使用 Amazon KMS 加密值,使用 DynamoDB 和 Lambda (NodeJS) 存储/检索
Encrypting values using Amazon KMS, storing / retrieving using DynamoDB with Lambda (NodeJS)
我有一个将数据写入 DynamoDB 的 Lambda(NodeJS) 函数。其中一些数据需要加密。我正在使用 KMS 加密和存储进行加密。当我使用不同的 Lambda 函数从 Dynamo 检索并尝试解密时,出现错误。如果我加密然后再解密,我可以做到这一点,但如果我从数据库中读取加密值,它就不会解密。
我的 encrypt/store 代码如下:
console.log('Loading event');
var AWS = require('aws-sdk');
var keyId = "arn:aws:kms:us-east-1:5423542542:key/xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxx";
var tableName = "person";
var dynamoDBConfiguration = {
"region": "us-west-2"
};
AWS.config.update(dynamoDBConfiguration);
var dynamodb = new AWS.DynamoDB({apiVersion: '2012-08-10'});
var kms = new AWS.KMS({region: 'us-east-1'});
var newId = "1234-56789-101112-13141516";
var item = {};
exports.handler = function (event, context) {
console.log('ssn');
//encrypt it
var ssnParams = {
KeyId: keyId,
Plaintext: "123-45-6789"
};
kms.encrypt(ssnParams, function (err, data) {
if (err) {
console.log(err, err.stack);
}
else {
console.log(' ssn encrypted');
var enc_ssn = data.CiphertextBlob;
item["SSN"] = {"Value": {"B": enc_ssn}};
item["First_Name"] = {"Value": {"S": "Joe"}};
item["Last_Name"] = {"Value": {"S": "Blow"}};
dynamodb.updateItem({
"TableName": tableName,
"AttributeUpdates": item,
"ReturnValues": "ALL_NEW",
"Key": {
"id": {"S": newId}
}
}, function (err, data) {
if (err) {
context.done(err);
}
else {
console.log('great success: %j', data);
context.succeed("Person Successfully Inserted");
}
});
}
});
};
我的retrieval/decrypt代码如下:
console.log('Loading event');
var AWS = require('aws-sdk');
var dynamoDBConfiguration = {
"region": "us-west-2"
};
AWS.config.update(dynamoDBConfiguration);
var dynamodb = new AWS.DynamoDB({apiVersion: '2012-08-10'});
var keyId = "arn:aws:kms:us-east-1:5423542542:key/xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxx";
var tableName = "person";
var kms = new AWS.KMS({region: 'us-east-1'});
exports.handler = function (event, context) {
console.log(JSON.stringify(event, null, ' '));
var params = {};
var id = event.id;
console.log(id);
if (id && id !== '') {
params = {
"TableName": tableName,
KeyConditionExpression: "id = :id",
ExpressionAttributeValues: {
':id': {'S': id}
}
};
dynamodb.query(params, function (err, data) {
if (err) {
context.done(err);
}
else {
var person = data.Items[0];
console.log('query success');
console.log(person);
if (person.SSN) {
console.log('have ssn');
var b_ssn = person.SSN;
console.log(b_ssn);
person.SSNtext = "";
var encryptedParams = {
CiphertextBlob: Buffer(b_ssn, 'base64'),
};
kms.decrypt(encryptedParams, function (err, decrypteddata) {
if (err) {
console.log(err, err.stack);
//context.done(err);
}
else {
person.SSNtext = decrypteddata.Plaintext.toString();
console.log(decrypteddata.Plaintext.toString());
context.succeed(person);
}
});
}
}
});
}
else {
params = {
"TableName": tableName
};
dynamodb.scan(params, function (err, data) {
if (err) {
context.done(err);
}
else {
console.log('scan success');
context.succeed(data);
}
});
}
};
当我运行这段代码时,我得到以下错误:
