Encrypting:
  1. Generate an encryption key; call this the data key.
  2. Use this data key to encrypt the data.
  3. Encrypt the data key with a master key.
  4. Discard the plaintext data key.
Decrypting:
  5. Fetch the wrapped data key and the encrypted data.
  6. Use KMS to decrypt the wrapped data key.
  7. Use the decrypted data key to decrypt the encrypted data.
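The seven steps above worked through in Go as an added example (not credstash's own code, which is Python, and not the AWS SDK): AES-256-GCM does both the data encryption and the key wrapping, and a locally held master key stands in for the KMS master key so the example runs offline. Put and Get are names chosen here; steps 1 and 3 together are what kms:GenerateDataKey returns in AWS (a plaintext data key plus the same key wrapped under the master key), and step 6 is kms:Decrypt.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func must[T any](v T, err error) T { // an error here means a bug or a broken system RNG
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts and authenticates with AES-256-GCM; the random nonce is prepended.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered ciphertext fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Put is steps 1-4; masterKey stands in for the KMS master key, which in AWS never leaves KMS.
func Put(masterKey, secret []byte) (wrappedKey, ciphertext []byte) {
	dataKey := make([]byte, 32) // step 1: a fresh 256-bit data key
	must(rand.Read(dataKey))
	ciphertext = seal(dataKey, secret)         // step 2: encrypt the data
	wrappedKey = seal(masterKey, dataKey)      // step 3: wrap the data key
	copy(dataKey, make([]byte, len(dataKey))) // step 4: discard the plaintext key
	return wrappedKey, ciphertext             // only these two are stored
}

// Get is steps 5-7: unwrap the data key (kms:Decrypt), then decrypt the data.
func Get(masterKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	dataKey, err := open(masterKey, wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, ciphertext)
}
```

Because only the wrapped key is stored, a reader of the table still needs kms:Decrypt on the master key to recover anything, so the read-side policy grants kms:Decrypt (plus DynamoDB read access to the table) rather than the kms:GenerateDataKey shown in the write-side policy below.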
credstash put super.secret 1234asdf
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [ "kms:GenerateDataKey" ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-east-1:AWSACCOUNTID:key/KEY-GUID"
    },
    {
      "Action": [ "dynamodb:PutItem" ],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:us-east-1:AWSACCOUNTID:table/credential-store"
    }
  ]
}
By Tim O'Guin