aws_dbesdk_dynamodb.encrypted.table

High-level helper class to provide an encrypting wrapper for boto3 DynamoDB tables.

Classes

EncryptedTable(*, table, encryption_config)

Wrapper for a boto3 DynamoDB table that transparently encrypts/decrypts items.

class aws_dbesdk_dynamodb.encrypted.table.EncryptedTable(*, table: ServiceResource, encryption_config: DynamoDbTablesEncryptionConfig)

Bases: EncryptedBotoInterface

Wrapper for a boto3 DynamoDB table that transparently encrypts/decrypts items.

This class implements the complete boto3 DynamoDB table API, allowing it to serve as a drop-in replacement that transparently handles encryption and decryption of items.

The API matches the standard boto3 DynamoDB table interface:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/table/index.html

This class will encrypt/decrypt items for the following operations:

put_item

get_item

query

scan

delete_item

Any calls to update_item can only update unsigned attributes. If an attribute to be updated is marked as signed, this operation will raise a DynamoDbEncryptionTransformsException.

Calling batch_writer() will return a BatchWriter that transparently encrypts batch write requests.

Any other operations on this class will defer to the underlying boto3 DynamoDB Table’s implementation and will not be encrypted/decrypted.

Create an EncryptedTable object.

Parameters:

table (ServiceResource) – Initialized boto3 DynamoDB table
encryption_config (DynamoDbTablesEncryptionConfig) – Initialized DynamoDbTablesEncryptionConfig

__init__(*, table: ServiceResource, encryption_config: DynamoDbTablesEncryptionConfig)

Create an EncryptedTable object.

Parameters:

table (ServiceResource) – Initialized boto3 DynamoDB table
encryption_config (DynamoDbTablesEncryptionConfig) – Initialized DynamoDbTablesEncryptionConfig

put_item(**kwargs) → dict[str, Any]

Put a single item to the table. Encrypts the item before writing to DynamoDB.

The input and output syntaxes match those for the boto3 DynamoDB table put_item API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/table/put_item.html

Parameters:: **kwargs – Keyword arguments to pass to the operation. This matches the boto3 Table put_item request syntax. The value in "Item" will be encrypted locally before being written to DynamoDB.
Returns:: The response from DynamoDB. This matches the boto3 put_item response syntax.
Return type:: dict

get_item(**kwargs) → dict[str, Any]

Get a single item from the table. Decrypts the item after reading from DynamoDB.

The input and output syntaxes match those for the boto3 DynamoDB table get_item API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/table/get_item.html

Parameters:: **kwargs – Keyword arguments to pass to the operation. This matches the boto3 Table get_item request syntax.
Returns:: The response from DynamoDB. This matches the boto3 Table get_item response syntax. The value in "Item" will be decrypted locally after being read from DynamoDB.
Return type:: dict

query(**kwargs) → dict[str, Any]

Query items from the table or index. Decrypts any returned items.

The input and output syntaxes match those for the boto3 DynamoDB table query API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/table/query.html

Parameters:: **kwargs – Keyword arguments to pass to the operation. This matches the boto3 Table query request syntax.
Returns:: The response from DynamoDB. This matches the boto3 Table query response syntax. The value in "Items" will be decrypted locally after being read from DynamoDB.
Return type:: dict

scan(**kwargs) → dict[str, Any]

Scan the entire table or index. Decrypts any returned items.

The input and output syntaxes match those for the boto3 DynamoDB table scan API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/table/scan.html

Parameters:: **kwargs – Keyword arguments to pass to the operation. This matches the boto3 Table scan request syntax.
Returns:: The response from DynamoDB. This matches the boto3 Table scan response syntax. The value in "Items" will be decrypted locally after being read from DynamoDB.
Return type:: dict

delete_item(**kwargs) → dict[str, Any]

Delete an item from the table.

The input and output syntaxes match those for the boto3 DynamoDB table delete_item API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/table/delete_item.html

Parameters:: **kwargs – Keyword arguments to pass to the operation. This matches the boto3 Table delete_item request syntax.
Returns:: The response from DynamoDB. This matches the boto3 Table delete_item response syntax. Any values in "Attributes" will be decrypted locally after being read from DynamoDB.
Return type:: dict

update_item(**kwargs)

Update an unsigned attribute in the table.

If the attribute is signed, this operation will raise DynamoDbEncryptionTransformsException.

The input and output syntaxes match those for the boto3 DynamoDB table update_item API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/table/update_item.html

Parameters:: **kwargs – Keyword arguments to pass to the operation. This matches the boto3 Table update_item request syntax.
Returns:: The response from DynamoDB. This matches the boto3 Table update_item response syntax.
Return type:: dict
Raises:: DynamoDbEncryptionTransformsException – If an attribute specified in the UpdateExpression is signed.

batch_writer(overwrite_by_pkeys: list[str] | None = None) → BatchWriter

Create a batch writer object that will transparently encrypt requests to DynamoDB.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/table/batch_writer.html

Parameters:: overwrite_by_pkeys – De-duplicate request items in buffer if match new request item on specified primary keys. i.e ["partition_key1", "sort_key2", "sort_key3"]
Returns:: A batch writer that will transparently encrypt requests
Return type:: BatchWriter