aws
diff --git a/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/client/common.py
Lines changed: 1 addition & 1 deletion b/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/client/common.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/client/migration_step_1.py
Lines changed: 2 additions & 2 deletions b/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/client/migration_step_1.py
Lines changed: 2 additions & 2 deletions
diff --git a/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/client/migration_step_2.py
Lines changed: 3 additions & 3 deletions b/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/client/migration_step_2.py
Lines changed: 3 additions & 3 deletions
diff --git a/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/client/migration_step_3.py
Lines changed: 3 additions & 3 deletions b/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/client/migration_step_3.py
Lines changed: 3 additions & 3 deletions
diff --git a/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/table/common.py
Lines changed: 235 additions & 0 deletions b/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/table/common.py
Lines changed: 235 additions & 0 deletions
diff --git a/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/table/migration_step_1.py
Lines changed: 81 additions & 0 deletions b/‎Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/table/migration_step_1.py
Lines changed: 81 additions & 0 deletions
@@ -129,7 +129,7 @@ def setup_awsdbe_client_with_legacy_override(kms_key_id: str, ddb_table_name: st
     # 0. Create AWS SDK DynamoDB Client
     ddb_client = boto3.client("dynamodb")
 
-    # 1. Create the legacy DynamoDB Encryption Client
+    # 1. Create the legacy EncryptedClient
     cmp = AwsKmsCryptographicMaterialsProvider(key_id=kms_key_id)
     legacy_encrypted_client = LegacyEncryptedClient(
         client=ddb_client,
 
@@ -27,7 +27,7 @@
 from .common import setup_awsdbe_client_with_legacy_override
 
 
-def migration_step_1(kms_key_id: str, ddb_table_name: str, sort_read_value: int = 1):
+def migration_step_1_with_client(kms_key_id: str, ddb_table_name: str, sort_read_value: int = 1):
     """
     Migration Step 1: Using the AWS Database Encryption SDK with Legacy Override.
 
@@ -36,7 +36,7 @@ def migration_step_1(kms_key_id: str, ddb_table_name: str, sort_read_value: int
     :param sort_read_value: The sort key value to read
 
     """
-    # 1. Create a DynamoDB Encryption SDK client with legacy override.
+    # 1. Create a EncryptedClient with legacy override.
     #    For Legacy Policy, use `FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT`.
     #    With this policy, you will continue to read and write items using the old format,
     #    but will be able to start reading new items in the new format as soon as they appear
 
@@ -27,16 +27,16 @@
 from .common import setup_awsdbe_client_with_legacy_override
 
 
-def migration_step_2(kms_key_id: str, ddb_table_name: str, sort_read_value: int = 2):
+def migration_step_2_with_client(kms_key_id: str, ddb_table_name: str, sort_read_value: int = 2):
     """
-    Migration Step 2: Using pure AWS DBESDK and legacy override together.
+    Migration Step 2: Using pure AWS DBESDK and legacy override together with EncryptedClient.
 
     :param kms_key_id: The ARN of the KMS key to use for encryption
     :param ddb_table_name: The name of the DynamoDB table
     :param sort_read_value: The sort key value to read
 
     """
-    # 1. Create a DynamoDB Encryption SDK client with legacy override.
+    # 1. Create a EncryptedClient with legacy override.
     #    When configuring our legacy behavior, use `FORBID_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT`.
     #    With this policy, you will continue to read items in both formats,
     #    but will only write new items using the new format.
 
@@ -23,15 +23,15 @@
 from .common import setup_pure_awsdbe_client
 
 
-def migration_step_3(kms_key_id: str, ddb_table_name: str, sort_read_value: int = 3):
+def migration_step_3_with_client(kms_key_id: str, ddb_table_name: str, sort_read_value: int = 3):
     """
-    Migration Step 3: Using only pure AWS DBESDK (no legacy override).
+    Migration Step 3: Using only pure AWS DBESDK (no legacy override) with EncryptedClient.
 
     :param kms_key_id: The ARN of the KMS key to use for encryption
     :param ddb_table_name: The name of the DynamoDB table
     :param sort_read_value: The sort key value to read
     """
-    # 1. Create the DynamoDb Encryption Interceptor with the above configuration.
+    # 1. Create the EncryptedClient.
     #    Do not configure any legacy behavior.
     encrypted_client = setup_pure_awsdbe_client(kms_key_id, ddb_table_name)
 
