Posts tagged 'Dynamodb'

InvalidCypherTextException when reading an encrypted DynamoDB table which has been restored from a backup

 

If you attempt to read encrypted data from a DynamoDB table which has been restored from a backup to a DynamoDB table which doesn’t match the original table name, you may see the following errors:

InvalidCiphertextException: An error occurred (InvalidCiphertextException) when calling the Decrypt operation

and

UnwrappingError: Failed to unwrap AWS KMS protected materials

In this case:

  • A backup of the DynamoDB table “Notes” had been restored to a new DynamoDB table “Notes-Restored”
  • The table was using encryption at rest
  • One of the columns of the DynamoDB table had been encrypted using a CMK.
  • I was using the boto3 DynamoDB client, and dynamodb-encryption-sdk

TL;DR the restored DynamoDB table must have the same name as the original DynamoDB table, and be restored to the same account that it was originally created in.

 

Read More...