How can I verify that authenticated encryption with data encryption is used for AWS KMS API calls?


I want to verify that authenticated encryption with data encryption is used for AWS Key Management Service (AWS KMS) encrypt, decrypt, and re-encrypt API calls.

Short description

AWS KMS provides an encryption context that you can use to verify the authenticity of AWS KMS API calls. You can also use encryption context to verify the integrity of the ciphertext returned by the decrypt API.

Resolution

To verify the integrity of data encrypted with the AWS KMS APIs, you pass a set of key-value pairs as an encryption context when you call the Encrypt API. The same encryption context is checked again when you call the Decrypt or ReEncrypt API. If the encryption context passed to the Decrypt or ReEncrypt API is identical to the one passed to the Encrypt API, then the integrity of the ciphertext returned is protected.
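The following is an added example, not part of the AWS article and not the cipher AWS KMS runs internally. It is a small stdlib-only model of the mechanism the article describes: the encryption context is treated as additional authenticated data (AAD) that is folded into the integrity tag rather than stored in the ciphertext, so a decrypt or re-encrypt call with a different (or missing) context fails. The model is an encrypt-then-MAC construction built from HMAC-SHA256; the `encrypt`, `decrypt`, `re_encrypt` function names, the error message text and the sample context values are all constructed for the example.

```python
"""Model of an encryption context bound as AAD (constructed example, not AWS KMS code)."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def canonical_context(context):
    """Treat the context as an unordered set of string pairs, as KMS does:
    {"a": "1", "b": "2"} and {"b": "2", "a": "1"} must bind identically."""
    context = context or {}
    for k, v in context.items():
        if not isinstance(k, str) or not isinstance(v, str):
            raise TypeError("encryption context keys and values must be strings")
    return json.dumps(sorted(context.items()), separators=(",", ":")).encode()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (model only, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(key, nonce, ciphertext, context):
    """Integrity tag over nonce, ciphertext and the canonical context.
    Length framing keeps (ciphertext, context) from being re-split into another pair."""
    aad = canonical_context(context)
    msg = nonce + len(ciphertext).to_bytes(8, "big") + ciphertext + aad
    return hmac.new(key, msg, hashlib.sha256).digest()


def encrypt(key, plaintext, context=None):
    """Return nonce || ciphertext || tag. The context is bound in the tag, not stored."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct, context)


def decrypt(key, blob, context=None):
    """Verify the tag under the supplied context before releasing any plaintext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct, context)):
        # Mirrors the failure a caller sees from KMS on a context mismatch.
        raise ValueError("InvalidCiphertext: wrong key, tampered data, or wrong encryption context")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def re_encrypt(key, blob, source_context, destination_context):
    """Re-encrypt under a new context; the source context must verify first."""
    return encrypt(key, decrypt(key, blob, source_context), destination_context)


def _fails(fn):
    try:
        fn()
        return False
    except ValueError:
        return True


def demo():
    """Exercise the cases a practitioner cares about; returns a dict of booleans."""
    key = os.urandom(32)
    ctx = {"purpose": "customer-record", "tenant": "constructed-tenant-42"}  # constructed
    secret = b"account number 000-000"  # constructed
    blob = encrypt(key, secret, ctx)
    results = {
        "same_context": decrypt(key, blob, ctx) == secret,
        "reordered_context": decrypt(key, blob, dict(reversed(list(ctx.items())))) == secret,
        "wrong_context": _fails(lambda: decrypt(key, blob, {"purpose": "customer-record", "tenant": "other"})),
        "missing_context": _fails(lambda: decrypt(key, blob, None)),
    }
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    results["tampered_ciphertext"] = _fails(lambda: decrypt(key, bytes(tampered), ctx))
    new_ctx = {"purpose": "archive"}
    new_blob = re_encrypt(key, blob, ctx, new_ctx)
    results["reencrypt_new_context"] = decrypt(key, new_blob, new_ctx) == secret
    results["reencrypt_old_context_fails"] = _fails(lambda: decrypt(key, new_blob, ctx))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Against the real service the same shape is expressed through the `EncryptionContext` parameter of the boto3 `encrypt` and `decrypt` calls, and through `SourceEncryptionContext` and `DestinationEncryptionContext` on `re_encrypt`; a context mismatch on `decrypt` surfaces as an `InvalidCiphertextException`. Note that the context is not secret (it is logged in plaintext in CloudTrail), so it is an integrity and authorization binding, not a place to put sensitive data.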

Related information

How to protect the integrity of your encrypted data by using AWS Key Management Service and EncryptionContext

AWS OFFICIAL
Updated 12 days ago