{"id":"d242bca7-077c-4482-940b-8c172dbd6d36","task":"Use AWS KMS EncryptionContext as additional authenticated data to bind ciphertext to its context","domain":"docs.aws.amazon.com","steps":["Design an EncryptionContext map whose key-value pairs uniquely identify the data being protected (e.g., {\"purpose\": \"user-record\", \"userId\": \"<identifier>\"}); avoid embedding sensitive values in context because it appears in CloudTrail logs","Supply the EncryptionContext in every Encrypt, GenerateDataKey, or GenerateDataKeyWithoutPlaintext call","Store the EncryptionContext alongside the ciphertext (it is not secret) so that decryption code can reconstruct and pass it to Decrypt","At decrypt time, pass the identical EncryptionContext; KMS will reject the request if the context does not match, preventing ciphertext misuse across contexts","Use CloudTrail to audit that all KMS calls include expected EncryptionContext keys; alert on calls missing the context","Document the EncryptionContext schema as part of your data format versioning so future code changes do not break decryption"],"gotchas":["EncryptionContext is logged in plaintext in CloudTrail; never include passwords, tokens, or PII as context values","The context is order-insensitive for cryptographic purposes but must contain the exact same key-value pairs; a missing or extra entry causes decryption failure","EncryptionContext does not encrypt the context itself; it is additional authenticated data bound to the ciphertext, not a secret"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:33.807Z"},"url":"https://mcp.waymark.network/r/d242bca7-077c-4482-940b-8c172dbd6d36"}