START RequestId: 639590ac-cb95-11e5-91e4-d706c725f529 Version: $LATEST
2016-02-04T23:16:58.713Z 639590ac-cb95-11e5-91e4-d706c725f529 Loading event
2016-02-04T23:17:00.215Z 639590ac-cb95-11e5-91e4-d706c725f529 {
"id": "1234-56789-101112-13141516"
}
2016-02-04T23:17:00.215Z 639590ac-cb95-11e5-91e4-d706c725f529 1234-56789-101112-13141516
2016-02-04T23:17:00.954Z 639590ac-cb95-11e5-91e4-d706c725f529 query success
2016-02-04T23:17:00.954Z 639590ac-cb95-11e5-91e4-d706c725f529 { Last_Name: { S: 'Blow' },
id: { S: '1234-56789-101112-13141516' },
First_Name: { S: 'Joe' },
SSN: { B: <Buffer 0a 20 ec 00 75 21 f2 61 7d ba 2e 38 7e c6 fd 24 6d 32 b4 c2 b3 29 47 9e 9b 97 f2 a8 46 f2 d0 38 da 37 12 92 01 01 01 02 00 78 ec 00 75 21 f2 61 7d ba 2e ...> } }
2016-02-04T23:17:00.956Z 639590ac-cb95-11e5-91e4-d706c725f529 have ssn
2016-02-04T23:17:00.956Z 639590ac-cb95-11e5-91e4-d706c725f529 { B: <Buffer 0a 20 ec 00 75 21 f2 61 7d ba 2e 38 7e c6 fd 24 6d 32 b4 c2 b3 29 47 9e 9b 97 f2 a8 46 f2 d0 38 da 37 12 92 01 01 01 02 00 78 ec 00 75 21 f2 61 7d ba 2e ...> }
2016-02-04T23:17:01.573Z 639590ac-cb95-11e5-91e4-d706c725f529 { [InvalidCiphertextException: null]
message: null,
code: 'InvalidCiphertextException',
time: Thu Feb 04 2016 23:17:01 GMT+0000 (UTC),
我可以对加密值进行加密和解密,但是当我存储该值、检索它并尝试解密时,它失败了。任何帮助将不胜感激。
好的 - 我已经开始工作了,我想在此处 post 以防其他人遇到同样的问题。当你将数据放入 DynamoDB 时,你使用这样的东西:
item["First_Name"] = {"Value":{"S": "Joe"}};
当我检索它时,我没有得到一个字符串,我得到了一个对象。因此,当我刚刚检索到名为 person 的行时,我必须得到这样的值:
first_name = person.First_Name.S;
//results in first_name = "Joe";
所以我遇到的问题是我试图将对象 person.First_Name 传递给解密方法,而不是 person.First_Name.S
的值
我有一个将数据写入 DynamoDB 的 Lambda(NodeJS) 函数。其中一些数据需要加密。我正在使用 KMS 加密和存储进行加密。当我使用不同的 Lambda 函数从 Dynamo 检索并尝试解密时,出现错误。如果我加密然后再解密,我可以做到这一点,但如果我从数据库中读取加密值,它就不会解密。 我的 encrypt/store 代码如下:
console.log('Loading event');
var AWS = require('aws-sdk');
var keyId = "arn:aws:kms:us-east-1:5423542542:key/xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxx";
var tableName = "person";
var dynamoDBConfiguration = {
"region": "us-west-2"
};
AWS.config.update(dynamoDBConfiguration);
var dynamodb = new AWS.DynamoDB({apiVersion: '2012-08-10'});
var kms = new AWS.KMS({region: 'us-east-1'});
var newId = "1234-56789-101112-13141516";
var item = {};
exports.handler = function (event, context) {
console.log('ssn');
//encrypt it
var ssnParams = {
KeyId: keyId,
Plaintext: "123-45-6789"
};
kms.encrypt(ssnParams, function (err, data) {
if (err) {
console.log(err, err.stack);
}
else {
console.log(' ssn encrypted');
var enc_ssn = data.CiphertextBlob;
item["SSN"] = {"Value": {"B": enc_ssn}};
item["First_Name"] = {"Value": {"S": "Joe"}};
item["Last_Name"] = {"Value": {"S": "Blow"}};
dynamodb.updateItem({
"TableName": tableName,
"AttributeUpdates": item,
"ReturnValues": "ALL_NEW",
"Key": {
"id": {"S": newId}
}
}, function (err, data) {
if (err) {
context.done(err);
}
else {
console.log('great success: %j', data);
context.succeed("Person Successfully Inserted");
}
});
}
});
};
我的retrieval/decrypt代码如下:
console.log('Loading event');
var AWS = require('aws-sdk');
