search_output.json"
```

For comprehensive guidance on using JSONPath syntax, please refer to the official documentation available at [jsonpath-ng](https://github.com/h2non/jsonpath-ng#jsonpath-syntax){target="_blank" rel="nofollow"}

#### JSON
Expand Down Expand Up @@ -408,9 +409,9 @@ For compatibility or performance, you can optionally pass your own JSON serializ

=== "advanced_custom_serializer.py"
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved

```python hl_lines="17-18"
--8<-- "examples/data_masking/src/advanced_custom_serializer.py"
```
```python hl_lines="17-18"
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved
--8<-- "examples/data_masking/src/advanced_custom_serializer.py"
```

### Providers

Expand All @@ -425,15 +426,35 @@ You can modify the following values when initializing the `AWSEncryptionSDKProvi
| **max_messages_encrypted** | `4294967296` | The maximum number of messages that may be encrypted under a cache entry |
| **max_bytes_encrypted** | `9223372036854775807` | The maximum number of bytes that may be encrypted under a cache entry |

**Changing the default algorithm**
If required, you have the option to customize the default values when initializing the `AWSEncryptionSDKProvider` class.
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved

=== "aws_encryption_provider_example.py"

```python hl_lines="14-19"
--8<-- "examples/data_masking/src/aws_encryption_provider_example.py"
```
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved

The AWS Encryption SDK defaults to using the `AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384` algorithm for encrypting your Data Key. If you want, you have the flexibility to customize and choose a different encryption algorithm.
**Passing additional SDK arguments**
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved

You can pass additional arguments to the `AWSEncryptionSDKProvider` via the `provider_options` parameter. To learn more about the different arguments you can give to the SDK, see the [EncryptionSDKClient's documentation](https://aws-encryption-sdk-python.readthedocs.io/en/latest/generated/aws_encryption_sdk.html#aws_encryption_sdk.EncryptionSDKClient.encrypt){target="_blank"}.
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved

For example, the AWS Encryption SDK defaults to using the `AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384` algorithm for encrypting your Data Key. If you want, you have the flexibility to customize and choose a different encryption algorithm.

=== "changing_default_algorithm.py"
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved

```python hl_lines="5 26"
--8<-- "examples/data_masking/src/changing_default_algorithm.py"
```
```python hl_lines="5 26 30"
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved
--8<-- "examples/data_masking/src/changing_default_algorithm.py"
```

**Using multiple keys**
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved

The `AWSEncryptionSDKProvider` allows you to instantiate it with several KMS keys by passing them all in a `list` to the `keys` parameter. This could be beneficial if you own keys in different regions, enabling you to perform cross-regional encryption and decryption.
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved

=== "using_multiple_keys.py"
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved

```python hl_lines="15"
heitorlessa marked this conversation as resolved.
Show resolved Hide resolved
--8<-- "examples/data_masking/src/using_multiple_keys.py"
```

### Data masking request flow

Expand Down Expand Up @@ -577,11 +598,13 @@ sequenceDiagram
Testing your code with a simple erase operation

=== "test_lambda_mask.py"
```python hl_lines="22"
--8<-- "examples/data_masking/tests/test_lambda_mask.py"
```

```python hl_lines="22"
--8<-- "examples/data_masking/tests/test_lambda_mask.py"
```

=== "lambda_mask.py"
```python hl_lines="3 12"
--8<-- "examples/data_masking/tests/lambda_mask.py"
```

