The AWS Encryption SDK’s AWS KMS Keyring has become increasingly complex as it supports various customer use cases. In this proposal, we separate the functionality of the AWS KMS keyring into multiple smaller-scoped keyrings. Each new keyring maintains a smaller API surface area.
By simplifying the AWS KMS keyring, we establish the basic building blocks for interacting with AWS KMS. We can support additional customer use cases by writing operations to configure a multi-keyring with these smaller-scoped keyrings. In the future, new features will be supported without refactoring code or updating customer-facing APIs. Advanced customers can also follow a similar process for more complex customization. This lowers the likelihood that advanced customers fork ESDK code.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Issue #, if available:
This proposal affects the following issues: https://github.com/awslabs/aws-encryption-sdk-specification/issues/139, https://github.com/awslabs/aws-encryption-sdk-specification/issues/94, https://github.com/awslabs/aws-encryption-sdk-specification/issues/90, https://github.com/awslabs/aws-encryption-sdk-specification/issues/84, https://github.com/awslabs/aws-encryption-sdk-specification/issues/59, https://github.com/awslabs/aws-encryption-sdk-specification/issues/16, https://github.com/awslabs/aws-encryption-sdk-specification/issues/15, https://github.com/awslabs/aws-encryption-sdk-specification/issues/49, https://github.com/awslabs/aws-encryption-sdk-specification/issues/83, https://github.com/awslabs/aws-encryption-sdk-specification/issues/40
Description of changes:
The AWS Encryption SDK’s AWS KMS Keyring has become increasingly complex as it supports various customer use cases. In this proposal, we separate the functionality of the AWS KMS keyring into multiple smaller-scoped keyrings. Each new keyring maintains a smaller API surface area.
By simplifying the AWS KMS keyring, we establish the basic building blocks for interacting with AWS KMS. We can support additional customer use cases by writing operations to configure a multi-keyring with these smaller-scoped keyrings. In the future, new features will be supported without refactoring code or updating customer-facing APIs. Advanced customers can also follow a similar process for more complex customization. This lowers the likelihood that advanced customers fork ESDK code.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.