I am trying to implement a multi-region strategy for my Lambdas, which use DynamoDB global tables.
I want to use KMS to do client-side encryption for the userId and pin. How can I implement a multi-region strategy for KMS? I found this example which talks about the same: https://aws.amazon.com/blogs/security/how-to-use-the-new-aws-encryption-sdk-to-simplify-data-encryption-and-improve-application-availability/
Does that mean I have to create KMS keys in all the regions I deploy my Lambda in (for latency)?
Question-1: If so, if I provide multiple regions in MultipleProviderFactory, which of the keys does it use to encrypt data and which region does it use to decrypt data?
Question-2: How will this change if I have to encrypt data bigger than 4096Kb?
The idea of the encryption SDK is to use envelope encryption. So every time you encrypt a message or data, the SDK generates a random data key for that message and uses it to encrypt the message body. Then it encrypts the key itself with ALL of your providers, and includes those encrypted keys in the header of the message.
As long as any one of those forms of the key can be decrypted from the header, the SDK can retrieve the data key and use that to decrypt the message body.
So the first question: it encrypts with all of them and decrypts with any one of them. I don't know the actual logic of how it selects the provider for decryption but it's probably just in the order they're defined in MultipleProviderFactory.
And the other: You can encrypt more than 4KB (guessing "4096Kb" is a typo) without any changes since the body is encrypted/decrypted locally with AES. The 4KB limit is only for the payload to/from KMS, which is just the data key.
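To make the envelope-encryption flow described in this answer concrete, here is an added example (not code from the question, the answer, or the AWS Encryption SDK itself). It is a toy model written for this page: each `Provider` stands in for one regional KMS key, and the KMS `GenerateDataKey`/`Decrypt` round trips are replaced by local AES-GCM wrapping so the program runs offline. The `Envelope`, `Provider`, `Encrypt` and `Decrypt` names, the per-provider `Available` flag used to simulate a region outage, and the wire layout are all assumptions of this example, not the SDK's real message format. What it shows is exactly the two points above: encryption must wrap the data key with every provider, decryption succeeds with any one of them (tried in the caller's order), and a body far larger than the 4 KB KMS request limit is no problem because only the data key ever goes to "KMS".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider models one regional KMS key (assumed name). In the real SDK the
// Wrap/Unwrap calls are KMS API calls; here they are local AES-GCM operations.
type Provider struct {
	ID        string // stands in for the KMS key ARN, which names its region
	masterKey []byte // constructed locally; a real KMS key never leaves KMS
	Available bool   // simulates whether the region is reachable right now
}

func NewProvider(id string) (*Provider, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Provider{ID: id, masterKey: k, Available: true}, nil
}

// gcmSeal encrypts plaintext under key and prepends the random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// gcmOpen reverses gcmSeal; it fails if the key is wrong or data was tampered with.
func gcmOpen(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// Wrap/Unwrap are the only operations that would cross the wire to KMS, and
// the only place the 4 KB KMS payload limit would apply (a 32-byte data key).
func (p *Provider) Wrap(dataKey []byte) ([]byte, error) {
	if !p.Available {
		return nil, fmt.Errorf("provider %s unreachable", p.ID)
	}
	return gcmSeal(p.masterKey, dataKey)
}

func (p *Provider) Unwrap(blob []byte) ([]byte, error) {
	if !p.Available {
		return nil, fmt.Errorf("provider %s unreachable", p.ID)
	}
	return gcmOpen(p.masterKey, blob)
}

// Envelope is the message: the encrypted body plus one wrapped copy of the
// data key per provider, keyed by provider ID (the SDK's message header).
type Envelope struct {
	WrappedKeys map[string][]byte
	Body        []byte
}

// Encrypt generates a fresh data key, encrypts the body locally, and wraps the
// data key with EVERY provider; any unreachable provider fails the whole call.
func Encrypt(plaintext []byte, providers []*Provider) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	env := &Envelope{WrappedKeys: map[string][]byte{}}
	for _, p := range providers {
		w, err := p.Wrap(dataKey)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[p.ID] = w
	}
	body, err := gcmSeal(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	env.Body = body
	return env, nil
}

// Decrypt tries the providers in the order given; the first one that can
// unwrap its copy of the data key wins, so one healthy region is enough.
func Decrypt(env *Envelope, providers []*Provider) ([]byte, error) {
	for _, p := range providers {
		w, ok := env.WrappedKeys[p.ID]
		if !ok {
			continue // this provider was not used at encryption time
		}
		dataKey, err := p.Unwrap(w)
		if err != nil {
			continue // e.g. region outage: fall through to the next provider
		}
		return gcmOpen(dataKey, env.Body)
	}
	return nil, errors.New("no provider could unwrap the data key")
}

func main() {
	east, _ := NewProvider("us-east-1/example-key") // constructed IDs
	west, _ := NewProvider("us-west-2/example-key")
	msg := bytes.Repeat([]byte("x"), 10000) // well over the 4 KB KMS limit
	env, err := Encrypt(msg, []*Provider{east, west})
	if err != nil {
		panic(err)
	}
	east.Available = false // simulate us-east-1 being down
	out, err := Decrypt(env, []*Provider{east, west})
	fmt.Println(len(env.WrappedKeys), "wrapped keys; decrypt ok:", err == nil && bytes.Equal(out, msg))
}
```

The asymmetry is the point worth remembering when planning regions: `Encrypt` needs every listed provider online (each one must wrap the key), while `Decrypt` needs only one, so a region outage affects writers, not readers of existing data.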