 
@@ -0,0 +1,235 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Common Utilities for Migration Examples."""
+import boto3
+from aws_cryptographic_material_providers.mpl import AwsCryptographicMaterialProviders
+from aws_cryptographic_material_providers.mpl.config import MaterialProvidersConfig
+from aws_cryptographic_material_providers.mpl.models import (
+    CreateAwsKmsMrkMultiKeyringInput,
+    DBEAlgorithmSuiteId,
+)
+from aws_cryptographic_material_providers.mpl.references import IKeyring
+from aws_dbesdk_dynamodb.encrypted.table import EncryptedTable
+from aws_dbesdk_dynamodb.structures.dynamodb import (
+    DynamoDbTableEncryptionConfig,
+    DynamoDbTablesEncryptionConfig,
+    LegacyOverride,
+)
+from aws_dbesdk_dynamodb.structures.structured_encryption import (
+    CryptoAction,
+)
+
+# Import from legacy DynamoDB Encryption Client
+from dynamodb_encryption_sdk.encrypted.table import EncryptedTable as LegacyEncryptedTable
+from dynamodb_encryption_sdk.material_providers.aws_kms import AwsKmsCryptographicMaterialsProvider
+
+
+def setup_pure_awsdbe_table(kms_key_id: str, ddb_table_name: str):
+    """
+    Set up a pure AWS Database Encryption SDK EncryptedTable without legacy override.
+
+    :param kms_key_id: The ARN of the KMS key to use for encryption
+    :param ddb_table_name: The name of the DynamoDB table
+    :returns EncryptedTable for DynamoDB
+    """
+    # 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
+    #    For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
+    #    We will use the `CreateMrkMultiKeyring` method to create this keyring,
+    #    as it will correctly handle both single region and Multi-Region KMS Keys.
+    mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(config=MaterialProvidersConfig())
+    kms_mrk_multi_keyring_input: CreateAwsKmsMrkMultiKeyringInput = CreateAwsKmsMrkMultiKeyringInput(
+        generator=kms_key_id,
+    )
+    kms_mrk_multi_keyring: IKeyring = mat_prov.create_aws_kms_mrk_multi_keyring(input=kms_mrk_multi_keyring_input)
+
+    # 2. Configure which attributes are encrypted and/or signed when writing new items.
+    #    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
+    #    we must explicitly configure how they should be treated during item encryption:
+    #      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
+    #      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
+    #      - DO_NOTHING: The attribute is not encrypted and not included in the signature
+    attribute_actions_on_encrypt = {
+        "partition_key": CryptoAction.SIGN_ONLY,
+        "sort_key": CryptoAction.SIGN_ONLY,
+        "attribute1": CryptoAction.ENCRYPT_AND_SIGN,
+        "attribute2": CryptoAction.SIGN_ONLY,
+        ":attribute3": CryptoAction.DO_NOTHING,
+    }
+
+    # 3. Configure which attributes we expect to be included in the signature
+    #    when reading items. There are two options for configuring this:
+    #
+    #    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
+    #      When defining your DynamoDb schema and deciding on attribute names,
+    #      choose a distinguishing prefix (such as ":") for all attributes that
+    #      you do not want to include in the signature.
+    #      This has two main benefits:
+    #      - It is easier to reason about the security and authenticity of data within your item
+    #        when all unauthenticated data is easily distinguishable by their attribute name.
+    #      - If you need to add new unauthenticated attributes in the future,
+    #        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
+    #        and immediately start writing to that new attribute, without
+    #        any other configuration update needed.
+    #      Once you configure this field, it is not safe to update it.
+    #
+    #    - Configure `allowedUnsignedAttributes`: You may also explicitly list
+    #      a set of attributes that should be considered unauthenticated when encountered
+    #      on read. Be careful if you use this configuration. Do not remove an attribute
+    #      name from this configuration, even if you are no longer writing with that attribute,
+    #      as old items may still include this attribute, and our configuration needs to know
+    #      to continue to exclude this attribute from the signature scope.
+    #      If you add new attribute names to this field, you must first deploy the update to this
+    #      field to all readers in your host fleet before deploying the update to start writing
+    #      with that new attribute.
+    #
+    #   For this example, we have designed our DynamoDb table such that any attribute name with
+    #   the ":" prefix should be considered unauthenticated.
+    unsignAttrPrefix: str = ":"
+
+    # 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
+    #    without the legacy override
+    table_configs = {}
+    table_config = DynamoDbTableEncryptionConfig(
+        logical_table_name=ddb_table_name,
+        partition_key_name="partition_key",
+        sort_key_name="sort_key",
+        attribute_actions_on_encrypt=attribute_actions_on_encrypt,
+        keyring=kms_mrk_multi_keyring,
+        allowed_unsigned_attribute_prefix=unsignAttrPrefix,
+        # Specifying an algorithm suite is not required,
+        # but is done here to demonstrate how to do so.
+        # We suggest using the
+        # `ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384` suite,
