Encryption best practices for AWS Encryption SDK
The AWS Encryption SDK is an open-source, client-side encryption library. It uses industry standards and best practices to support implementation and interoperability in several programming languages. The AWS Encryption SDK encrypts data by using a secure, authenticated, symmetric key algorithm and offers a default implementation that adheres to cryptography best practices. For more information, see Supported algorithm suites in the AWS Encryption SDK.
One of the key features of the AWS Encryption SDK is support for encrypting data in use. By adopting an encrypt-then-use approach, you can encrypt sensitive data before it is processed by your application logic. This can help protect the data from potential exposure or tampering, even if the application itself is affected by a security event.
Consider the following best practices for this service:

- Adhere to all of the recommendations in Best practices for the AWS Encryption SDK.
- Select one or more wrapping keys to help protect your data keys. For more information, see Select wrapping keys.
- Pass the KeyId parameter to the ReEncrypt operation to help prevent use of an untrusted KMS key. For more information, see Improved client-side encryption: Explicit KeyIds and key commitment (AWS blog post).
- When using the AWS Encryption SDK with AWS KMS, use local KeyId filtering. For more information, see Improved client-side encryption: Explicit KeyIds and key commitment (AWS blog post).
- For applications with large volumes of traffic requiring encryption or decryption, or if your account is exceeding AWS KMS request quotas, you can use the data key caching feature of the AWS Encryption SDK. Note the following best practices for data key caching:
  - Configure cache security thresholds to limit how long each cached data key is used and how much data is protected under each data key. For recommendations when configuring these thresholds, see Setting cache security thresholds.
  - Limit the local cache to the smallest number of data keys necessary to achieve the performance improvements for your specific application use case. For instructions and an example of configuring limits for the local cache, see Using data key caching: Step-by-step.

  For more information, see AWS Encryption SDK: How to Decide if Data Key Caching Is Right for Your Application (AWS blog post).
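The following is an added example (not code from this page or from AWS) showing how the explicit-KeyId, local KeyId filtering, and data key caching recommendations fit together in the AWS Encryption SDK for Java: encryption uses a strict-mode provider bound to one KMS key behind a caching CMM with security thresholds, and decryption uses a discovery filter limited to one partition and account, then checks which wrapping key was actually used. The key ARN, account ID, and threshold values are placeholders you would replace with your own.

```java
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CommitmentPolicy;
import com.amazonaws.encryptionsdk.CryptoMaterialsManager;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.caching.CachingCryptoMaterialsManager;
import com.amazonaws.encryptionsdk.caching.LocalCryptoMaterialsCache;
import com.amazonaws.encryptionsdk.kms.DiscoveryFilter;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.concurrent.TimeUnit;

public class StrictKeyIdWithCaching {
    // Placeholders (assumed values): substitute your own KMS key ARN and the account that owns it.
    private static final String KEY_ARN =
        "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID";
    private static final String ACCOUNT_ID = "111122223333";
    public static void main(String[] args) {
        // Require key commitment on both encrypt and decrypt.
        final AwsCrypto crypto = AwsCrypto.builder()
            .withCommitmentPolicy(CommitmentPolicy.RequireEncryptRequireDecrypt).build();
        // Strict mode: data keys are wrapped only with this explicit KeyId.
        final KmsMasterKeyProvider strictProvider =
            KmsMasterKeyProvider.builder().buildStrict(KEY_ARN);
        // Data key caching with security thresholds: at most 10 cached keys, each reused
        // for no longer than 60 s, no more than 100 messages, and no more than 100 MiB.
        final CryptoMaterialsManager cachingCmm = CachingCryptoMaterialsManager.newBuilder()
            .withMasterKeyProvider(strictProvider)
            .withCache(new LocalCryptoMaterialsCache(10))
            .withMaxAge(60, TimeUnit.SECONDS)
            .withMessageUseLimit(100)
            .withByteUseLimit(100L * 1024 * 1024)
            .build();
        final CryptoResult<byte[], ?> enc = crypto.encryptData(cachingCmm,
            "constructed sample plaintext".getBytes(StandardCharsets.UTF_8),
            Collections.singletonMap("purpose", "demo"));
        // Decrypt in discovery mode, but the local filter restricts the SDK to keys in our
        // own partition and account, whatever key ARN the message header names.
        final DiscoveryFilter filter = new DiscoveryFilter("aws", Collections.singletonList(ACCOUNT_ID));
        final KmsMasterKeyProvider discoveryProvider =
            KmsMasterKeyProvider.builder().buildDiscovery(filter);
        final CryptoResult<byte[], ?> dec = crypto.decryptData(discoveryProvider, enc.getResult());
        // Check which wrapping key actually unwrapped the data key before trusting the plaintext.
        if (!dec.getMasterKeyIds().contains(KEY_ARN)) {
            throw new IllegalStateException("unexpected wrapping key: " + dec.getMasterKeyIds());
        }
        System.out.println(new String(dec.getResult(), StandardCharsets.UTF_8));
    }
}
```

Running this requires AWS credentials with kms:GenerateDataKey and kms:Decrypt permission on the key named by KEY_ARN; the cached data key is reused for later messages until one of the three thresholds is reached.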