feat(data_masking): add new sensitive data masking utility (#2197)

Co-authored-by: Roger Zhang <[email protected]>
Co-authored-by: Leandro Damascena <[email protected]>
Co-authored-by: Roy Assis <[email protected]>
Co-authored-by: Ruben Fonseca <[email protected]>
Co-authored-by: Roger Zhang <[email protected]>
Co-authored-by: aal80 <[email protected]>
Co-authored-by: Seshu Brahma <[email protected]>
Co-authored-by: Heitor Lessa <[email protected]>

Author: 7 people

Makefile

@@ -7,13 +7,13 @@ target:
 dev:
 	pip install --upgrade pip pre-commit poetry
 	@$(MAKE) dev-version-plugin
-	poetry install --extras "all"
+	poetry install --extras "all datamasking-aws-sdk"
 	pre-commit install
 
 dev-gitpod:
 	pip install --upgrade pip poetry
 	@$(MAKE) dev-version-plugin
-	poetry install --extras "all"
+	poetry install --extras "all datamasking-aws-sdk"
 	pre-commit install
 
 format:

aws_lambda_powertools/utilities/data_masking/__init__.py

@@ -0,0 +1,5 @@
+from aws_lambda_powertools.utilities.data_masking.base import DataMasking
+
+__all__ = [
+    "DataMasking",
+]

aws_lambda_powertools/utilities/data_masking/base.py

@@ -0,0 +1,170 @@
+import json
+from typing import Optional, Union
+
+from aws_lambda_powertools.utilities.data_masking.provider import BaseProvider
+
+
+class DataMasking:
+    """
+    A utility class for masking sensitive data within various data types.
+
+    This class provides methods for masking sensitive information, such as personal
+    identifiers or confidential data, within different data types such as strings,
+    dictionaries, lists, and more. It helps protect sensitive information while
+    preserving the structure of the original data.
+
+    Usage:
+    Instantiate an object of this class and use its methods to mask sensitive data
+    based on the data type. Supported data types include strings, dictionaries,
+    and more.
+
+    Example:
+    ```
+    from aws_lambda_powertools.utilities.data_masking.base import DataMasking
+
+    def lambda_handler(event, context):
+        masker = DataMasking()
+
+        data = {
+            "project": "powertools",
+            "sensitive": "xxxxxxxxxx"
+        }
+
+        masked = masker.mask(data,fields=["sensitive"])
+
+        return masked
+
+    ```
+    """
+
+    def __init__(self, provider: Optional[BaseProvider] = None):
+        self.provider = provider or BaseProvider()
+
+    def encrypt(self, data, fields=None, **provider_options):
+        return self._apply_action(data, fields, self.provider.encrypt, **provider_options)
+
+    def decrypt(self, data, fields=None, **provider_options):
+        return self._apply_action(data, fields, self.provider.decrypt, **provider_options)
+
+    def mask(self, data, fields=None, **provider_options):
+        return self._apply_action(data, fields, self.provider.mask, **provider_options)
+
+    def _apply_action(self, data, fields, action, **provider_options):
+        """
+        Helper method to determine whether to apply a given action to the entire input data
+        or to specific fields if the 'fields' argument is specified.
+
+        Parameters
+        ----------
+        data : any
+            The input data to process.
+        fields : Optional[List[any]] = None
+            A list of fields to apply the action to. If 'None', the action is applied to the entire 'data'.
+        action : Callable
+           The action to apply to the data. It should be a callable that performs an operation on the data
+           and returns the modified value.
+
+        Returns
+        -------
+        any
+            The modified data after applying the action.
+        """
+
+        if fields is not None:
+            return self._apply_action_to_fields(data, fields, action, **provider_options)
+        else:
+            return action(data, **provider_options)
+
+    def _apply_action_to_fields(
+        self,
+        data: Union[dict, str],
+        fields: list,
+        action,
+        **provider_options,
+    ) -> Union[dict, str]:
+        """
+        This method takes the input data, which can be either a dictionary or a JSON string,
+        and applies a mask, an encryption, or a decryption to the specified fields.
+
+        Parameters
+        ----------
+            data : Union[dict, str])
+                The input data to process. It can be either a dictionary or a JSON string.
+            fields : List
+                A list of fields to apply the action to. Each field can be specified as a string or
+                a list of strings representing nested keys in the dictionary.
+            action : Callable
+                The action to apply to the fields. It should be a callable that takes the current
+                value of the field as the first argument and any additional arguments that might be required
+                for the action. It performs an operation on the current value using the provided arguments and
+                returns the modified value.
+            **provider_options:
+                Additional keyword arguments to pass to the 'action' function.
+
+        Returns
+        -------
+            dict
+                The modified dictionary after applying the action to the
+            specified fields.
+
+        Raises
+        -------
+            ValueError
+                If 'fields' parameter is None.
+            TypeError
+                If the 'data' parameter is not a traversable type
+
+        Example
+        -------
+        ```python
+        >>> data = {'a': {'b': {'c': 1}}, 'x': {'y': 2}}
+        >>> fields = ['a.b.c', 'a.x.y']
+        # The function will transform the value at 'a.b.c' (1) and 'a.x.y' (2)
+        # and store the result as:
+        new_dict = {'a': {'b': {'c': 'transformed_value'}}, 'x': {'y': 'transformed_value'}}
+        ```
+        """
+
+        if fields is None:
+            raise ValueError("No fields specified.")
+
+        if isinstance(data, str):
+            # Parse JSON string as dictionary
+            my_dict_parsed = json.loads(data)
+        elif isinstance(data, dict):
+            # In case their data has keys that are not strings (i.e. ints), convert it all into a JSON string
+            my_dict_parsed = json.dumps(data)
+            # Turn back into dict so can parse it
+            my_dict_parsed = json.loads(my_dict_parsed)
+        else:
+            raise TypeError(
+                f"Unsupported data type for 'data' parameter. Expected a traversable type, but got {type(data)}.",
+            )
+
+        # For example: ['a.b.c'] in ['a.b.c', 'a.x.y']
+        for nested_key in fields:
+            # Prevent overriding loop variable
+            curr_nested_key = nested_key
+
+            # If the nested_key is not a string, convert it to a string representation
+            if not isinstance(curr_nested_key, str):
+                curr_nested_key = json.dumps(curr_nested_key)
+
+            # Split the nested key string into a list of nested keys
+            # ['a.b.c'] -> ['a', 'b', 'c']
+            keys = curr_nested_key.split(".")
+
+            # Initialize a current dictionary to the root dictionary
+            curr_dict = my_dict_parsed
+
+            # Traverse the dictionary hierarchy by iterating through the list of nested keys
+            for key in keys[:-1]:
+                curr_dict = curr_dict[key]
+
+            # Retrieve the final value of the nested field
+            valtochange = curr_dict[(keys[-1])]
+
+            # Apply the specified 'action' to the target value
+            curr_dict[keys[-1]] = action(valtochange, **provider_options)
+
+        return my_dict_parsed

aws_lambda_powertools/utilities/data_masking/constants.py

@@ -0,0 +1,5 @@
+DATA_MASKING_STRING: str = "*****"
+CACHE_CAPACITY: int = 100
+MAX_CACHE_AGE_SECONDS: float = 300.0
+MAX_MESSAGES_ENCRYPTED: int = 200
+# NOTE: You can also set max messages/bytes per data key

aws_lambda_powertools/utilities/data_masking/provider/__init__.py

@@ -0,0 +1,5 @@
+from aws_lambda_powertools.utilities.data_masking.provider.base import BaseProvider
+
+__all__ = [
+    "BaseProvider",
+]