```python hl_lines="3 12"
--8<-- "examples/data_masking/tests/lambda_mask.py"
```
34 changes: 34 additions & 0 deletions examples/data_masking/src/aws_encryption_provider_example.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
from __future__ import annotations

import os

from aws_lambda_powertools import Logger
from aws_lambda_powertools.utilities.data_masking import DataMasking
from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import (
AWSEncryptionSDKProvider,
)
from aws_lambda_powertools.utilities.typing import LambdaContext

KMS_KEY_ARN = os.getenv("KMS_KEY_ARN", "")

encryption_provider = AWSEncryptionSDKProvider(
keys=[KMS_KEY_ARN],
local_cache_capacity=200,
max_cache_age_seconds=400,
max_messages_encrypted=200,
max_bytes_encrypted=2000)

data_masker = DataMasking(provider=encryption_provider)

logger = Logger()


@logger.inject_lambda_context
def lambda_handler(event: dict, context: LambdaContext) -> dict:
data: dict = event.get("body", {})

logger.info("Encrypting the whole object")

encrypted = data_masker.encrypt(data)

return {"body": encrypted}
4 changes: 2 additions & 2 deletions examples/data_masking/src/changing_default_algorithm.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,9 +25,9 @@ def lambda_handler(event: dict, context: LambdaContext) -> str:

provider_options = {"algorithm": Algorithm.AES_256_GCM_HKDF_SHA512_COMMIT_KEY}

decrypted = data_masker.encrypt(
encrypted = data_masker.encrypt(
data,
provider_options=provider_options,
)

return decrypted
return encrypted
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
"body": "AgV4uF5K2YMtNhYrtviTwKNrUHhqQr73l/jNfukkh+qLOC8AXwABABVhd3MtY3J5cHRvLXB1YmxpYy1rZXkAREEvcjEyaFZHY1R5cjJuTDNKbTJ3UFA3R3ZjaytIdi9hekZqbXVUb25Ya3J5SzFBOUlJZDZxZXpSR1NTVnZDUUxoZz09AAEAB2F3cy1rbXMAS2Fybjphd3M6a21zOnVzLWVhc3QtMToyMDA5ODQxMTIzODY6a2V5LzZkODJiMzRlLTM2NjAtNDRlMi04YWJiLTdmMzA1OGJlYTIxMgC4AQIBAHjxYXAO7wQGd+7qxoyvXAajwqboF5FL/9lgYUNJTB8VtAHBP2hwVgw+zypp7GoMNTPAAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMx/B25MTgWwpL7CmuAgEQgDtan3orAOKFUfyNm3v6rFcglb+BVVVDV71fj4aRljhpg1ixsYFaKsoej8NcwRktIiWE+mw9XmTEVb6xFQIAABAA9DeLzlRaRQgTcXMJG0iBu/YTyyDKiROD+bU1Y09X9RBz5LA1nWIENJKq2seAhNSB/////wAAAAEAAAAAAAAAAAAAAAEAAAEBExLJ9wI4n7t+wyPEEP4kjYFBdkmNuLLsVC2Yt8mv9Y1iH2G+/g9SaIcdK57pkoW0ECpBxZVOxCuhmK2s74AJCUdem9McjS1waUKyzYTi9vv2ySNBsABIDwT990rE7jZJ3tEZAqcWZg/eWlxvnksFR/akBWZKsKzFz6lF57+cTgdISCEJRV0E7fcUeCuaMaQGK1Qw2OCmIeHEG5j5iztBkZG2IB2CVND/AbxmDUFHwgjsrJPTzaDYSufcGMoZW1A9X1sLVfqNVKvnOFP5tNY7kPF5eAI9FhGBw8SjTqODXz4k6zuqzy9no8HtXowP265U8NZ5VbVTd/zuVEbZyK5KBqzP1sExW4RhnlpXMoOs9WSuAGcwZQIxANTeEwb9V7CacV2Urt/oCqysUzhoV2AcT2ZjryFqY79Tsg+FRpIx7cBizL4ieRzbhQIwcRasNncO5OZOcmVr0MqHv+gCVznndMgjXJmWwUa7h6skJKmhhMPlN0CsugxtVWnD"
}
29 changes: 29 additions & 0 deletions examples/data_masking/src/using_multiple_keys.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
from __future__ import annotations

import os

from aws_lambda_powertools import Logger
from aws_lambda_powertools.utilities.data_masking import DataMasking
from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import (
AWSEncryptionSDKProvider,
)
from aws_lambda_powertools.utilities.typing import LambdaContext

KMS_KEY_ARN_1 = os.getenv("KMS_KEY_ARN_1", "")
KMS_KEY_ARN_2 = os.getenv("KMS_KEY_ARN_2", "")

encryption_provider = AWSEncryptionSDKProvider(keys=[KMS_KEY_ARN_1, KMS_KEY_ARN_2])
data_masker = DataMasking(provider=encryption_provider)

logger = Logger()


@logger.inject_lambda_context
def lambda_handler(event: dict, context: LambdaContext) -> dict:
data: dict = event.get("body", {})

logger.info("Encrypting the whole object")

encrypted = data_masker.encrypt(data)

return {"body": encrypted}
Loading