var dynamoDBConfiguration = {
"region": "us-west-2"
};
AWS.config.update(dynamoDBConfiguration);
var dynamodb = new AWS.DynamoDB({apiVersion: '2012-08-10'});
var keyId = "arn:aws:kms:us-east-1:5423542542:key/xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxx";
var tableName = "person";
var kms = new AWS.KMS({region: 'us-east-1'});
exports.handler = function (event, context) {
console.log(JSON.stringify(event, null, ' '));
var params = {};
var id = event.id;
console.log(id);
if (id && id !== '') {
params = {
"TableName": tableName,
KeyConditionExpression: "id = :id",
ExpressionAttributeValues: {
':id': {'S': id}
}
};
dynamodb.query(params, function (err, data) {
if (err) {
context.done(err);
}
else {
var person = data.Items[0];
console.log('query success');
console.log(person);
if (person.SSN) {
console.log('have ssn');
var b_ssn = person.SSN;
console.log(b_ssn);
person.SSNtext = "";
var encryptedParams = {
CiphertextBlob: Buffer(b_ssn, 'base64'),
};
kms.decrypt(encryptedParams, function (err, decrypteddata) {
if (err) {
console.log(err, err.stack);
//context.done(err);
}
else {
person.SSNtext = decrypteddata.Plaintext.toString();
console.log(decrypteddata.Plaintext.toString());
context.succeed(person);
}
});
}
}
});
}
else {
params = {
"TableName": tableName
};
dynamodb.scan(params, function (err, data) {
if (err) {
context.done(err);
}
else {
console.log('scan success');
context.succeed(data);
}
});
}
};
当我运行这段代码时,我得到以下错误:
START RequestId: 639590ac-cb95-11e5-91e4-d706c725f529 Version: $LATEST
2016-02-04T23:16:58.713Z 639590ac-cb95-11e5-91e4-d706c725f529 Loading event
2016-02-04T23:17:00.215Z 639590ac-cb95-11e5-91e4-d706c725f529 {
"id": "1234-56789-101112-13141516"
}
2016-02-04T23:17:00.215Z 639590ac-cb95-11e5-91e4-d706c725f529 1234-56789-101112-13141516
2016-02-04T23:17:00.954Z 639590ac-cb95-11e5-91e4-d706c725f529 query success
2016-02-04T23:17:00.954Z 639590ac-cb95-11e5-91e4-d706c725f529 { Last_Name: { S: 'Blow' },
id: { S: '1234-56789-101112-13141516' },
First_Name: { S: 'Joe' },
SSN: { B: <Buffer 0a 20 ec 00 75 21 f2 61 7d ba 2e 38 7e c6 fd 24 6d 32 b4 c2 b3 29 47 9e 9b 97 f2 a8 46 f2 d0 38 da 37 12 92 01 01 01 02 00 78 ec 00 75 21 f2 61 7d ba 2e ...> } }
2016-02-04T23:17:00.956Z 639590ac-cb95-11e5-91e4-d706c725f529 have ssn
2016-02-04T23:17:00.956Z 639590ac-cb95-11e5-91e4-d706c725f529 { B: <Buffer 0a 20 ec 00 75 21 f2 61 7d ba 2e 38 7e c6 fd 24 6d 32 b4 c2 b3 29 47 9e 9b 97 f2 a8 46 f2 d0 38 da 37 12 92 01 01 01 02 00 78 ec 00 75 21 f2 61 7d ba 2e ...> }
2016-02-04T23:17:01.573Z 639590ac-cb95-11e5-91e4-d706c725f529 { [InvalidCiphertextException: null]
message: null,
code: 'InvalidCiphertextException',
time: Thu Feb 04 2016 23:17:01 GMT+0000 (UTC),
我可以对加密值进行加密和解密,但是当我存储该值、检索它并尝试解密时,它失败了。任何帮助将不胜感激。
好的 - 我已经开始工作了,我想在此处 post 以防其他人遇到同样的问题。当你将数据放入 DynamoDB 时,你使用这样的东西:
item["First_Name"] = {"Value":{"S": "Joe"}};
当我检索它时,我没有得到一个字符串,我得到了一个对象。因此,当我刚刚检索到名为 person 的行时,我必须得到这样的值:
first_name = person.First_Name.S;
//results in first_name = "Joe";
所以我遇到的问题是我试图将对象 person.First_Name 传递给解密方法,而不是 person.First_Name.S
的值