DETERMINISTIC_ENCRYPT
Encrypts the column using AES-GCM-SIV with a 256 bit key. Data encrypted with
DETERMINISTIC_ENCRYPT can only be decrypted inside of DataBrew with the DETERMINISTIC_DECRYPT
transform. This transform does not use Amazon KMS or the Amazon Encryption SDK, and instead uses
the Amazon LC github library
Can encrypt up to 400KB per cell. Does not preserve data type on decrypt.
Note
Note: Using a secret for more than a year is discouraged.
Parameters
-
sourceColumns
– An array of existing columns. -
secretId
– The ARN of the Secrets Manager secret key to use to encrypt the source columns, or databrew!default. -
secretVersion
– Optional. Defaults to the latest secret version. -
entityTypeFilter
– Optional array of entity types. Can be used to encrypt only detected PII in free-text column. -
createSecretIfMissing
– Optional boolean. If true will attempt to create the secret on behalf of the caller.
Example
{ "sourceColumns": ["phonenumber"], "secretId": "arn:aws:secretsmanager:us-east-1:012345678901:secret:mysecret", "secretVersion": "adfe-1232-7563-3123", "entityTypeFilter": ["USA_ALL"] }
When working in the interactive experience, in addition to the project’s role, the console user
must have permission to secretsmanager:GetSecretValue
on the provided Secrets Manager secret.
Sample policy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": [ "arn:aws:secretsmanager:us-east-1:012345678901:secret:mysecret" ] } ] }