aws_lambda_powertools/utilities/data_masking/provider/base.py

@@ -0,0 +1,34 @@
+import json
+from typing import Any
+
+from aws_lambda_powertools.utilities.data_masking.constants import DATA_MASKING_STRING
+
+
+class BaseProvider:
+    """
+    When you try to create an instance of a subclass that does not implement the encrypt method,
+    you will get a NotImplementedError with a message that says the method is not implemented:
+    """
+
+    def __init__(self, json_serializer=None, json_deserializer=None) -> None:
+        self.json_serializer = json_serializer or self.default_json_serializer
+        self.json_deserializer = json_deserializer or self.default_json_deserializer
+
+    def default_json_serializer(self, data):
+        return json.dumps(data).encode("utf-8")
+
+    def default_json_deserializer(self, data):
+        return json.loads(data.decode("utf-8"))
+
+    def encrypt(self, data) -> str:
+        raise NotImplementedError("Subclasses must implement encrypt()")
+
+    def decrypt(self, data) -> Any:
+        raise NotImplementedError("Subclasses must implement decrypt()")
+
+    def mask(self, data) -> Any:
+        if isinstance(data, (str, dict, bytes)):
+            return DATA_MASKING_STRING
+        elif isinstance(data, (list, tuple, set)):
+            return type(data)([DATA_MASKING_STRING] * len(data))
+        return DATA_MASKING_STRING

aws_lambda_powertools/utilities/data_masking/provider/kms/__init__.py

@@ -0,0 +1,5 @@
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import AwsEncryptionSdkProvider
+
+__all__ = [
+    "AwsEncryptionSdkProvider",
+]

aws_lambda_powertools/utilities/data_masking/provider/kms/aws_encryption_sdk.py

@@ -0,0 +1,177 @@
+from __future__ import annotations
+
+import base64
+from typing import Any, Callable, Dict, List
+
+import botocore
+from aws_encryption_sdk import (
+    CachingCryptoMaterialsManager,
+    EncryptionSDKClient,
+    LocalCryptoMaterialsCache,
+    StrictAwsKmsMasterKeyProvider,
+)
+
+from aws_lambda_powertools.shared.user_agent import register_feature_to_botocore_session
+from aws_lambda_powertools.utilities.data_masking.constants import (
+    CACHE_CAPACITY,
+    MAX_CACHE_AGE_SECONDS,
+    MAX_MESSAGES_ENCRYPTED,
+)
+from aws_lambda_powertools.utilities.data_masking.provider import BaseProvider
+
+
+class ContextMismatchError(Exception):
+    def __init__(self, key):
+        super().__init__(f"Encryption Context does not match expected value for key: {key}")
+        self.key = key
+
+
+class AwsEncryptionSdkProvider(BaseProvider):
+    """
+    The AwsEncryptionSdkProvider is used as a provider for the DataMasking class.
+
+    This provider allows you to perform data masking using the AWS Encryption SDK
+    for encryption and decryption. It integrates with the DataMasking class to
+    securely encrypt and decrypt sensitive data.
+
+    Usage Example:
+    ```
+    from aws_lambda_powertools.utilities.data_masking import DataMasking
+    from aws_lambda_powertools.utilities.data_masking.providers.kms.aws_encryption_sdk import (
+        AwsEncryptionSdkProvider,
+    )
+
+
+    def lambda_handler(event, context):
+        provider = AwsEncryptionSdkProvider(["arn:aws:kms:us-east-1:0123456789012:key/key-id"])
+        masker = DataMasking(provider=provider)
+
+        data = {
+            "project": "powertools",
+            "sensitive": "xxxxxxxxxx"
+        }
+
+        masked = masker.encrypt(data,fields=["sensitive"])
+
+        return masked
+
+    ```
+    """
+
+    def __init__(
+        self,
+        keys: List[str],
+        key_provider=None,
+        local_cache_capacity: int = CACHE_CAPACITY,
+        max_cache_age_seconds: float = MAX_CACHE_AGE_SECONDS,
+        max_messages_encrypted: int = MAX_MESSAGES_ENCRYPTED,
+        json_serializer: Callable | None = None,
+        json_deserializer: Callable | None = None,
+    ):
+        super().__init__(json_serializer=json_serializer, json_deserializer=json_deserializer)
+
+        self._key_provider = key_provider or KMSKeyProvider(
+            keys=keys,
+            local_cache_capacity=local_cache_capacity,
+            max_cache_age_seconds=max_cache_age_seconds,
+            max_messages_encrypted=max_messages_encrypted,
+            json_serializer=self.json_serializer,
+            json_deserializer=self.json_deserializer,
+        )
+
+    def encrypt(self, data: bytes | str | Dict | int, **provider_options) -> str:
+        return self._key_provider.encrypt(data=data, **provider_options)
+
+    def decrypt(self, data: str, **provider_options) -> Any:
+        return self._key_provider.decrypt(data=data, **provider_options)
+
+
+class KMSKeyProvider:
+
+    """
+    The KMSKeyProvider is responsible for assembling an AWS Key Management Service (KMS)
+    client, a caching mechanism, and a keyring for secure key management and data encryption.
+    """
+
+    def __init__(
+        self,
+        keys: List[str],
+        json_serializer: Callable,
+        json_deserializer: Callable,
+        local_cache_capacity: int = CACHE_CAPACITY,
+        max_cache_age_seconds: float = MAX_CACHE_AGE_SECONDS,
+        max_messages_encrypted: int = MAX_MESSAGES_ENCRYPTED,
+    ):
+        session = botocore.session.Session()
+        register_feature_to_botocore_session(session, "data-masking")
+
+        self.json_serializer = json_serializer
+        self.json_deserializer = json_deserializer
+        self.client = EncryptionSDKClient()
+        self.keys = keys
+        self.cache = LocalCryptoMaterialsCache(local_cache_capacity)
+        self.key_provider = StrictAwsKmsMasterKeyProvider(key_ids=self.keys, botocore_session=session)
+        self.cache_cmm = CachingCryptoMaterialsManager(
+            master_key_provider=self.key_provider,
+            cache=self.cache,
+            max_age=max_cache_age_seconds,
+            max_messages_encrypted=max_messages_encrypted,
+        )
+
+    def encrypt(self, data: bytes | str | Dict | float, **provider_options) -> str:
+        """
+        Encrypt data using the AwsEncryptionSdkProvider.
+
+        Parameters
+        -------
+            data : Union[bytes, str]
+                The data to be encrypted.
+            provider_options
+                Additional options for the aws_encryption_sdk.EncryptionSDKClient
+
+        Returns
+        -------
+            ciphertext : str
+                The encrypted data, as a base64-encoded string.
+        """
+        data_encoded = self.json_serializer(data)
+        ciphertext, _ = self.client.encrypt(
+            source=data_encoded,
+            materials_manager=self.cache_cmm,
+            **provider_options,
+        )
+        ciphertext = base64.b64encode(ciphertext).decode()
+        return ciphertext
+
+    def decrypt(self, data: str, **provider_options) -> Any:
+        """
+        Decrypt data using AwsEncryptionSdkProvider.
+
+        Parameters
+        -------
+            data : Union[bytes, str]
+                The encrypted data, as a base64-encoded string
+            provider_options
+                Additional options for the aws_encryption_sdk.EncryptionSDKClient
+
+        Returns
+        -------
+            ciphertext : bytes
+                The decrypted data in bytes
+        """
+        ciphertext_decoded = base64.b64decode(data)
+
+        expected_context = provider_options.pop("encryption_context", {})
+
+        ciphertext, decryptor_header = self.client.decrypt(
+            source=ciphertext_decoded,
+            key_provider=self.key_provider,
+            **provider_options,
+        )
+
+        for key, value in expected_context.items():
+            if decryptor_header.encryption_context.get(key) != value:
+                raise ContextMismatchError(key)
+
+        ciphertext = self.json_deserializer(ciphertext)
+        return ciphertext

mypy.ini

@@ -12,6 +12,12 @@ disable_error_code = annotation-unchecked
 [mypy-jmespath]
 ignore_missing_imports=True
 
