godaddy · chief-micco · Oct 11, 2025 · Nov 12, 2025 · Nov 15, 2025 · Nov 15, 2025
diff --git a/csharp/AppEncryption/AppEncryption.IntegrationTests/AppEncryption.IntegrationTests.csproj b/csharp/AppEncryption/AppEncryption.IntegrationTests/AppEncryption.IntegrationTests.csproj
@@ -5,12 +5,12 @@
         <RootNamespace>GoDaddy.Asherah.AppEncryption.IntegrationTests</RootNamespace>
         <EnableNETAnalyzers>true</EnableNETAnalyzers>
         <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
-        <AnalysisMode>Recommended</AnalysisMode>
+        <AnalysisMode>Minimum</AnalysisMode>
         <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
-        <NoWarn>$(NoWarn);CA1873</NoWarn>
+        <NoWarn>$(NoWarn);CS0618;CA1816;CA1873</NoWarn>
     </PropertyGroup>
     <ItemGroup Label="Package References">
-        <PackageReference Include="AWSSDK.SecurityToken" Version="4.0.4" />
+        <PackageReference Include="AWSSDK.SecurityToken" Version="4.0.4.1" />
         <PackageReference Include="coverlet.msbuild" Version="6.0.4">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>

diff --git a/csharp/AppEncryption/AppEncryption.IntegrationTests/GlobalSuppressions.cs b/csharp/AppEncryption/AppEncryption.IntegrationTests/GlobalSuppressions.cs
diff --git a/csharp/AppEncryption/AppEncryption.PlugIns.Aws/AppEncryption.PlugIns.Aws.csproj b/csharp/AppEncryption/AppEncryption.PlugIns.Aws/AppEncryption.PlugIns.Aws.csproj
@@ -0,0 +1,35 @@
+<Project Sdk="Microsoft.NET.Sdk">
+    <PropertyGroup>
+        <PackageId>GoDaddy.Asherah.AppEncryption.PlugIns.Aws</PackageId>
+        <Title>AppEncryption.PlugIns.Aws</Title>
+        <Authors>GoDaddy</Authors>
+        <Company>GoDaddy</Company>
+        <Description>AWS extensions for Application level envelope encryption SDK for C#</Description>
+        <TargetFrameworks>net8.0;net9.0;net10.0;netstandard2.0</TargetFrameworks>
+        <!-- NOTE: Version controlled via Directory.Build.props  -->
+        <!--<Version></Version>-->
+        <RootNamespace>GoDaddy.Asherah.AppEncryption.PlugIns.Aws</RootNamespace>
+        <EnableNETAnalyzers>true</EnableNETAnalyzers>
+        <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
+        <AnalysisMode>Recommended</AnalysisMode>
+        <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+        <GenerateDocumentationFile>true</GenerateDocumentationFile>
+        <!-- Properties related to NuGet packaging: -->
+        <PackageRequireLicenseAcceptance>False</PackageRequireLicenseAcceptance>
+        <PackageProjectUrl>https://github.com/godaddy/asherah</PackageProjectUrl>
+        <RepositoryUrl>https://github.com/godaddy/asherah/tree/main/csharp/AppEncryption</RepositoryUrl>
+        <PackageLicenseExpression>MIT</PackageLicenseExpression>
+        <IncludeSymbols>true</IncludeSymbols>
+        <SymbolPackageFormat>snupkg</SymbolPackageFormat>
+        <!-- End of Properties related to NuGet packaging: -->
+    </PropertyGroup>
+    <ItemGroup Label="Package References">
+        <PackageReference Include="AWSSDK.DynamoDBv2" Version="4.0.9.6"/>
+        <PackageReference Include="AWSSDK.KeyManagementService" Version="4.0.7.1" />
+        <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0"/>
+    </ItemGroup>
+    <ItemGroup Label="Project References">
+        <ProjectReference Include="../AppEncryption/AppEncryption.csproj"/>
+        <ProjectReference Include="../Crypto/Crypto.csproj"/>
+    </ItemGroup>
+</Project>
diff --git a/csharp/AppEncryption/AppEncryption.PlugIns.Aws/Kms/IKeyManagementClientFactory.cs b/csharp/AppEncryption/AppEncryption.PlugIns.Aws/Kms/IKeyManagementClientFactory.cs
@@ -0,0 +1,17 @@
+using Amazon.KeyManagementService;
+
+namespace GoDaddy.Asherah.AppEncryption.PlugIns.Aws.Kms
+{
+    /// <summary>
+    /// Factory interface for creating AWS KMS clients for specific regions.
+    /// </summary>
+    public interface IKeyManagementClientFactory
+    {
+        /// <summary>
+        /// Creates a KMS client for the specified region.
+        /// </summary>
+        /// <param name="region">The AWS region name.</param>
+        /// <returns>A KMS client configured for the specified region.</returns>
+        IAmazonKeyManagementService CreateForRegion(string region);
+    }
+}
diff --git a/csharp/AppEncryption/AppEncryption.PlugIns.Aws/Kms/IKeyManagementServiceBuilder.cs b/csharp/AppEncryption/AppEncryption.PlugIns.Aws/Kms/IKeyManagementServiceBuilder.cs
@@ -0,0 +1,58 @@
+using Amazon.Runtime;
+using Microsoft.Extensions.Logging;
+
+namespace GoDaddy.Asherah.AppEncryption.PlugIns.Aws.Kms
+{
+    /// <summary>
+    /// Builder for KeyManagementServiceOptions.
