- A fourth Crypto Action will be made available :
SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT, to join the existingDO_NOTHING,SIGN_ONLYandENCRYPT_AND_SIGN.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXTbehaves likeSIGN_ONLY, but also includes the value in the encryption context, making it available to the branch key selector. - The Parsed Header, returned from EncryptItem and DecryptItem, now returns two more fields
- encryptionContext : the full encryption context used for encryption
- selectorContext : the encryption context as presented to the branch key selector
- The Java Enhanced Client now supports Single Table Design. When using the DynamoDbEnhancedTableEncryptionConfig builder, one can now specify
schemaOnEncryptmultiple times, once for each class being modeled in the table. - There was a hard limit of 100 on the size of maps and lists in Items to be encrypted. This limit has been removed.
- support for .NET
- Beacon Styles :
- PartOnly : save a little bit of space for a beacon that used as part of a Compound Beacon, but never alone
- AsSet : turn a set of values into a set of beacons, rather than into a single beacon
- Twinned : calculate beacons for one attribute to be compatible with those from a different attribute
- TwinnedSet : both AsSet and Twinned
- Global Parts List : all compound beacons can now share a single list of Parts
- Test vectors to ensure cross language compatibility
- explicit error message when searching on a Compound Beacon that could never exist.
- New APIs : ResolveAttributes and GetVirtualFields to assist in development and debugging.
- String compare for client side filtering of Scan and Query results could sometimes produce the wrong result for certain characters.
Fixed an issue where, when using the DynamoDbEncryptionInterceptor, an encrypted item in the Attributes field of a DeleteItem, PutItem, or UpdateItem response was passed through unmodified instead of being decrypted.
Issue when a DynamoDB Set attribute is marked as SIGN_ONLY in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB.
DB-ESDK for DynamoDB supports SIGN_ONLY and ENCRYPT_AND_SIGN attribute actions. In version 3.1.0 and below, when a Set type is assigned a SIGN_ONLY attribute action, there is a chance that signature validation of the record containing a Set will fail on read, even if the Set attributes contain the same values. The probability of a failure depends on the order of the elements in the Set combined with how DynamoDB returns this data, which is undefined.
This update addresses the issue by ensuring that any Set values are canonicalized in the same order while written to DynamoDB as when read back from DynamoDB.
See: https://github.com/aws/aws-database-encryption-sdk-dynamodb-java/tree/v3.1.1/DecryptWithPermute for additional details for additional details
- Support underscores in DynamoDB expression attribute names
- Upgrade various library dependencies
- A variety of fixes to the library's CI and testing
- Updates to the AWS Cryptographic Material Providers Library for Java,
a pivotal dependency of the this library,
introduce Thread Safe Cryptographic Materials Caches (CMCs):
- Storm Tracking Cache
Safe for use in a multi threaded environment,
tries to prevent redundant or overly parallel backend calls.
See Spec changes for details. - Multi Threaded Cache
Safe for use in a multi threaded environment,
but no extra functionality
- Storm Tracking Cache
- Examples for using the Enhanced Client via Lombok Annotation and TableSchemaBuilder
- Detection of ignored DynamoDB Encryption Configuration Tags due to Nested Data Models
- Multi Threading Example
- Updates to the AWS Cryptographic Material Providers Library for Java,
a pivotal dependency of the this library,
introduce the following breaking changes:
- CMCs:
- Original Cryptographic Materials Cache has been renamed to Single Threaded Cache
CreateCryptographicMaterialsCacheInputnow ONLY acceptsCacheType,
which determines which, if any, of the three implemented CMCs will be returned.- The
DefaultCacheisStormTrackingCache
CreateAwsKmsHierarchicalKeyringInput:- no longer has a
maxCacheSizefield - now has an optional
cachefield for aCacheType
- no longer has a
- Hierarchical Keyring's Key Store:
- The Hierarchical Keyring's Key Store's Data Structure has changed.
As such, entries persisted in the Key Store with prior versions of this library are NOT compatible.
Instead, we recommend Creating a new DynamoDB Table for this version of the Key Store. - The Key Store's
CreateKeyInputnow takes:- An Optional
String branchKeyIdentifier - An Optional
EncryptionContext encryptionContext- This
encryptionContextwill be added to the Encryption Context sent to KMS prefixed withaws-crypto-ec:
- This
- An Optional
- Creating a Key now also calls KMS:ReEncrypt
CreateKeyStoreno longer creates a GSI- The Encryption Context used with KMS'
GenerateDataKeyWithoutPlaintextno longer includes the discarded GSI'sstatus. - More details about the Key Store's changes are available in our Specification:
- The Hierarchical Keyring's Key Store's Data Structure has changed.
- CMCs:
- With the Enhanced Client, Identify Only Index attributes for Sign Only, NOT all Key Attributes, such as Auto Generated Last Modified Time Stamp.
- A variety of fixes to the libraries CI and testing
- The AWS SDK Core MUST NOT be depended on directly.
- Initial release of the AWS Database Encryption SDK. This release is considered a developer preview and is not intended for production use cases.