AWS Security ChangesHomeSearch

AWS documentdb documentation change

Service: documentdb · 2026-06-13 · Documentation low

File: documentdb/latest/devguide/field-level-encryption.md

Summary

Updated client-side field level encryption documentation: removed limitations section, corrected code examples to use 'key_id' instead of 'key_alt_name', fixed typos, improved clarity about query support, and removed outdated examples.

Security assessment

Changes focus on improving documentation for security feature (field-level encryption) but don't address any specific vulnerability. Corrections in code examples prevent potential misconfiguration of encryption keys, which could indirectly impact security. The removal of inequality query examples clarifies security boundaries by emphasizing only supported equality operations on encrypted data.

Diff

diff --git a/documentdb/latest/devguide/field-level-encryption.md b/documentdb/latest/devguide/field-level-encryption.md
index 0be234c69..bac4dfc02 100644
--- a//documentdb/latest/devguide/field-level-encryption.md
+++ b//documentdb/latest/devguide/field-level-encryption.md
@@ -7 +7 @@
-Getting startedQuerying in client-side FLELimitations
+Getting startedQuerying in client-side FLE
@@ -19,2 +18,0 @@ Amazon DocumentDB client-side field level encryption (FLE) allows you to encrypt
-  * Limitations
-
@@ -45 +43 @@ The initial configuration of client-side FLE in Amazon DocumentDB is a four-step
-Using AWS Key Management Service, create a symmetric key that is used for encrypting and decrypting the sensitive data field and provide it the necessary IAM usage permissions. AWS KMS stores the Customer Key (CK) which is used to encrypt Data Keys (DKs). We recommend storing the Customer Key in KMS to strengthen your security posture. The Data Key is the secondary key which is stored in an Amazon DocumentDB collection and is required to encrypt sensitive fields before storing the document in Amazon DocumentDB. The Customer Key encrypts the Data Key which in turn encrypts and decrypts your data. If you are using a global cluster, you can create a multi-region key that can be used by different service roles in different regions.
+Using AWS Key Management Service, create a symmetric key that is used for encrypting and decrypting the sensitive data field and provide it the necessary IAM usage permissions. AWS KMS stores the Customer Key (CK) which is used to encrypt Data Keys (DKs). Store the Customer Key in KMS to strengthen your security posture. The Data Key is the secondary key which is stored in an Amazon DocumentDB collection and is required to encrypt sensitive fields before storing the document in Amazon DocumentDB. The Customer Key encrypts the Data Key which in turn encrypts and decrypts your data. If you are using a global cluster, you can create a multi-region key that can be used by different service roles in different regions.
@@ -80 +78 @@ By now you defined a Customer Key in AWS KMS and created an IAM role and provide
-  1. Specify ‘aws’ as KMS provider type and input your account credentials which were retrieved in the previous step.
+  1. Specify ‘aws’ as KMS provider type and enter your account credentials which were retrieved in the previous step.
@@ -148 +146 @@ Exactly one of "key_id" or "key_alt_name" must be provided.
-        key_alt_name=data_key_id
+        key_id=data_key_id
@@ -153 +151 @@ Exactly one of "key_id" or "key_alt_name" must be provided.
-        key_alt_name=data_key_id
+        key_id=data_key_id
@@ -158 +156 @@ Exactly one of "key_id" or "key_alt_name" must be provided.
-        key_alt_name=data_key_id
+        key_id=data_key_id
@@ -174 +172 @@ Exactly one of "key_id" or "key_alt_name" must be provided.
-In the following example, replace each `user input placeholder` with your own information.
+In the following example, replace each `placeholder` with your own information.
@@ -212 +210 @@ In the following example, replace each `user input placeholder` with your own in
-        # secrets manager is used to strore and retrieve user credentials for connecting to an Amazon DocumentDB cluster. 
+        # secrets manager is used to store and retrieve user credentials for connecting to an Amazon DocumentDB cluster. 
@@ -256 +254 @@ In the following example, replace each `user input placeholder` with your own in
-        doc["encryptedField"] = client_encryption.decrypt(doc["encryptedField"])
+        doc["firstName"] = client_encryption.decrypt(doc["firstName"])
@@ -268,29 +266 @@ In the following example, replace each `user input placeholder` with your own in
-Amazon DocumentDB supports point equality queries with client-side FLE. Inequality and comparison queries can return inaccurate results. Read and write operations may have unexpected or incorrect behavior as compared to issuing that same operation against the decrypted value.
-
-For example, to query filters for documents where gamerscore is greater than 500:
-    
-    
-    db.users.find( {
-        "gamerscore" : { $gt : 500 }
-    })
-
-The client uses an explicit encryption method to encrypt the query value:
-    
-    
-    encrypted_gamerscore_filter = client_encryption.encrypt(
-        500,
-            Algorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic,
-            key_alt_name=data_key_id
-            )
-    
-    db.users.find( {
-        "gamerscore" : { $gt : encrypted_gamerscore_filter }
-    } )
-
-In the find operation, Amazon DocumentDB compares the encrypted value of 500 to the encrypted field values stored in each document using the greater than inequality check. The inequality check in the find operation may return a different result when performed using decrypted data and value, even though the operation succeeds in generating results.
-
-## Limitations
-
-The following limitations apply to Amazon DocumentDB client-side field level encrytion:
-
-  * Amazon DocumentDB supports only point equality queries. Inequality and comparison queries can return inaccurate results. Read and write operations may have unexpected or incorrect behavior as compared to issuing that same operation against the decrypted value. To query filters for documents where gamerscore is greater than 500.
+Amazon DocumentDB only supports equality queries with client-side FLE encrypted values.
@@ -298,3 +268 @@ The following limitations apply to Amazon DocumentDB client-side field level enc
-        db.users.find( {
-        "gamerscore" : { $gt : 500 }
-        })
+For example, to query for documents where encrypted gamerscore equals 500 the client uses an explicit encryption method to encrypt the query value:
@@ -302 +269,0 @@ The following limitations apply to Amazon DocumentDB client-side field level enc
-The client uses an explicit encryption method to encrypt the query value.
@@ -307 +274 @@ The client uses an explicit encryption method to encrypt the query value.
-        key_alt_name=data_key_id
+        key_id=data_key_id
@@ -310,2 +277,2 @@ The client uses an explicit encryption method to encrypt the query value.
-    db.users.find({
-        "gamerscore" : { $gt : encrypted_gamerscore_filter }
+    coll.find( {
+        "gamerscore" : { "$eq" : encrypted_gamerscore_filter }
@@ -314,7 +280,0 @@ The client uses an explicit encryption method to encrypt the query value.
-In the find operation, Amazon DocumentDB compares the encrypted value of 500 to the encrypted field values stored in each document using the greater than inequality check. The inequality check in the find operation may return a different result when performed using decrypted data and value, even though the operation succeeds in generating results.
-
-  * Amazon DocumentDB does not support explicit client-side FLE from the Mongo Shell. However, the feature works with any of our supported drivers.
-
-
-
-