The Amazon DynamoDB Encryption Client, a software library that helps you to encrypt your sensitive data both in transit and at rest, is now available in Python as well as Java.
The main focus of the Amazon DynamoDB Encryption Client is to protect your table data before you send it to Amazon DynamoDB. Encrypting your sensitive data helps ensure that your plaintext data isn’t available to any third party, including AWS.
The DynamoDB Encryption Client libraries are developed in open source projects on GitHub. Previously they were only available in Java, but there is now a Python option.
Importantly, the two supported language implementations are interoperable so, for example, you can encrypt table data with the Python library and decrypt it with the Java library.
And the good news is that you don’t need to be a cryptography expert to use the Client. The implementations include helper methods that are designed to work with your existing DynamoDB applications.
After you create and configure the required components, the DynamoDB Encryption Client transparently encrypts and signs your table items when you add them to a table, and verifies and decrypts them when you retrieve them.
It’s also worth noting that you can use the DynamoDB Encryption Client with encryption keys from any source, including your custom implementation or a cryptography service, such as AWS Key Management Service (AWS KMS) or AWS CloudHSM.
AWS also confirms that whilst the DynamoDB Encryption Client is designed for client-side encryption (where data is encrypted before you send it to DynamoDB), it’s also possible to use encryption at rest. This server-side option encrypts the data in your table whenever DynamoDB saves the table to disk. In addition, there’s also the option to use both the DynamoDB Encryption Client and encryption at rest together.
And finally, it’s important to note that use of the libraries doesn’t actually require an AWS account or any AWS service.
Cloud Development Director