+[mypy-aws_encryption_sdk]
+ignore_missing_imports=True
+
+[mypy-sentry_sdk]
+ignore_missing_imports=True
+
 [mypy-jmespath.exceptions]
 ignore_missing_imports=True
 

poetry.lock

@@ -4,21 +4,31 @@ version = "2.25.1"
 description = "Powertools for AWS Lambda (Python) is a developer toolkit to implement Serverless best practices and increase developer velocity."
 authors = ["Amazon Web Services"]
 include = ["aws_lambda_powertools/py.typed", "THIRD-PARTY-LICENSES"]
-classifiers=[
-    "Development Status :: 5 - Production/Stable",
-    "Intended Audience :: Developers",
-    "License :: OSI Approved :: MIT No Attribution License (MIT-0)",
-    "Natural Language :: English",
-    "Programming Language :: Python :: 3.7",
-    "Programming Language :: Python :: 3.8",
-    "Programming Language :: Python :: 3.9",
-    "Programming Language :: Python :: 3.10",
-    "Programming Language :: Python :: 3.11",
+classifiers = [
+  "Development Status :: 5 - Production/Stable",
+  "Intended Audience :: Developers",
+  "License :: OSI Approved :: MIT No Attribution License (MIT-0)",
+  "Natural Language :: English",
+  "Programming Language :: Python :: 3.7",
+  "Programming Language :: Python :: 3.8",
+  "Programming Language :: Python :: 3.9",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
 ]
 repository = "https://github.com/aws-powertools/powertools-lambda-python"
 documentation = "https://docs.powertools.aws.dev/lambda/python/"
 readme = "README.md"
-keywords = ["aws_lambda_powertools", "aws", "tracing", "logging", "lambda", "powertools", "feature_flags", "idempotency", "middleware"]
+keywords = [
+  "aws_lambda_powertools",
+  "aws",
+  "tracing",
+  "logging",
+  "lambda",
+  "powertools",
+  "feature_flags",
+  "idempotency",
+  "middleware",
+]
 # MIT-0 is not recognized as an existing license from poetry.
 # By using `MIT` as a license value, a `License :: OSI Approved :: MIT License` classifier is added to the classifiers list.
 license = "MIT"
@@ -35,6 +45,7 @@ pydantic = { version = "^1.8.2", optional = true }
 boto3 = { version = "^1.20.32", optional = true }
 typing-extensions = "^4.6.2"
 datadog-lambda = { version = "^4.77.0", optional = true }
+aws-encryption-sdk = { version = "^3.1.1", optional = true }
 
 [tool.poetry.dev-dependencies]
 coverage = {extras = ["toml"], version = "^7.2"}
@@ -86,7 +97,8 @@ tracer = ["aws-xray-sdk"]
 all = ["pydantic", "aws-xray-sdk", "fastjsonschema"]
 # allow customers to run code locally without emulators (SAM CLI, etc.)
 aws-sdk = ["boto3"]
-datadog=["datadog-lambda"]
+datadog = ["datadog-lambda"]
+datamasking-aws-sdk = ["aws-encryption-sdk"]
 
 [tool.poetry.group.dev.dependencies]
 cfn-lint = "0.80.3"
@@ -96,10 +108,16 @@ httpx = ">=0.23.3,<0.25.0"
 sentry-sdk = "^1.22.2"
 ruff = ">=0.0.272,<0.0.292"
 retry2 = "^0.9.5"
+pytest-socket = "^0.6.0"
 
 [tool.coverage.run]
 source = ["aws_lambda_powertools"]
-omit = ["tests/*", "aws_lambda_powertools/exceptions/*", "aws_lambda_powertools/utilities/parser/types.py", "aws_lambda_powertools/utilities/jmespath_utils/envelopes.py"]
+omit = [
+  "tests/*",
+  "aws_lambda_powertools/exceptions/*",
+  "aws_lambda_powertools/utilities/parser/types.py",
+  "aws_lambda_powertools/utilities/jmespath_utils/envelopes.py",
+]
 branch = true
 
 [tool.coverage.html]
@@ -109,26 +127,26 @@ title = "Powertools for AWS Lambda (Python) Test Coverage"
 [tool.coverage.report]
 fail_under = 90
 exclude_lines = [
-    # Have to re-enable the standard pragma
-    "pragma: no cover",
+  # Have to re-enable the standard pragma
+  "pragma: no cover",
 
-    # Don't complain about missing debug-only code:
-    "def __repr__",
-    "if self.debug",
+  # Don't complain about missing debug-only code:
+  "def __repr__",
+  "if self.debug",
 
-    # Don't complain if tests don't hit defensive assertion code:
-    "raise AssertionError",
-    "raise NotImplementedError",
+  # Don't complain if tests don't hit defensive assertion code:
+  "raise AssertionError",
+  "raise NotImplementedError",
 
-    # Don't complain if non-runnable code isn't run:
-    "if 0:",
-    "if __name__ == .__main__.:",
+  # Don't complain if non-runnable code isn't run:
+  "if 0:",
+  "if __name__ == .__main__.:",
 
-    # Ignore runtime type checking
-    "if TYPE_CHECKING:",
+  # Ignore runtime type checking
+  "if TYPE_CHECKING:",
 
-    # Ignore type function overload
-    "@overload",
+  # Ignore type function overload
+  "@overload",
 ]
 
 [tool.isort]
@@ -161,16 +179,16 @@ minversion = "6.0"
 addopts = "-ra -vv"
 testpaths = "./tests"
 markers = [
-    "perf: marks perf tests to be deselected (deselect with '-m \"not perf\"')",
+  "perf: marks perf tests to be deselected (deselect with '-m \"not perf\"')",
 ]
 
 # MAINTENANCE: Remove these lines when drop support to Pydantic v1
-filterwarnings=[
+filterwarnings = [
   "ignore:.*The `parse_obj` method is deprecated*:DeprecationWarning",
   "ignore:.*The `parse_raw` method is deprecated*:DeprecationWarning",
   "ignore:.*load_str_bytes is deprecated*:DeprecationWarning",
   "ignore:.*The `dict` method is deprecated; use `model_dump` instead*:DeprecationWarning",
-  "ignore:.*Pydantic V1 style `@validator` validators are deprecated*:DeprecationWarning"
+  "ignore:.*Pydantic V1 style `@validator` validators are deprecated*:DeprecationWarning",
 ]
 
