Decrypting ciphertext on the client and then re-encrypting it is inefficient and exposes the plaintext to the client, where it can leak. The re-encrypt
APIs perform the decryption and re-encryption on the server side, which is both more efficient and more secure.
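def kms_reencrypt_noncompliant():
    """Re-encrypt a KMS ciphertext by round-tripping the plaintext through the client.

    Kept as the *noncompliant* pattern: ``decrypt`` returns the plaintext to
    this process, which immediately hands it back to ``encrypt``. The plaintext
    therefore lives in client memory and crosses the wire twice for no reason;
    ``re_encrypt`` does the same job entirely inside KMS.

    Returns:
        The ``encrypt`` response dict from the KMS client.
    """
    import base64
    import boto3

    client = boto3.client('kms')
    # "secret" is a placeholder for a base64-encoded ciphertext blob.
    ciphertext = base64.b64decode("secret")
    decrypted = client.decrypt(CiphertextBlob=ciphertext)
    # Noncompliant: decrypt is immediately followed by encrypt.
    # decrypt() returns a response dict; the raw plaintext bytes are under the
    # 'Plaintext' key (the original passed the whole dict as Plaintext).
    response = client.encrypt(
        KeyId='string',
        Plaintext=decrypted['Plaintext'],
    )
    return response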
def kms_reencrypt_compliant():
    """Re-encrypt a KMS ciphertext under another key without seeing the plaintext.

    Compliant pattern: ``re_encrypt`` decrypts and re-encrypts inside KMS, so
    the plaintext is never returned to this process.

    Returns:
        The ``re_encrypt`` response dict from the KMS client.
    """
    import base64
    import boto3

    kms = boto3.client('kms')
    # "secret" and "string" are placeholders for the base64 ciphertext and the
    # destination key id/ARN. Supplying SourceKeyId as well is advisable so KMS
    # verifies the ciphertext was produced under the expected key.
    blob = bytes(base64.b64decode("secret"))
    # Compliant: server-side reencryption.
    return kms.re_encrypt(CiphertextBlob=blob, DestinationKeyId="string")