Hey, thanks for putting that together, it's a very insightful read. One thing I would mention in the section "Encrypting Data":
KMS is great and very useful but there are limitations, for example the 4kb payload max. Another one is latency (back and forth is OK for a single decryption step, for 10.000 it might become problematic)
In case you have to go around these limitations they recommend a data key that you use to encrypt the data, encrypt the data key, store both encrypted blobs in your DB and throw away away the data key from the memory as quickly as possible.
E.g. "I have an API key and I want it encryptedly available to some servers, and engineers to be able to roll but not read the cred", KMS directly with a CMK is great. Otherwise: that's what the rest of the bulk encryption and key generation recommendations are for; get a DEK, use NaCl's secretbox or whatever.
DEK sharding strategies depend on your data model so that gets a little tricky to provide good advice for in this document but that's something we help clients with, sure :)
Enveloppe encryption (what you are describing) is absolutely the way to go, but the caveats described in the document for key generation and symmetric encryption apply.
KMS is great and very useful but there are limitations, for example the 4kb payload max. Another one is latency (back and forth is OK for a single decryption step, for 10.000 it might become problematic)
In case you have to go around these limitations they recommend a data key that you use to encrypt the data, encrypt the data key, store both encrypted blobs in your DB and throw away away the data key from the memory as quickly as possible.
https://docs.aws.amazon.com/kms/latest/developerguide/progra...
Thoughts?