 [build-system]

pyproject.toml

@@ -0,0 +1,19 @@
+import pytest
+
+from tests.e2e.data_masking.infrastructure import DataMaskingStack
+
+
+@pytest.fixture(autouse=True, scope="package")
+def infrastructure():
+    """Setup and teardown logic for E2E test infrastructure
+
+    Yields
+    ------
+    Dict[str, str]
+        CloudFormation Outputs from deployed infrastructure
+    """
+    stack = DataMaskingStack()
+    try:
+        yield stack.deploy()
+    finally:
+        stack.delete()

tests/e2e/data_masking/__init__.py

@@ -0,0 +1,23 @@
+from aws_lambda_powertools import Logger
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import AwsEncryptionSdkProvider
+
+logger = Logger()
+
+
+@logger.inject_lambda_context
+def lambda_handler(event, context):
+    # Generating logs for test_encryption_in_logs test
+    message, append_keys = event.get("message", ""), event.get("append_keys", {})
+    logger.append_keys(**append_keys)
+    logger.info(message)
+
+    # Encrypting data for test_encryption_in_handler test
+    kms_key = event.get("kms_key", "")
+    data_masker = DataMasking(provider=AwsEncryptionSdkProvider(keys=[kms_key]))
+    value = [1, 2, "string", 4.5]
+    encrypted_data = data_masker.encrypt(value)
+    response = {}
+    response["encrypted_data"] = encrypted_data
+
+    return response

tests/e2e/data_masking/conftest.py

@@ -0,0 +1,20 @@
+import aws_cdk.aws_kms as kms
+from aws_cdk import CfnOutput, Duration
+from aws_cdk import aws_iam as iam
+
+from tests.e2e.utils.infrastructure import BaseInfrastructure
+
+
+class DataMaskingStack(BaseInfrastructure):
+    def create_resources(self):
+        functions = self.create_lambda_functions(function_props={"timeout": Duration.seconds(10)})
+
+        key1 = kms.Key(self.stack, "MyKMSKey1", description="My KMS Key1")
+        CfnOutput(self.stack, "KMSKey1Arn", value=key1.key_arn, description="ARN of the created KMS Key1")
+
+        key2 = kms.Key(self.stack, "MyKMSKey2", description="My KMS Key2")
+        CfnOutput(self.stack, "KMSKey2Arn", value=key2.key_arn, description="ARN of the created KMS Key2")
+
+        functions["BasicHandler"].add_to_role_policy(
+            iam.PolicyStatement(effect=iam.Effect.ALLOW, actions=["kms:*"], resources=[key1.key_arn, key2.key_arn]),
+        )

tests/e2e/data_masking/handlers/basic_handler.py

@@ -0,0 +1,151 @@
+import json
+from uuid import uuid4
+
+import pytest
+from aws_encryption_sdk.exceptions import DecryptKeyError
+
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import (
+    AwsEncryptionSdkProvider,
+    ContextMismatchError,
+)
+from tests.e2e.utils import data_fetcher
+
+
+@pytest.fixture
+def basic_handler_fn(infrastructure: dict) -> str:
+    return infrastructure.get("BasicHandler", "")
+
+
+@pytest.fixture
+def basic_handler_fn_arn(infrastructure: dict) -> str:
+    return infrastructure.get("BasicHandlerArn", "")
+
+
+@pytest.fixture
+def kms_key1_arn(infrastructure: dict) -> str:
+    return infrastructure.get("KMSKey1Arn", "")
+
+
+@pytest.fixture
+def kms_key2_arn(infrastructure: dict) -> str:
+    return infrastructure.get("KMSKey2Arn", "")
+
+
+@pytest.fixture
+def data_masker(kms_key1_arn) -> DataMasking:
+    return DataMasking(provider=AwsEncryptionSdkProvider(keys=[kms_key1_arn]))
+
+
+@pytest.mark.xdist_group(name="data_masking")
+def test_encryption(data_masker):
+    # GIVEN an instantiation of DataMasking with the AWS encryption provider
+
+    # AWS Encryption SDK encrypt method only takes in bytes or strings
+    value = [1, 2, "string", 4.5]
+
+    # WHEN encrypting and then decrypting the encrypted data
+    encrypted_data = data_masker.encrypt(value)
+    decrypted_data = data_masker.decrypt(encrypted_data)
+
+    # THEN the result is the original input data
+    assert decrypted_data == value
+
+
+@pytest.mark.xdist_group(name="data_masking")
+def test_encryption_context(data_masker):
+    # GIVEN an instantiation of DataMasking with the AWS encryption provider
+
+    value = [1, 2, "string", 4.5]
+    context = {"this": "is_secure"}
+
+    # WHEN encrypting and then decrypting the encrypted data with an encryption_context
+    encrypted_data = data_masker.encrypt(value, encryption_context=context)
+    decrypted_data = data_masker.decrypt(encrypted_data, encryption_context=context)
+
+    # THEN the result is the original input data
+    assert decrypted_data == value
+
+
+@pytest.mark.xdist_group(name="data_masking")
+def test_encryption_context_mismatch(data_masker):
+    # GIVEN an instantiation of DataMasking with the AWS encryption provider
+
+    value = [1, 2, "string", 4.5]
+
+    # WHEN encrypting with a encryption_context
+    encrypted_data = data_masker.encrypt(value, encryption_context={"this": "is_secure"})
+
+    # THEN decrypting with a different encryption_context should raise a ContextMismatchError
+    with pytest.raises(ContextMismatchError):
+        data_masker.decrypt(encrypted_data, encryption_context={"not": "same_context"})
+
+
+@pytest.mark.xdist_group(name="data_masking")
+def test_encryption_no_context_fail(data_masker):
+    # GIVEN an instantiation of DataMasking with the AWS encryption provider
+
+    value = [1, 2, "string", 4.5]
+
+    # WHEN encrypting with no encryption_context
+    encrypted_data = data_masker.encrypt(value)
+
+    # THEN decrypting with an encryption_context should raise a ContextMismatchError
+    with pytest.raises(ContextMismatchError):
+        data_masker.decrypt(encrypted_data, encryption_context={"this": "is_secure"})
+
+
+@pytest.mark.xdist_group(name="data_masking")
+def test_encryption_decryption_key_mismatch(data_masker, kms_key2_arn):
+    # GIVEN an instantiation of DataMasking with the AWS encryption provider with a certain key
+
+    # WHEN encrypting and then decrypting the encrypted data
+    value = [1, 2, "string", 4.5]
+    encrypted_data = data_masker.encrypt(value)
+
+    # THEN when decrypting with a different key it should fail
+    data_masker_key2 = DataMasking(provider=AwsEncryptionSdkProvider(keys=[kms_key2_arn]))
+
+    with pytest.raises(DecryptKeyError):
+        data_masker_key2.decrypt(encrypted_data)
+
+
+@pytest.mark.xdist_group(name="data_masking")
+def test_encryption_in_logs(data_masker, basic_handler_fn, basic_handler_fn_arn, kms_key1_arn):
+    # GIVEN an instantiation of DataMasking with the AWS encryption provider
+
+    # WHEN encrypting a value and logging it
+    value = [1, 2, "string", 4.5]
+    encrypted_data = data_masker.encrypt(value)
+    message = encrypted_data
+    custom_key = "order_id"
+    additional_keys = {custom_key: f"{uuid4()}"}
+    payload = json.dumps({"message": message, "kms_key": kms_key1_arn, "append_keys": additional_keys})
+
+    _, execution_time = data_fetcher.get_lambda_response(lambda_arn=basic_handler_fn_arn, payload=payload)
+    data_fetcher.get_lambda_response(lambda_arn=basic_handler_fn_arn, payload=payload)
+
+    logs = data_fetcher.get_logs(function_name=basic_handler_fn, start_time=execution_time, minimum_log_entries=2)
+
+    # THEN decrypting it from the logs should show the original value
+    for log in logs.get_log(key=custom_key):
+        encrypted_data = log.message
+        decrypted_data = data_masker.decrypt(encrypted_data)
+        assert decrypted_data == value
+
+
+@pytest.mark.xdist_group(name="data_masking")
+def test_encryption_in_handler(data_masker, basic_handler_fn_arn, kms_key1_arn):
+    # GIVEN a lambda_handler with an instantiation the AWS encryption provider data masker
+
+    payload = {"kms_key": kms_key1_arn}
+
+    # WHEN the handler is invoked to encrypt data
+    handler_result, _ = data_fetcher.get_lambda_response(lambda_arn=basic_handler_fn_arn, payload=json.dumps(payload))
+
+    response = json.loads(handler_result["Payload"].read())
+    encrypted_data = response["encrypted_data"]
+    decrypted_data = data_masker.decrypt(encrypted_data)
+
+    # THEN decrypting the encrypted data from the response should result in the original value
+    assert decrypted_data == [1, 2, "string", 4.5]

tests/e2e/data_masking/infrastructure.py

@@ -1,6 +1,6 @@
-import logging
 import subprocess
 from pathlib import Path
+from typing import List
 
 from aws_cdk.aws_lambda import Architecture
 from checksumdir import dirhash
@@ -9,18 +9,20 @@
 from tests.e2e.utils.constants import CDK_OUT_PATH, SOURCE_CODE_ROOT_PATH
 from tests.e2e.utils.lambda_layer.base import BaseLocalLambdaLayer
 
