Client-side KMS reencryption

Severity
High

Decrypting a KMS ciphertext in the application and immediately encrypting the result again is both inefficient and risky. It costs two KMS API calls, and the plaintext is returned to the caller and held in process memory, where it can end up in logs, crash dumps, or the hands of an attacker who compromises the host. The KMS ReEncrypt API performs the decrypt and the encrypt inside KMS in a single call, so the plaintext never leaves the service; use it whenever the goal is only to move ciphertext to a different key or encryption context, for example during key rotation. ReEncrypt also needs narrower permissions: the caller requires kms:ReEncryptFrom on the source key and kms:ReEncryptTo on the destination key, not kms:Decrypt, so a rotation job can be granted the ability to re-wrap data without ever being able to read it.

Detector ID
java/aws-kms-reencryption@v1.0
Category

Noncompliant example

import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptRequest;

public SdkBytes withoutReEncryptNoncompliant(KmsClient client, SdkBytes encryptedContent) {
    DecryptRequest decryptRequest = DecryptRequest.builder()
            .ciphertextBlob(encryptedContent)
            .build();
    // The plaintext is returned to this process and held in memory here.
    SdkBytes plaintext = client.decrypt(decryptRequest).plaintext();
    // Noncompliant: client-side decrypt immediately followed by encrypt.
    EncryptRequest encryptRequest = EncryptRequest.builder()
            .keyId("my-key-id")
            .plaintext(plaintext)
            .build();
    return client.encrypt(encryptRequest).ciphertextBlob();
}

Compliant example

import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.ReEncryptRequest;

public SdkBytes withReEncryptCompliant(KmsClient client, SdkBytes encryptedContent) {
    // Compliant: uses a ReEncryptRequest, so decrypt and encrypt both run inside KMS
    // and the plaintext is never returned to this process.
    ReEncryptRequest req = ReEncryptRequest.builder()
            .ciphertextBlob(encryptedContent)
            .destinationKeyId("my-key-id")
            .build();
    return client.reEncrypt(req).ciphertextBlob();
}
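The compliant pattern above, carried through to a realistic use: a key-rotation job that re-wraps a batch of ciphertexts under a new KMS key while preserving their encryption context and recording per-item failures. This is an added example, not code from the detector page or from AWS. It assumes a live KmsClient built from the standard credential and region provider chain, that every ciphertext was originally encrypted with the encryption context the job supplies (ReEncrypt rejects a mismatch with InvalidCiphertextException), and that the caller holds kms:ReEncryptFrom on each source key and kms:ReEncryptTo on the destination key. The class name, the Outcome record and the "purpose" context key are illustrative choices.

```java
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.InvalidCiphertextException;
import software.amazon.awssdk.services.kms.model.KmsException;
import software.amazon.awssdk.services.kms.model.ReEncryptRequest;
import software.amazon.awssdk.services.kms.model.ReEncryptResponse;

/**
 * Example rotation job (not part of the detector page): moves ciphertexts to a
 * new KMS key with the server-side ReEncrypt API. Plaintext never enters this
 * process; KMS decrypts under the source key and re-encrypts under the
 * destination key internally.
 */
public final class KmsCiphertextRotation {

    /** Result for one ciphertext: the new blob plus both key ARNs, or an error. */
    public record Outcome(int index, SdkBytes newCiphertext,
                          String sourceKeyArn, String destinationKeyArn, String error) {
        static Outcome failed(int index, String error) {
            return new Outcome(index, null, null, null, error);
        }
    }

    private final KmsClient kms;
    private final String destinationKeyId;   // key ID, ARN or alias (assumed to exist)

    public KmsCiphertextRotation(KmsClient kms, String destinationKeyId) {
        this.kms = kms;
        this.destinationKeyId = destinationKeyId;
    }

    /**
     * Re-wraps one ciphertext under the destination key. The same encryption
     * context is passed for source and destination so the binding is preserved.
     * No sourceKeyId is given: for symmetric keys KMS reads it from the blob.
     */
    public ReEncryptResponse reEncrypt(SdkBytes ciphertext, Map<String, String> encryptionContext) {
        ReEncryptRequest request = ReEncryptRequest.builder()
                .ciphertextBlob(ciphertext)
                .sourceEncryptionContext(encryptionContext)
                .destinationKeyId(destinationKeyId)
                .destinationEncryptionContext(encryptionContext)
                .build();
        return kms.reEncrypt(request);
    }

    /** Re-encrypts every ciphertext, recording failures instead of aborting the batch. */
    public List<Outcome> rotateAll(List<SdkBytes> ciphertexts, Map<String, String> encryptionContext) {
        List<Outcome> outcomes = new ArrayList<>(ciphertexts.size());
        for (int i = 0; i < ciphertexts.size(); i++) {
            try {
                ReEncryptResponse r = reEncrypt(ciphertexts.get(i), encryptionContext);
                // sourceKeyId() and keyId() are the ARNs KMS actually used; keep them
                // for the audit trail and to spot records that were already migrated.
                outcomes.add(new Outcome(i, r.ciphertextBlob(), r.sourceKeyId(), r.keyId(), null));
            } catch (InvalidCiphertextException e) {
                // Tampered blob or wrong encryption context: retrying will not help.
                outcomes.add(Outcome.failed(i, "invalid ciphertext or context: " + e.getMessage()));
            } catch (KmsException e) {
                // Access denied, disabled key, throttling, etc.: leave the record untouched.
                outcomes.add(Outcome.failed(i, e.getMessage()));
            }
        }
        return Collections.unmodifiableList(outcomes);
    }

    public static void main(String[] args) {
        if (args.length < 2) {
            System.err.println("usage: KmsCiphertextRotation <destination-key> <base64-ciphertext>...");
            System.exit(2);
        }
        List<SdkBytes> inputs = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            inputs.add(SdkBytes.fromByteArray(Base64.getDecoder().decode(args[i])));
        }
        // Assumed context; it must equal the one used when the data was encrypted.
        Map<String, String> context = Map.of("purpose", "customer-records");
        try (KmsClient kms = KmsClient.create()) {
            new KmsCiphertextRotation(kms, args[0]).rotateAll(inputs, context)
                    .forEach(System.out::println);
        }
    }
}
```

Because the job only ever calls ReEncrypt, its IAM role can be limited to kms:ReEncryptFrom on the old key and kms:ReEncryptTo on the new one; a compromise of the rotation host then yields re-wrapped ciphertext, not plaintext, which is the property the noncompliant decrypt-then-encrypt pattern gives up.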