Added using multiple keys section

docs/utilities/data_masking.md

@@ -417,19 +417,19 @@ For compatibility or performance, you can optionally pass your own JSON serializ
 
 You can modify the following values when initializing the `AWSEncryptionSDKProvider` to best accommodate your security and performance thresholds.
 
-=== "aws_encryption_provider_example.py"
-
-```python hl_lines="14-19"
---8<-- "examples/data_masking/src/aws_encryption_provider_example.py"
-```
-
 | Parameter                  | Default               | Description                                                                                   |
 | -------------------------- | --------------------- | --------------------------------------------------------------------------------------------- |
 | **local_cache_capacity**   | `100`                 | The maximum number of entries that can be retained in the local cryptographic materials cache |
 | **max_cache_age_seconds**  | `300`                 | The maximum time (in seconds) that a cache entry may be kept in the cache                     |
 | **max_messages_encrypted** | `4294967296`          | The maximum number of messages that may be encrypted under a cache entry                      |
 | **max_bytes_encrypted**    | `9223372036854775807` | The maximum number of bytes that may be encrypted under a cache entry                         |
 
+=== "aws_encryption_provider_example.py"
+
+```python hl_lines="14-19"
+--8<-- "examples/data_masking/src/aws_encryption_provider_example.py"
+```
+
 **Passing additional SDK arguments**
 
 You can pass additional arguments to the `AWSEncryptionSDKProvider` via the `provider_options` parameter. To learn more about the different arguments you can give to the SDK, see the [EncryptionSDKClient's documentation](https://aws-encryption-sdk-python.readthedocs.io/en/latest/generated/aws_encryption_sdk.html#aws_encryption_sdk.EncryptionSDKClient.encrypt){target="_blank"}.
@@ -438,10 +438,20 @@ For example, the AWS Encryption SDK defaults to using the `AES_256_GCM_HKDF_SHA5
 
 === "changing_default_algorithm.py"
 
-```python hl_lines="5 26"
+```python hl_lines="5 26 30"
 --8<-- "examples/data_masking/src/changing_default_algorithm.py"
 ```
 
+**Using multiple keys**
+
+The `AWSEncryptionSDKProvider` allows you to instantiate it with several KMS keys by passing them all in a `list` to the `keys` parameter. This could be beneficial if you own keys in different regions, enabling you to perform cross-regional encryption and decryption.
+
+=== "using_multiple_keys.py"
+
+```python hl_lines="15"
+--8<-- "examples/data_masking/src/using_multiple_keys.py"
+```
+
 ### Data masking request flow
 
 The following sequence diagrams explain how `DataMasking` behaves under different scenarios.

examples/data_masking/src/changing_default_algorithm.py

@@ -25,9 +25,9 @@ def lambda_handler(event: dict, context: LambdaContext) -> str:
 
     provider_options = {"algorithm": Algorithm.AES_256_GCM_HKDF_SHA512_COMMIT_KEY}
 
-    decrypted = data_masker.encrypt(
+    encrypted = data_masker.encrypt(
         data,
         provider_options=provider_options,
     )
 
-    return decrypted
+    return encrypted

examples/data_masking/src/using_multiple_keys.py

@@ -0,0 +1,29 @@
+from _future_ import annotations
+
+import os
+
+from aws_lambda_powertools import Logger
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import (
+    AWSEncryptionSDKProvider,
+)
+from aws_lambda_powertools.utilities.typing import LambdaContext
+
+KMS_KEY_ARN_1 = os.getenv("KMS_KEY_ARN_1", "")
+KMS_KEY_ARN_2 = os.getenv("KMS_KEY_ARN_2", "")
+
+encryption_provider = AWSEncryptionSDKProvider(keys=[KMS_KEY_ARN_1, KMS_KEY_ARN_2])
+data_masker = DataMasking(provider=encryption_provider)
+
+logger = Logger()
+
+
+@logger.inject_lambda_context
+def lambda_handler(event: dict, context: LambdaContext) -> dict:
+    data: dict = event.get("body", {})
+
+    logger.info("Encrypting the whole object")
+
+    encrypted = data_masker.encrypt(data)
+
+    return {"body": encrypted}