-logger = logging.getLogger(__name__)
-
 
 class LocalLambdaPowertoolsLayer(BaseLocalLambdaLayer):
     IGNORE_EXTENSIONS = ["pyc"]
+    ARCHITECTURE_PLATFORM_MAPPING = {
+        Architecture.X86_64.name: ("manylinux_2_17_x86_64", "manylinux_2_28_x86_64"),
+        Architecture.ARM_64.name: ("manylinux_2_17_aarch64", "manylinux_2_28_aarch64"),
+    }
 
     def __init__(self, output_dir: Path = CDK_OUT_PATH, architecture: Architecture = Architecture.X86_64):
         super().__init__(output_dir)
         self.package = f"{SOURCE_CODE_ROOT_PATH}[all]"
 
-        platform_name = self._resolve_platform(architecture)
-        self.build_args = f"--platform {platform_name} --only-binary=:all: --upgrade"
+        self.platform_args = self._resolve_platform(architecture)
+        self.build_args = f"{self.platform_args} --only-binary=:all: --upgrade"
         self.build_command = f"python -m pip install {self.package} {self.build_args} --target {self.target_dir}"
         self.cleanup_command = (
             f"rm -rf {self.target_dir}/boto* {self.target_dir}/s3transfer* && "
@@ -62,16 +64,20 @@ def _has_source_changed(self) -> bool:
         return False
 
     def _resolve_platform(self, architecture: Architecture) -> str:
-        """Returns the correct plaform name for the manylinux project (see PEP 599)
+        """Returns the correct pip platform tag argument for the manylinux project (see PEP 599)
 
         Returns
         -------
-        platform_name : str
-            The platform tag
+        str
+            pip's platform argument, e.g., --platform manylinux_2_17_x86_64 --platform manylinux_2_28_x86_64
         """
-        if architecture.name == Architecture.X86_64.name:
-            return "manylinux1_x86_64"
-        elif architecture.name == Architecture.ARM_64.name:
-            return "manylinux2014_aarch64"
-        else:
-            raise ValueError(f"unknown architecture {architecture.name}")
+        platforms = self.ARCHITECTURE_PLATFORM_MAPPING.get(architecture.name)
+        if not platforms:
+            raise ValueError(
+                f"unknown architecture {architecture.name}. Supported: {self.ARCHITECTURE_PLATFORM_MAPPING.keys()}",
+            )
+
+        return self._build_platform_args(platforms)
+
+    def _build_platform_args(self, platforms: List[str]):
+        return " ".join([f"--platform {platform}" for platform in platforms])

tests/e2e/data_masking/test_e2e_data_masking.py

@@ -0,0 +1,6 @@
+from pytest_socket import disable_socket
+
+
+def pytest_runtest_setup():
+    """Disable Unix and TCP sockets for Data masking tests"""
+    disable_socket()

tests/e2e/utils/lambda_layer/powertools_layer.py

@@ -0,0 +1,283 @@
+from __future__ import annotations
+
+import base64
+import json
+from typing import Any, Callable, Dict, Union
+
+import pytest
+
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.constants import DATA_MASKING_STRING
+from aws_lambda_powertools.utilities.data_masking.provider import BaseProvider
+from aws_lambda_powertools.utilities.data_masking.provider.kms import (
+    AwsEncryptionSdkProvider,
+)
+
+
+class FakeEncryptionKeyProvider(BaseProvider):
+    def __init__(
+        self,
+        json_serializer: Callable[[Dict], str] | None = None,
+        json_deserializer: Callable[[Union[Dict, str, bool, int, float]], str] | None = None,
+    ):
+        super().__init__(json_serializer=json_serializer, json_deserializer=json_deserializer)
+
+    def encrypt(self, data: bytes | str, **kwargs) -> str:
+        data = self.json_serializer(data)
+        ciphertext = base64.b64encode(data).decode()
+        return ciphertext
+
+    def decrypt(self, data: bytes, **kwargs) -> Any:
+        ciphertext_decoded = base64.b64decode(data)
+        ciphertext = self.json_deserializer(ciphertext_decoded)
+        return ciphertext
+
+
+@pytest.fixture
+def data_masker(monkeypatch) -> DataMasking:
+    """DataMasking using AWS Encryption SDK Provider with a fake client"""
+    fake_key_provider = FakeEncryptionKeyProvider()
+    provider = AwsEncryptionSdkProvider(
+        keys=["dummy"],
+        key_provider=fake_key_provider,
+    )
+    return DataMasking(provider=provider)
+
+
+def test_mask_int(data_masker):
+    # GIVEN an int data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask(42)
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_float(data_masker):
+    # GIVEN a float data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask(4.2)
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_bool(data_masker):
+    # GIVEN a bool data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask(True)
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_none(data_masker):
+    # GIVEN a None data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask(None)
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_str(data_masker):
+    # GIVEN a str data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask("this is a string")
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_list(data_masker):
+    # GIVEN a list data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask([1, 2, "string", 3])
+
+    # THEN the result is the data masked, while maintaining type list
+    assert masked_string == [DATA_MASKING_STRING, DATA_MASKING_STRING, DATA_MASKING_STRING, DATA_MASKING_STRING]
+
+
+def test_mask_dict(data_masker):
+    # GIVEN a dict data type
+    data = {
+        "a": {
+            "1": {"None": "hello", "four": "world"},
+            "b": {"3": {"4": "goodbye", "e": "world"}},
+        },
+    }
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask(data)
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_dict_with_fields(data_masker):
+    # GIVEN a dict data type
+    data = {
+        "a": {
+            "1": {"None": "hello", "four": "world"},
+            "b": {"3": {"4": "goodbye", "e": "world"}},
+        },
+    }
+
+    # WHEN mask is called with a list of fields specified
+    masked_string = data_masker.mask(data, fields=["a.1.None", "a.b.3.4"])
+
+    # THEN the result is only the specified fields are masked
+    assert masked_string == {
+        "a": {
+            "1": {"None": DATA_MASKING_STRING, "four": "world"},
+            "b": {"3": {"4": DATA_MASKING_STRING, "e": "world"}},
+        },
+    }
+
+
+def test_mask_json_dict_with_fields(data_masker):
+    # GIVEN the data type is a json representation of a dictionary
+    data = json.dumps(
+        {
+            "a": {
+                "1": {"None": "hello", "four": "world"},
+                "b": {"3": {"4": "goodbye", "e": "world"}},
+            },
+        },
+    )
+
+    # WHEN mask is called with a list of fields specified
+    masked_json_string = data_masker.mask(data, fields=["a.1.None", "a.b.3.4"])
+
+    # THEN the result is only the specified fields are masked
+    assert masked_json_string == {
+        "a": {
+            "1": {"None": DATA_MASKING_STRING, "four": "world"},
+            "b": {"3": {"4": DATA_MASKING_STRING, "e": "world"}},
+        },
+    }
+
+
+def test_encrypt_int(data_masker):
+    # GIVEN an int data type
+
+    # WHEN encrypting and then decrypting the encrypted data
+    encrypted_data = data_masker.encrypt(-1)
+    decrypted_data = data_masker.decrypt(encrypted_data)
+
+    # THEN the result is the original input data
+    assert decrypted_data == -1
+
+
+def test_encrypt_float(data_masker):
+    # GIVEN an float data type
+
+    # WHEN encrypting and then decrypting the encrypted data
+    encrypted_data = data_masker.encrypt(-1.11)
+    decrypted_data = data_masker.decrypt(encrypted_data)
+
+    # THEN the result is the original input data
+    assert decrypted_data == -1.11
+
+
+def test_encrypt_bool(data_masker):
+    # GIVEN an bool data type
+
+    # WHEN encrypting and then decrypting the encrypted data
+    encrypted_data = data_masker.encrypt(True)
+    decrypted_data = data_masker.decrypt(encrypted_data)
+
+    # THEN the result is the original input data
+    assert decrypted_data is True
+
+
+def test_encrypt_none(data_masker):
+    # GIVEN an none data type
+
+    # WHEN encrypting and then decrypting the encrypted data
+    encrypted_data = data_masker.encrypt(None)
+    decrypted_data = data_masker.decrypt(encrypted_data)
+
+    # THEN the result is the original input data
+    assert decrypted_data is None
+
+
+def test_encrypt_str(data_masker):
+    # GIVEN an str data type
+
+    # WHEN encrypting and then decrypting the encrypted data
+    encrypted_data = data_masker.encrypt("this is a string")
+    decrypted_data = data_masker.decrypt(encrypted_data)
+
+    # THEN the result is the original input data
+    assert decrypted_data == "this is a string"
+
+
+def test_encrypt_list(data_masker):
+    # GIVEN an list data type
+
+    # WHEN encrypting and then decrypting the encrypted data
+    encrypted_data = data_masker.encrypt([1, 2, "a string", 3.4])
+    decrypted_data = data_masker.decrypt(encrypted_data)
+
+    # THEN the result is the original input data
+    assert decrypted_data == [1, 2, "a string", 3.4]
+
+
+def test_encrypt_dict(data_masker):
+    # GIVEN an dict data type
+    data = {
+        "a": {
+            "1": {"None": "hello", "four": "world"},
+            "b": {"3": {"4": "goodbye", "e": "world"}},
+        },
+    }
+
+    # WHEN encrypting and then decrypting the encrypted data
+    encrypted_data = data_masker.encrypt(data)
+    decrypted_data = data_masker.decrypt(encrypted_data)
+
+    # THEN the result is the original input data
+    assert decrypted_data == data
+
+
+def test_encrypt_dict_with_fields(data_masker):
+    # GIVEN the data type is a dictionary
+    data = {
+        "a": {
+            "1": {"None": "hello", "four": "world"},
+            "b": {"3": {"4": "goodbye", "e": "world"}},
+        },
+    }
+
+    # WHEN encrypting and then decrypting the encrypted data
+    encrypted_data = data_masker.encrypt(data, fields=["a.1.None", "a.b.3.4"])
+    decrypted_data = data_masker.decrypt(encrypted_data, fields=["a.1.None", "a.b.3.4"])
+
+    # THEN the result is only the specified fields are masked
+    assert decrypted_data == data
+
+
+def test_encrypt_json_dict_with_fields(data_masker):
+    # GIVEN the data type is a json representation of a dictionary
+    data = json.dumps(
+        {
+            "a": {
+                "1": {"None": "hello", "four": "world"},
+                "b": {"3": {"4": "goodbye", "e": "world"}},
+            },
+        },
+    )
+
+    # WHEN encrypting and then decrypting the encrypted data
+    encrypted_data = data_masker.encrypt(data, fields=["a.1.None", "a.b.3.4"])
+    decrypted_data = data_masker.decrypt(encrypted_data, fields=["a.1.None", "a.b.3.4"])
+
+    # THEN the result is only the specified fields are masked
+    assert decrypted_data == json.loads(data)

