InvalidCypherTextException when reading an encrypted DynamoDB table which has been restored from a backup
If you attempt to read encrypted data from a DynamoDB table which has been restored from a backup to a DynamoDB table which doesn’t match the original table name, you may see the following errors:
InvalidCiphertextException: An error occurred (InvalidCiphertextException) when calling the Decrypt operation
UnwrappingError: Failed to unwrap AWS KMS protected materials
In this case:
- A backup of the DynamoDB table “Notes” had been restored to a new DynamoDB table “Notes-Restored”
- The table was using encryption at rest
- One of the columns of the DynamoDB table had been encrypted using a CMK.
- I was using the boto3 DynamoDB client, and dynamodb-encryption-sdk
TL;DR the restored DynamoDB table must have the same name as the original DynamoDB table, and be restored to the same account that it was originally created in.