
Decrypting AWS DB Activity Stream #151

Closed
saberistic opened this issue Jul 17, 2019 · 5 comments

Comments


saberistic commented Jul 17, 2019

I get the following error:

Error: unencryptedDataKey has not been set
    at Object.needs (/var/task/node_modules/@aws-crypto/material-management/build/main/needs.js:29:15)
    at NodeDecryptionMaterial.getUnencryptedDataKey (/var/task/node_modules/@aws-crypto/material-management/build/main/cryptographic_material.js:180:17)
    at NodeDefaultCryptographicMaterialsManager.decryptMaterials (/var/task/node_modules/@aws-crypto/material-management-node/build/main/node_cryptographic_materials_manager.js:49:46)
    at process._tickCallback (internal/process/next_tick.js:68:7)

while running a lambda function to decrypt DB activity streams.

const aws = require("aws-sdk");
const {
    decrypt,
    RawAesKeyringNode,
    RawAesWrappingSuiteIdentifier,
} = require('@aws-crypto/client-node')

console.log('Loading function');
aws.config.logger = console;


exports.handler = async (event, context) => {
    const kms = new aws.KMS({ region: "us-west-2" });
    try {
        const output = await Promise.all(
            event.records.map(async (record) => {
                const data = Buffer.from(record.databaseActivityEvents, 'base64');
                const key = Buffer.from(record.key, 'base64');
                const promise = await kms.decrypt({
                    CiphertextBlob: key,
                    EncryptionContext: {
                        "aws:rds:dbc-id": process.env.cluster_id,
                    }
                }).promise();
                console.log(typeof promise.Plaintext, promise.Plaintext);
                const wrappingSuite = RawAesWrappingSuiteIdentifier.AES256_GCM_IV12_TAG16_NO_PADDING;
                const unencryptedMasterKey = new Uint8Array(promise.Plaintext);
                console.log(unencryptedMasterKey.byteLength);
                console.log(promise.Plaintext)
                const keyring = new RawAesKeyringNode({
                    keyName: "aes-name",
                    keyNamespace: "aes-namespace",
                    wrappingSuite: wrappingSuite,
                    unencryptedMasterKey: unencryptedMasterKey,
                });

                const d = await decrypt(keyring, record.databaseActivityEvents, {encoding: 'base64'});
                console.log(d);
            })
        );
        console.log(`Processing completed.  Successful records ${output.length}.`);
    } catch (err) {
        console.log(err);
    }
};

with Test Data

{
  "invocationId": "invocationIdExample",
  "deliveryStreamArn": "arn:aws:kinesis:EXAMPLE",
  "region": "us-west-2",
  "records": [
    {
      "type": "DatabaseActivityMonitoringRecords",
      "version": "1.0",
      "databaseActivityEvents": "...",
      "key": "AQIDAHj5sC4V75fw9OgpNzg8eJz30SjZJKlkaeCghpgU0ZZpcwGyagVf0Vv0OdZEh9ge6wKPAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMIZT3HfWUMjZXZFp0AgEQgDtqf5tHswwRHSQNqlkXMuoVe2N+zfnJVJ0njS2es8vDqGm54lDCbUVMAIkaSZAx62ygv0IFD8UpExo3og=="
    }
  ]
}

I followed https://github.com/awslabs/aws-encryption-sdk-javascript/blob/master/modules/example-node/src/aes_simple.ts and https://docs.amazonaws.cn/en_us/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.html#DBActivityStreams.CodeExample

Not sure if this is a bug or I did something wrong. Any help would be much appreciated.

saberistic (Author) commented

I looked into the code and figured out that setUnencryptedDataKey() of CryptographicMaterial has been called, and I could verify that the dataKey is assigned to unencryptedDataKey:
https://github.com/awslabs/aws-encryption-sdk-javascript/blob/master/modules/material-management/src/cryptographic_material.ts#L257

but in the getUnencryptedDataKey() scope unencryptedDataKey is undefined:
https://github.com/awslabs/aws-encryption-sdk-javascript/blob/master/modules/material-management/src/cryptographic_material.ts#L285

seebees (Contributor) commented Jul 17, 2019

It looks like the RawAesKeyringNode is not finding an encrypted data key to decrypt. Do you have a copy of your encryption code? The

As a side note, for every record you are making an AWS KMS decrypt call. Why not use a KMS keyring?

seebees (Contributor) commented Jul 17, 2019

Looking deeper at the databaseActivityEvents example value you have, I can see that the keyName and keyNamespace need to change to:

keyName: "DataKey",
keyNamespace: "BC",

The raw keyrings are tricky as these values must exactly match or the keyring will not even attempt to decrypt. I have opened #152 to track this error message.

saberistic (Author) commented

Thanks @seebees, that solved my issue. I could decrypt the activityStreamEvent. Maybe we should add the Node example in docs.

@seebees seebees closed this as completed Aug 6, 2019
nithin-ideas2it commented Feb 20, 2022

Hi @amirsaber,

I need help.

Requirement: a lambda function to decrypt an AWS Aurora MySQL DB Activity Stream.

Will the above script still work? I followed the code but ended up with a configuration conflict. Am I missing something or doing something wrong?

INFO Error: Configuration conflict. Cannot process message with ID c62bdfgfd43543sdf due to CommitmentPolicy REQUIRE_ENCRYPT_REQUIRE_DECRYPT requiring only committed messages. Algorithm ID was ALG_AES256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384. See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/troubleshooting-migration.html

Could someone please help? Do we have any clear reference or doc with a working example?
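Both failures in this thread, the keyName/keyNamespace mismatch that seebees diagnosed and the commitment-policy rejection in the last comment, are decided from fields in the Encryption SDK message header before any decryption happens. The following is an added example, not code from the thread or from the SDK: it parses a constructed AWS Encryption SDK v1 header with Node's Buffer and checks whether a given raw AES keyring configuration and commitment policy would even attempt to decrypt it.

```javascript
// Added example (not from the thread or the SDK): minimal parser for the AWS
// Encryption SDK v1 header, read up to the algorithm ID and encrypted data keys.
const COMMITTING_SUITES = new Set([0x0478, 0x0578]); // key-committing suite IDs
const u16 = (n) => { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; };

// Constructed header prefix with one EDK: version, type, algorithm ID, 16-byte
// message ID, empty AAD, EDK count, EDK. Later fields omitted; parser stops here.
function buildSampleHeader(algorithmId, providerId, keyName) {
  // Raw AES provider info = key name || tag length || IV length || IV.
  const providerInfo = Buffer.concat([Buffer.from(keyName),
    Buffer.from([0, 0, 0, 128, 0, 0, 0, 12]), Buffer.alloc(12, 0xaa)]);
  const edk = Buffer.alloc(32, 0x5c);             // placeholder wrapped key bytes
  return Buffer.concat([Buffer.from([0x01, 0x80]), u16(algorithmId),
    Buffer.alloc(16, 0x11), u16(0), u16(1),
    u16(providerId.length), Buffer.from(providerId),
    u16(providerInfo.length), providerInfo, u16(edk.length), edk]);
}

function parseHeaderV1(buf) {
  if (buf[0] !== 0x01 || buf[1] !== 0x80) throw new Error('not a v1 header');
  let off = 2;
  const algorithmId = buf.readUInt16BE(off); off += 2;
  off += 16;                                      // message ID
  off += 2 + buf.readUInt16BE(off);               // AAD (encryption context)
  const edkCount = buf.readUInt16BE(off); off += 2;
  const edks = [];
  for (let i = 0; i < edkCount; i++) {
    const idLen = buf.readUInt16BE(off); off += 2;
    const providerId = buf.toString('utf8', off, off + idLen); off += idLen;
    const infoLen = buf.readUInt16BE(off); off += 2;
    const providerInfo = buf.subarray(off, off + infoLen); off += infoLen;
    off += 2 + buf.readUInt16BE(off);             // wrapped data key bytes
    edks.push({ providerId, providerInfo });
  }
  return { algorithmId, edks };
}

// A raw AES keyring only attempts an EDK whose provider ID equals its
// keyNamespace and whose provider info starts with its keyName; otherwise it
// returns materials with no data key ("unencryptedDataKey has not been set").
function keyringCanDecrypt(header, keyNamespace, keyName) {
  const name = Buffer.from(keyName);
  return header.edks.some((e) => e.providerId === keyNamespace &&
    e.providerInfo.subarray(0, name.length).equals(name));
}

// REQUIRE_ENCRYPT_REQUIRE_DECRYPT rejects any suite that does not commit to the
// data key ("Configuration conflict ... requiring only committed messages").
function policyAllowsDecrypt(header, requireCommittedMessages) {
  return !requireCommittedMessages || COMMITTING_SUITES.has(header.algorithmId);
}
```

With the activity stream's suite 0x0378 (ALG_AES256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384) the policy check fails under REQUIRE_ENCRYPT_REQUIRE_DECRYPT, which is why a client built with a decrypt-permissive commitment policy is needed for these messages.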