tests/functional/data_masking/__init__.py

@@ -0,0 +1,32 @@
+config:
+  target: https://sebwc2y7gh.execute-api.us-west-2.amazonaws.com/Prod/function128
+  phases:
+    - duration: 60
+      arrivalRate: 1
+      rampTo: 5
+      name: Warm up phase
+    - duration: 60
+      arrivalRate: 5
+      rampTo: 10
+      name: Ramp up load
+    - duration: 30
+      arrivalRate: 10
+      rampTo: 30
+      name: Spike phase
+  # Load & configure a couple of useful plugins
+  # https://docs.art/reference/extensions
+  plugins:
+    apdex: {}
+    metrics-by-endpoint: {}
+  apdex:
+    threshold: 500
+scenarios:
+  - flow:
+      - loop:
+        - get:
+            url: "https://sebwc2y7gh.execute-api.us-west-2.amazonaws.com/Prod/function128"
+        - get:
+            url: "https://sebwc2y7gh.execute-api.us-west-2.amazonaws.com/Prod/function1024"
+        - get:
+            url: "https://sebwc2y7gh.execute-api.us-west-2.amazonaws.com/Prod/function1769"
+        count: 100

tests/functional/data_masking/conftest.py

@@ -0,0 +1,243 @@
+# Created by https://www.gitignore.io/api/osx,linux,python,windows,pycharm,visualstudiocode
+
+### Linux ###
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### OSX ###
+*.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### PyCharm ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/dictionaries
+
+# Sensitive or high-churn files:
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.xml
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+
+# Gradle:
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# CMake
+cmake-build-debug/
+
+# Mongo Explorer plugin:
+.idea/**/mongoSettings.xml
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Ruby plugin and RubyMine
+/.rakeTasks
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+### PyCharm Patch ###
+# Comment Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-215987721
+
+# *.iml
+# modules.xml
+# .idea/misc.xml
+# *.ipr
+
+# Sonarlint plugin
+.idea/sonarlint
+
+### Python ###
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+.pytest_cache/
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule.*
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+.history
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+ehthumbs.db
+ehthumbs_vista.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# Build folder
+
+*/build/*
+
+# End of https://www.gitignore.io/api/osx,linux,python,windows,pycharm,visualstudiocode

