fix

Author: RitvikKapila

examples/src/keyrings/aws_kms_mrk_keyring_example.py

@@ -44,28 +44,30 @@
 def encrypt_and_decrypt_with_keyring(
     mrk_key_id_encrypt: str,
     mrk_replica_key_id_decrypt: str,
-    default_region: str,
-    second_region: str
+    mrk_encrypt_region: str,
+    mrk_replica_decrypt_region: str
 ):
     """Demonstrate an encrypt/decrypt cycle using an AWS KMS MRK keyring.
 
     Usage: encrypt_and_decrypt_with_keyring(mrk_key_id_encrypt,
                                             mrk_replica_key_id_decrypt,
-                                            default_region,
-                                            second_region)
+                                            mrk_encrypt_region,
+                                            mrk_replica_decrypt_region)
     :param mrk_key_id_encrypt: KMS Key identifier for the KMS key located in your
     default region, which you want to use for encryption of your data keys
     :type mrk_key_id_encrypt: string
-    :param mrk_replica_key_id_decrypt: KMS Key identifier for the KMS key KMS Key
+    :param mrk_replica_key_id_decrypt: KMS Key identifier for the KMS key
     that is a replica of the `mrk_key_id_encrypt` in a second region, which you
     want to use for decryption of your data keys
     :type mrk_replica_key_id_decrypt: string
-    :param default_region: AWS Region for encryption of your data keys
-    :type default_region: string
-    :param second_region: AWS Region for decryption of your data keys
-    :type second_region: string
-
-    For more information on KMS Key identifiers, see
+    :param mrk_encrypt_region: AWS Region for encryption of your data keys. This should
+    be the region of the mrk_key_id_encrypt.
+    :type mrk_encrypt_region: string
+    :param mrk_replica_decrypt_region: AWS Region for decryption of your data keys. This should
+    be the region of the mrk_replica_key_id_decrypt.
+    :type mrk_replica_decrypt_region: string
+
+    For more information on KMS Key identifiers for multi-region keys, see
     https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id
     """
     # 1. Instantiate the encryption SDK client.
@@ -91,13 +93,13 @@ def encrypt_and_decrypt_with_keyring(
         "the data you are handling": "is what you think it is",
     }
 
-    # 3. Create a keyring that will encrypt your data, using a KMS MRK key in the first region.
+    # 3. Create a keyring that will encrypt your data, using a KMS MRK in the first region.
     mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(
         config=MaterialProvidersConfig()
     )
 
     # Create a boto3 client for KMS in the first region.
-    encrypt_kms_client = boto3.client('kms', region_name=default_region)
+    encrypt_kms_client = boto3.client('kms', region_name=mrk_encrypt_region)
 
     encrypt_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput(
         kms_key_id=mrk_key_id_encrypt,
@@ -120,11 +122,11 @@ def encrypt_and_decrypt_with_keyring(
     assert ciphertext != EXAMPLE_DATA, \
         "Ciphertext and plaintext data are the same. Invalid encryption"
 
-    # 6. Create a keyring that will decrypt your data, using the same KMS MRK key replicated
+    # 6. Create a keyring that will decrypt your data, using the same KMS MRK replicated
     # to the second region. This example assumes you have already replicated your key
 
     # Create a boto3 client for KMS in the second region.
-    decrypt_kms_client = boto3.client('kms', region_name=second_region)
+    decrypt_kms_client = boto3.client('kms', region_name=mrk_replica_decrypt_region)
 
     decrypt_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput(
         kms_key_id=mrk_replica_key_id_decrypt,

examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py

@@ -4,20 +4,28 @@
 This example sets up the KMS MRK Multi Keyring
 
 The AWS Key Management Service (AWS KMS) MRK keyring interacts with AWS KMS to
-create, encrypt, and decrypt data keys with multi-region AWS KMS keys (MRKs).
-This example creates a KMS MRK Multi Keyring using an mrk_key_id (generator) and
-a kms_key_id, and then encrypts a custom input EXAMPLE_DATA with an encryption context.
+create, encrypt, and decrypt data keys with AWS KMS MRK keys.
+The KMS MRK multi-keyring consists of one or more individual keyrings of the
+same or different type. The keys can either be regular KMS keys or MRKs.
+The effect is like using several keyrings in a series.
+
+This example creates a AwsKmsMrkMultiKeyring using an mrk_key_id (generator) and a kms_key_id
+as a child key, and then encrypts a custom input EXAMPLE_DATA with an encryption context.
+Either KMS Key individually is capable of decrypting data encrypted under this keyring.
 This example also includes some sanity checks for demonstration:
 1. Ciphertext and plaintext data are not the same
 2. Encryption context is correct in the decrypted message header
 3. Decrypted plaintext value matches EXAMPLE_DATA
 4. Ciphertext can be decrypted using an AwsKmsMrkKeyring containing a replica of the
-   MRK key (from the multi-keyring used for encryption) copied from the first region into
+   MRK (from the multi-keyring used for encryption) copied from the first region into
    the second region
 These sanity checks are for demonstration in the example only. You do not need these in your code.
 
 For more information on how to use KMS keyrings, see
 https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html
+
+For more info on KMS MRK (multi-region keys), see the KMS documentation:
+https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
 """
 import sys
 
@@ -56,15 +64,15 @@ def encrypt_and_decrypt_with_keyring(
     default region
     :type mrk_key_id: string
     :param kms_key_id: KMS Key identifier for a KMS key, possibly located in a different region
-    than the MRK key
+    than the MRK
     :type kms_key_id: string
     :param mrk_replica_key_id: KMS Key identifier for an MRK that is a replica of the
     `mrk_key_id` in a second region.
     :type mrk_replica_key_id: string
     :param second_region: The second region where the MRK replica is located
     :type second_region: string
 
-    For more information on KMS Key identifiers, see
+    For more information on KMS Key identifiers for multi-region keys, see
     https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id
     """
     # 1. Instantiate the encryption SDK client.
@@ -120,8 +128,8 @@ def encrypt_and_decrypt_with_keyring(
         "Ciphertext and plaintext data are the same. Invalid encryption"
 
     # 6. Decrypt your encrypted data using the same AwsKmsMrkMultiKeyring you used on encrypt.
-    # It will decrypt the data using the generator KMS MRK key since that is the first available
-    # KMS key on the keyring that is capable of decrypting the data.
+    # It will decrypt the data using the generator key (in this case, the MRK), since that is
+    # the first available KMS key on the keyring that is capable of decrypting the data.
     plaintext_bytes, dec_header = client.decrypt(
         source=ciphertext,
         keyring=kms_mrk_multi_keyring

examples/test/keyrings/test_i_aws_kms_mrk_keyring_example.py

@@ -14,9 +14,9 @@ def test_encrypt_and_decrypt_with_keyring():
         "arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7"
     mrk_replica_key_id_decrypt = \
         "arn:aws:kms:eu-west-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7"
-    default_region = "us-east-1"
-    second_region = "eu-west-1"
+    mrk_encrypt_region = "us-east-1"
+    mrk_replica_decrypt_region = "eu-west-1"
     encrypt_and_decrypt_with_keyring(mrk_key_id_encrypt,
                                      mrk_replica_key_id_decrypt,
-                                     default_region,
-                                     second_region)
+                                     mrk_encrypt_region,
+                                     mrk_replica_decrypt_region)