+        # which includes AES-GCM with key derivation, signing, and key commitment.
+        # This is also the default algorithm suite if one is not specified in this config.
+        # For more information on supported algorithm suites, see:
+        #   https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/supported-algorithms.html
+        algorithm_suite_id=DBEAlgorithmSuiteId.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384,
+    )
+    table_configs[ddb_table_name] = table_config
+    tables_config = DynamoDbTablesEncryptionConfig(table_encryption_configs=table_configs)
+
+    # 5. Create the DB-ESDK EncryptedTable
+    return EncryptedTable(
+        table=boto3.resource("dynamodb").Table(ddb_table_name),
+        encryption_config=tables_config,
+    )
+
+
+def setup_awsdbe_table_with_legacy_override(kms_key_id: str, ddb_table_name: str, policy: str):
+    """
+    Set up an AWS Database Encryption SDK EncryptedTable with legacy override.
+
+    :param kms_key_id: The ARN of the KMS key to use for encryption
+    :param ddb_table_name: The name of the DynamoDB table
+    :param policy: The policy required for the Legacy Override configuration
+    :returns EncryptedTable for DynamoDB
+
+    """
+    # 0. Create AWS SDK DynamoDB Client
+    ddb_table = boto3.resource("dynamodb").Table(ddb_table_name)
+
+    # 1. Create the legacy EncryptedTable
+    cmp = AwsKmsCryptographicMaterialsProvider(key_id=kms_key_id)
+    legacy_encrypted_table = LegacyEncryptedTable(
+        table=ddb_table,
+        materials_provider=cmp,
+    )
+
+    # 2. Configure our legacy behavior, inputting the DynamoDBEncryptor, attribute actions
+    #    created above, and  legacy policy.
+    legacy_override = LegacyOverride(
+        encryptor=legacy_encrypted_table,
+        attribute_actions_on_encrypt={
+            "partition_key": CryptoAction.SIGN_ONLY,
+            "sort_key": CryptoAction.SIGN_ONLY,
+            "attribute1": CryptoAction.ENCRYPT_AND_SIGN,
+            "attribute2": CryptoAction.SIGN_ONLY,
+            ":attribute3": CryptoAction.DO_NOTHING,
+        },
+        policy=policy,
+    )
+
+    # 3. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
+    #    For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
+    #    We will use the `CreateMrkMultiKeyring` method to create this keyring,
+    #    as it will correctly handle both single region and Multi-Region KMS Keys.
+    mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(config=MaterialProvidersConfig())
+    kms_mrk_multi_keyring_input: CreateAwsKmsMrkMultiKeyringInput = CreateAwsKmsMrkMultiKeyringInput(
+        generator=kms_key_id,
+    )
+    kms_mrk_multi_keyring: IKeyring = mat_prov.create_aws_kms_mrk_multi_keyring(input=kms_mrk_multi_keyring_input)
+
+    # 4. Configure which attributes are encrypted and/or signed when writing new items.
+    #    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
+    #    we must explicitly configure how they should be treated during item encryption:
+    #      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
+    #      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
+    #      - DO_NOTHING: The attribute is not encrypted and not included in the signature
+    attribute_actions_on_encrypt = {
+        "partition_key": CryptoAction.SIGN_ONLY,
+        "sort_key": CryptoAction.SIGN_ONLY,
+        "attribute1": CryptoAction.ENCRYPT_AND_SIGN,
+        "attribute2": CryptoAction.SIGN_ONLY,
+        ":attribute3": CryptoAction.DO_NOTHING,
+    }
+
+    # 5. Configure which attributes we expect to be included in the signature
+    #    when reading items. There are two options for configuring this:
+    #
+    #    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
+    #      When defining your DynamoDb schema and deciding on attribute names,
+    #      choose a distinguishing prefix (such as ":") for all attributes that
+    #      you do not want to include in the signature.
+    #      This has two main benefits:
+    #      - It is easier to reason about the security and authenticity of data within your item
+    #        when all unauthenticated data is easily distinguishable by their attribute name.
+    #      - If you need to add new unauthenticated attributes in the future,
+    #        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
+    #        and immediately start writing to that new attribute, without
+    #        any other configuration update needed.
+    #      Once you configure this field, it is not safe to update it.
+    #
+    #    - Configure `allowedUnsignedAttributes`: You may also explicitly list
+    #      a set of attributes that should be considered unauthenticated when encountered
+    #      on read. Be careful if you use this configuration. Do not remove an attribute
+    #      name from this configuration, even if you are no longer writing with that attribute,
+    #      as old items may still include this attribute, and our configuration needs to know
+    #      to continue to exclude this attribute from the signature scope.
+    #      If you add new attribute names to this field, you must first deploy the update to this
+    #      field to all readers in your host fleet before deploying the update to start writing
+    #      with that new attribute.
+    #
+    #   For this example, we have designed our DynamoDb table such that any attribute name with