tests/functional/data_masking/test_aws_encryption_sdk.py

@@ -0,0 +1,163 @@
+# pt-load-test-stack
+
+Congratulations, you have just created a Serverless "Hello World" application using the AWS Serverless Application Model (AWS SAM) for the `python3.10` runtime, and options to bootstrap it with [**Powertools for AWS Lambda (Python)**](https://awslabs.github.io/aws-lambda-powertools-python/latest/) (Powertools for AWS Lambda (Python)) utilities for Logging, Tracing and Metrics.
+
+Powertools for AWS Lambda (Python) is a developer toolkit to implement Serverless best practices and increase developer velocity.
+
+## Powertools for AWS Lambda (Python) features
+
+Powertools for AWS Lambda (Python) provides three core utilities:
+
+* **[Tracing](https://awslabs.github.io/aws-lambda-powertools-python/latest/core/tracer/)** - Decorators and utilities to trace Lambda function handlers, and both synchronous and asynchronous functions
+* **[Logging](https://awslabs.github.io/aws-lambda-powertools-python/latest/core/logger/)** - Structured logging made easier, and decorator to enrich structured logging with key Lambda context details
+* **[Metrics](https://awslabs.github.io/aws-lambda-powertools-python/latest/core/metrics/)** - Custom Metrics created asynchronously via CloudWatch Embedded Metric Format (EMF)
+
+Find the complete project's [documentation here](https://awslabs.github.io/aws-lambda-powertools-python).
+
+### Installing Powertools for AWS Lambda (Python)n
+
+With [pip](https://pip.pypa.io/en/latest/index.html) installed, run: 
+
+```bash
+pip install aws-lambda-powertools
+```
+
+### Powertools for AWS Lambda (Python) Examples
+
+* [Tutorial](https://awslabs.github.io/aws-lambda-powertools-python/latest/tutorial)
+* [Serverless Shopping cart](https://github.com/aws-samples/aws-serverless-shopping-cart)
+* [Serverless Airline](https://github.com/aws-samples/aws-serverless-airline-booking)
+* [Serverless E-commerce platform](https://github.com/aws-samples/aws-serverless-ecommerce-platform)
+* [Serverless GraphQL Nanny Booking Api](https://github.com/trey-rosius/babysitter_api)
+
+## Working with this project
+
+This project contains source code and supporting files for a serverless application that you can deploy with the SAM CLI. It includes the following files and folders.
+
+* hello_world - Code for the application's Lambda function.
+* events - Invocation events that you can use to invoke the function.
+* tests - Unit tests for the application code.
+* template.yaml - A template that defines the application's AWS resources.  
+
+The application uses several AWS resources, including Lambda functions and an API Gateway API. These resources are defined in the `template.yaml` file in this project. You can update the template to add AWS resources through the same deployment process that updates your application code.
+
+If you prefer to use an integrated development environment (IDE) to build and test your application, you can use the AWS Toolkit.  
+The AWS Toolkit is an open source plug-in for popular IDEs that uses the SAM CLI to build and deploy serverless applications on AWS. The AWS Toolkit also adds a simplified step-through debugging experience for Lambda function code. See the following links to get started.
+
+* [CLion](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)
+* [GoLand](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)
+* [IntelliJ](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)
+* [WebStorm](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)
+* [Rider](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)
+* [PhpStorm](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)
+* [PyCharm](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)
+* [RubyMine](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)
+* [DataGrip](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)
+* [VS Code](https://docs.aws.amazon.com/toolkit-for-vscode/latest/userguide/welcome.html)
+* [Visual Studio](https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/welcome.html)
+
+### Deploy the sample application
+
+The Serverless Application Model Command Line Interface (SAM CLI) is an extension of the AWS CLI that adds functionality for building and testing Lambda applications. It uses Docker to run your functions in an Amazon Linux environment that matches Lambda. It can also emulate your application's build environment and API.
+
+To use the SAM CLI, you need the following tools.
+
+* SAM CLI - [Install the SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html)
+* [Python 3 installed](https://www.python.org/downloads/)
+* Docker - [Install Docker community edition](https://hub.docker.com/search/?type=edition&offering=community)
+
+To build and deploy your application for the first time, run the following in your shell:
+
+```bash
+sam build --use-container
+sam deploy --guided
+```
+
+The first command will build the source of your application. The second command will package and deploy your application to AWS, with a series of prompts:
+
+* **Stack Name**: The name of the stack to deploy to CloudFormation. This should be unique to your account and region, and a good starting point would be something matching your project name.
+* **AWS Region**: The AWS region you want to deploy your app to.
+* **Confirm changes before deploy**: If set to yes, any change sets will be shown to you before execution for manual review. If set to no, the AWS SAM CLI will automatically deploy application changes.
+* **Allow SAM CLI IAM role creation**: Many AWS SAM templates, including this example, create AWS IAM roles required for the AWS Lambda function(s) included to access AWS services. By default, these are scoped down to minimum required permissions. To deploy an AWS CloudFormation stack which creates or modifies IAM roles, the `CAPABILITY_IAM` value for `capabilities` must be provided. If permission isn't provided through this prompt, to deploy this example you must explicitly pass `--capabilities CAPABILITY_IAM` to the `sam deploy` command.
+* **Save arguments to samconfig.toml**: If set to yes, your choices will be saved to a configuration file inside the project, so that in the future you can just re-run `sam deploy` without parameters to deploy changes to your application.
+
+You can find your API Gateway Endpoint URL in the output values displayed after deployment.
+
+### Use the SAM CLI to build and test locally
+
+Build your application with the `sam build --use-container` command.
+
+```bash
+pt-load-test-stack$ sam build --use-container
+```
+
+The SAM CLI installs dependencies defined in `hello_world/requirements.txt`, creates a deployment package, and saves it in the `.aws-sam/build` folder.
+
+Test a single function by invoking it directly with a test event. An event is a JSON document that represents the input that the function receives from the event source. Test events are included in the `events` folder in this project.
+
+Run functions locally and invoke them with the `sam local invoke` command.
+
+```bash
+pt-load-test-stack$ sam local invoke HelloWorldFunction --event events/event.json
+```
+
+The SAM CLI can also emulate your application's API. Use the `sam local start-api` to run the API locally on port 3000.
+
+```bash
+pt-load-test-stack$ sam local start-api
+pt-load-test-stack$ curl http://localhost:3000/
+```
+
+The SAM CLI reads the application template to determine the API's routes and the functions that they invoke. The `Events` property on each function's definition includes the route and method for each path.
+
+```yaml
+      Events:
+        HelloWorld:
+          Type: Api
+          Properties:
+            Path: /hello
+            Method: get
+```
+
+### Add a resource to your application
+
+The application template uses AWS Serverless Application Model (AWS SAM) to define application resources. AWS SAM is an extension of AWS CloudFormation with a simpler syntax for configuring common serverless application resources such as functions, triggers, and APIs. For resources not included in [the SAM specification](https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md), you can use standard [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) resource types.
+
+### Fetch, tail, and filter Lambda function logs
+
+To simplify troubleshooting, SAM CLI has a command called `sam logs`. `sam logs` lets you fetch logs generated by your deployed Lambda function from the command line. In addition to printing the logs on the terminal, this command has several nifty features to help you quickly find the bug.
+
+`NOTE`: This command works for all AWS Lambda functions; not just the ones you deploy using SAM.
+
+```bash
+pt-load-test-stack$ sam logs -n HelloWorldFunction --stack-name pt-load-test-stack --tail
+```
+
+You can find more information and examples about filtering Lambda function logs in the [SAM CLI Documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-logging.html).
+
+### Tests
+
+Tests are defined in the `tests` folder in this project. Use PIP to install the test dependencies and run tests.
+
+```bash
+pt-load-test-stack$ pip install -r tests/requirements.txt --user
+# unit test
+pt-load-test-stack$ python -m pytest tests/unit -v
+# integration test, requiring deploying the stack first.
+# Create the env variable AWS_SAM_STACK_NAME with the name of the stack we are testing
+pt-load-test-stack$ AWS_SAM_STACK_NAME="pt-load-test-stack" python -m pytest tests/integration -v
+```
+
+### Cleanup
+
+To delete the sample application that you created, use the AWS CLI. Assuming you used your project name for the stack name, you can run the following:
+
+```bash
+sam delete --stack-name "pt-load-test-stack"
+```
+
+## Resources
+
+See the [AWS SAM developer guide](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html) for an introduction to SAM specification, the SAM CLI, and serverless application concepts.
+
+Next, you can use AWS Serverless Application Repository to deploy ready to use Apps that go beyond hello world samples and learn how authors developed their applications: [AWS Serverless Application Repository main page](https://aws.amazon.com/serverless/serverlessrepo/)

