# The AWS Encryption SDK - Python does not implement Keyrings # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.5 # //= type=exception # //# MUST implement the AWS Encryption SDK Keyring interface (../keyring- # //# interface.md#interface) # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.6 # //= type=exception # //# On initialization the caller MUST provide: # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.6 # //= type=exception # //# The AWS KMS key identifier MUST NOT be null or empty. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.6 # //= type=exception # //# The AWS KMS # //# SDK client MUST NOT be null. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# OnEncrypt MUST take encryption materials (structures.md#encryption- # //# materials) as input. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# If the input encryption materials (structures.md#encryption- # //# materials) do not contain a plaintext data key OnEncrypt MUST attempt # //# to generate a new plaintext data key by calling AWS KMS # //# GenerateDataKey (https://docs.aws.amazon.com/kms/latest/APIReference/ # //# API_GenerateDataKey.html). # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# If the keyring calls AWS KMS GenerateDataKeys, it MUST use the # //# configured AWS KMS client to make the call. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# The keyring MUST call # //# AWS KMS GenerateDataKeys with a request constructed as follows: # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# If the call to AWS KMS GenerateDataKey # //# (https://docs.aws.amazon.com/kms/latest/APIReference/ # //# API_GenerateDataKey.html) does not succeed, OnEncrypt MUST NOT modify # //# the encryption materials (structures.md#encryption-materials) and # //# MUST fail. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# If the Generate Data Key call succeeds, OnEncrypt MUST verify that # //# the response "Plaintext" length matches the specification of the # //# algorithm suite (algorithm-suites.md)'s Key Derivation Input Length # //# field. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# The Generate Data Key response's "KeyId" MUST be A valid AWS # //# KMS key ARN (aws-kms-key-arn.md#identifying-an-aws-kms-multi-region- # //# key). # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# If verified, OnEncrypt MUST do the following with the response # //# from AWS KMS GenerateDataKey # //# (https://docs.aws.amazon.com/kms/latest/APIReference/ # //# API_GenerateDataKey.html): # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# * OnEncrypt MUST output the modified encryption materials # //# (structures.md#encryption-materials) # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# Given a plaintext data key in the encryption materials # //# (structures.md#encryption-materials), OnEncrypt MUST attempt to # //# encrypt the plaintext data key using the configured AWS KMS key # //# identifier. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# The keyring MUST call AWS KMS Encrypt # //# (https://docs.aws.amazon.com/kms/latest/APIReference/ # //# API_Encrypt.html) using the configured AWS KMS client. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# The keyring # //# MUST AWS KMS Encrypt call with a request constructed as follows: # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# If the call to AWS KMS Encrypt # //# (https://docs.aws.amazon.com/kms/latest/APIReference/ # //# API_Encrypt.html) does not succeed, OnEncrypt MUST fail. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# If the Encrypt call succeeds The response's "KeyId" MUST be A valid # //# AWS KMS key ARN (aws-kms-key-arn.md#identifying-an-aws-kms-multi- # //# region-key). # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# If verified, OnEncrypt MUST do the following with the # //# response from AWS KMS Encrypt # //# (https://docs.aws.amazon.com/kms/latest/APIReference/ # //# API_Encrypt.html): # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.7 # //= type=exception # //# If all Encrypt calls succeed, OnEncrypt MUST output the modified # //# encryption materials (structures.md#encryption-materials). # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# OnDecrypt MUST take decryption materials (structures.md#decryption- # //# materials) and a list of encrypted data keys # //# (structures.md#encrypted-data-key) as input. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# The set of encrypted data keys MUST first be filtered to match this # //# keyring's configuration. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# * Its provider ID MUST exactly match the value "aws-kms". # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# * The the function AWS KMS MRK Match for Decrypt (aws-kms-mrk-match- # //# for-decrypt.md#implementation) called with the configured AWS KMS # //# key identifier and the provider info MUST return "true". # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# For each encrypted data key in the filtered set, one at a time, the # //# OnDecrypt MUST attempt to decrypt the data key. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# If this attempt # //# results in an error, then these errors MUST be collected. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# To attempt to decrypt a particular encrypted data key # //# (structures.md#encrypted-data-key), OnDecrypt MUST call AWS KMS # //# Decrypt (https://docs.aws.amazon.com/kms/latest/APIReference/ # //# API_Decrypt.html) with the configured AWS KMS client. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# When calling AWS KMS Decrypt # //# (https://docs.aws.amazon.com/kms/latest/APIReference/ # //# API_Decrypt.html), the keyring MUST call with a request constructed # //# as follows: # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# * The "KeyId" field in the response MUST equal the configured AWS # //# KMS key identifier. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# * The length of the response's "Plaintext" MUST equal the key # //# derivation input length (algorithm-suites.md#key-derivation-input- # //# length) specified by the algorithm suite (algorithm-suites.md) # //# included in the input decryption materials # //# (structures.md#decryption-materials). # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# If the response does not satisfies these requirements then an error # //# MUST be collected and the next encrypted data key in the filtered set # //# MUST be attempted. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# If the response does satisfies these requirements then OnDecrypt MUST # //# do the following with the response: # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# If OnDecrypt fails to successfully decrypt any encrypted data key # //# (structures.md#encrypted-data-key), then it MUST yield an error that # //# includes all the collected errors. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# If OnDecrypt fails to successfully decrypt any encrypted data key # //# (structures.md#encrypted-data-key), then it MUST yield an error that # //# includes all the collected errors. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.6 # //= type=exception # //# The AWS KMS # //# key identifier MUST be a valid identifier (aws-kms-key-arn.md#a- # //# valid-aws-kms-identifier). # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# * The provider info MUST be a valid AWS KMS ARN (aws-kms-key- # //# arn.md#a-valid-aws-kms-arn) with a resource type of "key" or # //# OnDecrypt MUST fail. # //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8 # //= type=exception # //# If the decryption materials (structures.md#decryption-materials) # //# already contained a valid plaintext data key OnDecrypt MUST # //# immediately return the unmodified decryption materials # //# (structures.md#decryption-materials).