+    /// </summary>
+    public interface IKeyManagementServiceBuilder
+    {
+        /// <summary>
+        /// Adds a logger factory to the builder. Required for logging within the KeyManagementService.
+        /// </summary>
+        /// <param name="loggerFactory"><see cref="ILoggerFactory"/></param>
+        /// <returns><see cref="IKeyManagementServiceBuilder"/></returns>
+        IKeyManagementServiceBuilder WithLoggerFactory(ILoggerFactory loggerFactory);
+
+        /// <summary>
+        /// Credentials are needed to create the AWS KMS clients for each region.
+        /// This is not required if providing your own <see cref="IKeyManagementClientFactory"/>
+        /// which can handle credentials itself.
+        /// </summary>
+        /// <param name="credentials"><see cref="AWSCredentials"/></param>
+        /// <returns><see cref="IKeyManagementServiceBuilder"/></returns>
+        IKeyManagementServiceBuilder WithCredentials(AWSCredentials credentials);
+
+        /// <summary>
+        /// Use to provied your own implementation of <see cref="IKeyManagementClientFactory"/>.
+        /// This allows your application to customize the creation of the AWS KMS clients for each region requested.
+        /// </summary>
+        /// <param name="kmsClientFactory"><see cref="IKeyManagementClientFactory"/></param>
+        /// <returns><see cref="IKeyManagementServiceBuilder"/></returns>
+        IKeyManagementServiceBuilder WithKmsClientFactory(IKeyManagementClientFactory kmsClientFactory);
+
+        /// <summary>
+        /// Adds a region and key ARN pair to the builder. Note that this can be called multiple times to add multiple regions.
+        /// The order of the regions should be from most preferred to least preferred.
+        /// </summary>
+        /// <param name="region">A valid AWS region</param>
+        /// <param name="keyArn">The KMS key Arn from that region to use as your master key</param>
+        /// <returns><see cref="IKeyManagementServiceBuilder"/></returns>
+        IKeyManagementServiceBuilder WithRegionKeyArn(string region, string keyArn);
+
+        /// <summary>
+        /// Used to provide all the regions and key Anrs at once using a strongly typed options object.
+        /// This can easily be deserialized from a configuration file and used instead of calling WithRegionKeyArn multiple times.
+        /// </summary>
+        /// <param name="options"><see cref="KeyManagementServiceOptions"/></param>
+        /// <returns><see cref="IKeyManagementServiceBuilder"/></returns>
+        IKeyManagementServiceBuilder WithOptions(KeyManagementServiceOptions options);
+
+        /// <summary>
+        /// Returns a new instance of <see cref="KeyManagementService"/> with the configured options.
+        /// </summary>
+        /// <returns></returns>
+        KeyManagementService Build();
+    }
+}
diff --git a/csharp/AppEncryption/AppEncryption.PlugIns.Aws/Kms/KeyManagementClientFactory.cs b/csharp/AppEncryption/AppEncryption.PlugIns.Aws/Kms/KeyManagementClientFactory.cs
@@ -0,0 +1,48 @@
+using System;
+using Amazon;
+using Amazon.KeyManagementService;
+using Amazon.Runtime;
+
+namespace GoDaddy.Asherah.AppEncryption.PlugIns.Aws.Kms
+{
+    /// <summary>
+    /// Simple implementation of <see cref="IKeyManagementClientFactory"/> that creates KMS clients
+    /// for any region using provided AWS credentials. Alternative implementations can be used
+    /// if your application requires more complex credential management or client configuration.
+    /// </summary>
+    public class KeyManagementClientFactory : IKeyManagementClientFactory
+    {
+        private readonly AWSCredentials _credentials;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="KeyManagementClientFactory"/> class.
+        /// </summary>
+        /// <param name="credentials">The AWS credentials to use for authentication.</param>
+        public KeyManagementClientFactory(AWSCredentials credentials)
+        {
+            _credentials = credentials;
+        }
+
+        /// <inheritdoc/>
+        public IAmazonKeyManagementService CreateForRegion(string region)
+        {
+            if (string.IsNullOrWhiteSpace(region))
+            {
+                throw new ArgumentException("Region cannot be null or empty", nameof(region));
+            }
+
+            // GetBySystemName will always return a RegionEndpoint. Sometimes with an invalid-name
+            // but it could be working because AWS SDK matches to similar regions. So we don't
+            // do any extra validation on the regionEndpoint here because the application intention
+            // is not known
+            var regionEndpoint = RegionEndpoint.GetBySystemName(region);
+
+            var config = new AmazonKeyManagementServiceConfig
+            {
+                RegionEndpoint = regionEndpoint
+            };
+
+            return new AmazonKeyManagementServiceClient(_credentials, config);
+        }
+    }
+}