You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/utilities/data_masking.md
+26-20Lines changed: 26 additions & 20 deletions
Original file line number
Diff line number
Diff line change
@@ -109,14 +109,14 @@ Erasing will remove the original data and replace it with a `*****`. This means
109
109
1. See [working with nested data](#working-with-nested-data) to learn more about the `fields` parameter. </br></br>If we omit `fields` parameter, the entire dictionary will be erased with `*****`.
@@ -135,14 +135,14 @@ Under the hood, we delegate a [number of operations](#encrypt-operation-with-enc
135
135
1. You can use more than one KMS Key for higher availability but increased latency. </br></br>Encryption SDK will ensure the data key is encrypted with both keys.
@@ -164,21 +164,23 @@ Under the hood, we delegate a [number of operations](#decrypt-operation-with-enc
164
164
1. Note that KMS key alias or key ID won't work.
165
165
2. You can use more than one KMS Key for higher availability but increased latency. </br></br>Encryption SDK will call `Decrypt` API with all master keys when trying to decrypt the data key.
### Encryption context for integrity and authenticity
180
180
181
+
<!-- markdownlint-disable MD013 -->
181
182
For a stronger security posture, you can add metadata to each encryption operation, and verify them during decryption. This is known as additional authenticated data (AAD). These are non-sensitive data that can help protect authenticity and integrity of your encrypted data, and even help to prevent a [confused deputy](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html){target="_blank"} situation.
183
+
<!-- markdownlint-enable MD013 -->
182
184
183
185
???+ danger "Important considerations you should know"
184
186
1. **Exact match verification on decrypt**. Be careful using random data like `timestamps` as encryption context if you can't provide them on decrypt.
@@ -205,7 +207,7 @@ For a stronger security posture, you can add metadata to each encryption operati
205
207
206
208
???+ note "Current limitations"
207
209
1. The `fields` parameter is currently exclusive to the `erase` method, with potential future inclusion into `encrypt` and `decrypt`.
208
-
2. We support `JSON` data types only - see [data serialization for more details](#data-serialization-and-preservation)."
210
+
2. We support `JSON` data types only - see [data serialization for more details](#data-serialization)."
209
211
210
212
You can use the `fields` parameter with the dot notation `.` to choose one or more parts of your data to `erase`. This is useful when you want to keep data structure intact except the confidential fields.
211
213
@@ -424,6 +426,8 @@ You can modify the following values when initializing the `AWSEncryptionSDKProvi
424
426
|**max_messages_encrypted**|`4294967296`| The maximum number of messages that may be encrypted under a cache entry |
425
427
|**max_bytes_encrypted**|`9223372036854775807`| The maximum number of bytes that may be encrypted under a cache entry |
426
428
429
+
If required, you have the option to customize the default values when initializing the `AWSEncryptionSDKProvider` class.
0 commit comments