+    #   the ":" prefix should be considered unauthenticated.
+    unsignAttrPrefix: str = ":"
+
+    # 6. Create the DynamoDb Encryption configuration for the table we will be writing to.
+    #    without the legacy override
+    table_configs = {}
+    table_config = DynamoDbTableEncryptionConfig(
+        logical_table_name=ddb_table_name,
+        partition_key_name="partition_key",
+        sort_key_name="sort_key",
+        attribute_actions_on_encrypt=attribute_actions_on_encrypt,
+        keyring=kms_mrk_multi_keyring,
+        legacy_override=legacy_override,
+        allowed_unsigned_attribute_prefix=unsignAttrPrefix,
+        # Specifying an algorithm suite is not required,
+        # but is done here to demonstrate how to do so.
+        # We suggest using the
+        # `ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384` suite,
+        # which includes AES-GCM with key derivation, signing, and key commitment.
+        # This is also the default algorithm suite if one is not specified in this config.
+        # For more information on supported algorithm suites, see:
+        #   https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/supported-algorithms.html
+        algorithm_suite_id=DBEAlgorithmSuiteId.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384,
+    )
+    table_configs[ddb_table_name] = table_config
+    tables_config = DynamoDbTablesEncryptionConfig(table_encryption_configs=table_configs)
+
+    # 7. Create the DB-ESDK EncryptedTable
+    return EncryptedTable(
+        table=boto3.resource("dynamodb").Table(ddb_table_name),
+        encryption_config=tables_config,
+    )
@@ -0,0 +1,81 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+"""
+Migration Step 1.
+
+This is an example demonstrating how to start using the
+AWS Database Encryption SDK with a pre-existing table used with DynamoDB Encryption Client.
+In this example, you configure a EncryptedTable to do the following:
+  - Read items encrypted in the old format
+  - Continue to encrypt items in the old format on write
+  - Read items encrypted in the new format
+While this step configures your client to be ready to start reading items encrypted,
+we do not yet expect to be reading any items in the new format.
+Before you move on to step 2, ensure that these changes have successfully been deployed
+to all of your readers.
+
+Running this example requires access to the DDB Table whose name
+is provided in CLI arguments.
+This table must be configured with the following
+primary key configuration:
+  - Partition key is named "partition_key" with type (S)
+  - Sort key is named "sort_key" with type (S)
+"""
+from aws_dbesdk_dynamodb.structures.dynamodb import LegacyPolicy
+
+from .common import setup_awsdbe_table_with_legacy_override
+
+
+def migration_step_1_with_table(kms_key_id: str, ddb_table_name: str, sort_read_value: int = 1):
+    """
+    Migration Step 1: Using the AWS Database Encryption SDK with Legacy Override.
+
+    :param kms_key_id: The ARN of the KMS key to use for encryption
+    :param ddb_table_name: The name of the DynamoDB table
+    :param sort_read_value: The sort key value to read
+
+    """
+    # 1. Create a EncryptedTable with legacy override.
+    #    For Legacy Policy, use `FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT`.
+    #    With this policy, you will continue to read and write items using the old format,
+    #    but will be able to start reading new items in the new format as soon as they appear
+    policy = LegacyPolicy.FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT
+    encrypted_table = setup_awsdbe_table_with_legacy_override(
+        kms_key_id=kms_key_id, ddb_table_name=ddb_table_name, policy=policy
+    )
+
+    # 2. Put an item in the old format since we are using a legacy override
+    #    with FORCE_LEGACY_ENCRYPT_ALLOW_DECRYPT policy
+    item_to_encrypt = {
+        "partition_key": "MigrationExampleForPythonTable",
+        "sort_key": 1,
+        "attribute1": "encrypt and sign me!",
+        "attribute2": "sign me!",
+        ":attribute3": "ignore me!",
+    }
+
+    put_item_response = encrypted_table.put_item(Item=item_to_encrypt)
+
+    # Demonstrate that PutItem succeeded
+    assert put_item_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+    # 3. Get an item back from the table using the EncryptedTable
+    #     If this is an item written in the old format (e.g. any item written
+    #     during Step 0 or 1), then we will attempt to decrypt the item
+    #     using the legacy behavior.
+    #     If this is an item written in the new format (e.g. any item written
+    #     during Step 2 or after), then we will attempt to decrypt the item using
+    #     the non-legacy behavior.
+    key_to_get = {"partition_key": "MigrationExampleForPythonTable", "sort_key": sort_read_value}
+    get_item_response = encrypted_table.get_item(Key=key_to_get)
+
+    # Demonstrate that GetItem succeeded and returned the decrypted item
+    assert get_item_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+    decrypted_item = get_item_response["Item"]
+    # Demonstrate we get the expected item back
+    assert decrypted_item["partition_key"] == "MigrationExampleForPythonTable"
+    assert decrypted_item["sort_key"] == sort_read_value
+    assert decrypted_item["attribute1"] == "encrypt and sign me!"
+    assert decrypted_item["attribute2"] == "sign me!"
+    assert decrypted_item[":attribute3"] == "ignore me!"