DETERMINISTIC_ENCRYPT - Amazon Glue DataBrew
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

DETERMINISTIC_ENCRYPT

Encrypts the column using AES-GCM-SIV with a 256 bit key. Data encrypted with DETERMINISTIC_ENCRYPT can only be decrypted inside of DataBrew with the DETERMINISTIC_DECRYPT transform. This transform does not use Amazon KMS or the Amazon Encryption SDK, and instead uses the Amazon LC github library.

Can encrypt up to 400KB per cell. Does not preserve data type on decrypt.

Note

Note: Using a secret for more than a year is discouraged.

Parameters

  • sourceColumns – An array of existing columns.

  • secretId – The ARN of the Secrets Manager secret key to use to encrypt the source columns, or databrew!default.

  • secretVersion – Optional. Defaults to the latest secret version.

  • entityTypeFilter – Optional array of entity types. Can be used to encrypt only detected PII in free-text column.

  • createSecretIfMissing – Optional boolean. If true will attempt to create the secret on behalf of the caller.

Example

{
   "sourceColumns": ["phonenumber"],   
   "secretId": "arn:aws:secretsmanager:us-east-1:012345678901:secret:mysecret",
   "secretVersion": "adfe-1232-7563-3123",
   "entityTypeFilter": ["USA_ALL"]
}

When working in the interactive experience, in addition to the project’s role, the console user must have permission to secretsmanager:GetSecretValue on the provided Secrets Manager secret.

Sample policy

{
  "Version": "2012-10-17",
  "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:012345678901:secret:mysecret"
            ]
        }
    ]
}