tests/performance/data_masking/data_masking_load_test.yaml

@@ -0,0 +1,111 @@
+{
+    "body":"",
+    "headers":{
+       "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+       "Accept-Encoding":"gzip, deflate, br",
+       "Accept-Language":"pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7",
+       "Cache-Control":"max-age=0",
+       "Connection":"keep-alive",
+       "Host":"127.0.0.1:3000",
+       "Sec-Ch-Ua":"\"Google Chrome\";v=\"105\", \"Not)A;Brand\";v=\"8\", \"Chromium\";v=\"105\"",
+       "Sec-Ch-Ua-Mobile":"?0",
+       "Sec-Ch-Ua-Platform":"\"Linux\"",
+       "Sec-Fetch-Dest":"document",
+       "Sec-Fetch-Mode":"navigate",
+       "Sec-Fetch-Site":"none",
+       "Sec-Fetch-User":"?1",
+       "Upgrade-Insecure-Requests":"1",
+       "User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
+       "X-Forwarded-Port":"3000",
+       "X-Forwarded-Proto":"http"
+    },
+    "httpMethod":"GET",
+    "isBase64Encoded": false,
+    "multiValueHeaders":{
+       "Accept":[
+          "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
+       ],
+       "Accept-Encoding":[
+          "gzip, deflate, br"
+       ],
+       "Accept-Language":[
+          "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7"
+       ],
+       "Cache-Control":[
+          "max-age=0"
+       ],
+       "Connection":[
+          "keep-alive"
+       ],
+       "Host":[
+          "127.0.0.1:3000"
+       ],
+       "Sec-Ch-Ua":[
+          "\"Google Chrome\";v=\"105\", \"Not)A;Brand\";v=\"8\", \"Chromium\";v=\"105\""
+       ],
+       "Sec-Ch-Ua-Mobile":[
+          "?0"
+       ],
+       "Sec-Ch-Ua-Platform":[
+          "\"Linux\""
+       ],
+       "Sec-Fetch-Dest":[
+          "document"
+       ],
+       "Sec-Fetch-Mode":[
+          "navigate"
+       ],
+       "Sec-Fetch-Site":[
+          "none"
+       ],
+       "Sec-Fetch-User":[
+          "?1"
+       ],
+       "Upgrade-Insecure-Requests":[
+          "1"
+       ],
+       "User-Agent":[
+          "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
+       ],
+       "X-Forwarded-Port":[
+          "3000"
+       ],
+       "X-Forwarded-Proto":[
+          "http"
+       ]
+    },
+    "multiValueQueryStringParameters":"",
+    "path":"/hello",
+    "pathParameters":"",
+    "queryStringParameters":"",
+    "requestContext":{
+       "accountId":"123456789012",
+       "apiId":"1234567890",
+       "domainName":"127.0.0.1:3000",
+       "extendedRequestId":"",
+       "httpMethod":"GET",
+       "identity":{
+          "accountId":"",
+          "apiKey":"",
+          "caller":"",
+          "cognitoAuthenticationProvider":"",
+          "cognitoAuthenticationType":"",
+          "cognitoIdentityPoolId":"",
+          "sourceIp":"127.0.0.1",
+          "user":"",
+          "userAgent":"Custom User Agent String",
+          "userArn":""
+       },
+       "path":"/hello",
+       "protocol":"HTTP/1.1",
+       "requestId":"a3590457-cac2-4f10-8fc9-e47114bf7c62",
+       "requestTime":"02/Feb/2023:11:45:26 +0000",
+       "requestTimeEpoch":1675338326,
+       "resourceId":"123456",
+       "resourcePath":"/hello",
+       "stage":"Prod"
+    },
+    "resource":"/hello",
+    "stageVariables":"",
+    "version":"1.0"
+ }

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/.gitignore

@@ -0,0 +1,60 @@
+import os
+
+from aws_lambda_powertools import Logger, Tracer
+from aws_lambda_powertools.event_handler import APIGatewayRestResolver
+from aws_lambda_powertools.logging import correlation_paths
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import AwsEncryptionSdkProvider
+from aws_lambda_powertools.utilities.typing import LambdaContext
+
+KMS_KEY_ARN = os.environ["KMS_KEY_ARN"]
+
+json_blob = {
+    "id": 1,
+    "name": "John Doe",
+    "age": 30,
+    "email": "johndoe@example.com",
+    "address": {"street": "123 Main St", "city": "Anytown", "state": "CA", "zip": "12345"},
+    "phone_numbers": ["+1-555-555-1234", "+1-555-555-5678"],
+    "interests": ["Hiking", "Traveling", "Photography", "Reading"],
+    "job_history": {
+        "company": {
+            "company_name": "Acme Inc.",
+            "company_address": "5678 Interview Dr.",
+        },
+        "position": "Software Engineer",
+        "start_date": "2015-01-01",
+        "end_date": "2017-12-31",
+    },
+    "about_me": """
+    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla tincidunt velit quis
+    sapien mollis, at egestas massa tincidunt. Suspendisse ultrices arcu a dolor dapibus,
+    ut pretium turpis volutpat. Vestibulum at sapien quis sapien dignissim volutpat ut a enim.
+    Praesent fringilla sem eu dui convallis luctus. Donec ullamcorper, sapien ut convallis congue,
+    risus mauris pretium tortor, nec dignissim arcu urna a nisl. Vivamus non fermentum ex. Proin
+    interdum nisi id sagittis egestas. Nam sit amet nisi nec quam pharetra sagittis. Aliquam erat
+    volutpat. Donec nec luctus sem, nec ornare lorem. Vivamus vitae orci quis enim faucibus placerat.
+    Nulla facilisi. Proin in turpis orci. Donec imperdiet velit ac tellus gravida, eget laoreet tellus
+    malesuada. Praesent venenatis tellus ac urna blandit, at varius felis posuere. Integer a commodo nunc.
+    """,
+}
+
+app = APIGatewayRestResolver()
+tracer = Tracer()
+logger = Logger()
+
+
+@app.get("/function1024")
+@tracer.capture_method
+def function1024():
+    logger.info("Hello world function1024 - HTTP 200")
+    data_masker = DataMasking(provider=AwsEncryptionSdkProvider(keys=[KMS_KEY_ARN]))
+    encrypted = data_masker.encrypt(json_blob, fields=["address.street", "job_history.company.company_name"])
+    decrypted = data_masker.decrypt(encrypted, fields=["address.street", "job_history.company.company_name"])
+    return {"Decrypted_json_blob_function_1024": decrypted}
+
+
+@logger.inject_lambda_context(correlation_id_path=correlation_paths.API_GATEWAY_REST)
+@tracer.capture_lambda_handler
+def lambda_handler(event: dict, context: LambdaContext) -> dict:
+    return app.resolve(event, context)

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/README.md

@@ -0,0 +1,3 @@
+requests
+aws-lambda-powertools[tracer]
+aws-encryption-sdk

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/__init__.py

@@ -0,0 +1,60 @@
+import os
+
+from aws_lambda_powertools import Logger, Tracer
+from aws_lambda_powertools.event_handler import APIGatewayRestResolver
+from aws_lambda_powertools.logging import correlation_paths
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import AwsEncryptionSdkProvider
+from aws_lambda_powertools.utilities.typing import LambdaContext
+
+KMS_KEY_ARN = os.environ["KMS_KEY_ARN"]
+
+json_blob = {
+    "id": 1,
+    "name": "John Doe",
+    "age": 30,
+    "email": "johndoe@example.com",
+    "address": {"street": "123 Main St", "city": "Anytown", "state": "CA", "zip": "12345"},
+    "phone_numbers": ["+1-555-555-1234", "+1-555-555-5678"],
+    "interests": ["Hiking", "Traveling", "Photography", "Reading"],
+    "job_history": {
+        "company": {
+            "company_name": "Acme Inc.",
+            "company_address": "5678 Interview Dr.",
+        },
+        "position": "Software Engineer",
+        "start_date": "2015-01-01",
+        "end_date": "2017-12-31",
+    },
+    "about_me": """
+    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla tincidunt velit quis
+    sapien mollis, at egestas massa tincidunt. Suspendisse ultrices arcu a dolor dapibus,
+    ut pretium turpis volutpat. Vestibulum at sapien quis sapien dignissim volutpat ut a enim.
+    Praesent fringilla sem eu dui convallis luctus. Donec ullamcorper, sapien ut convallis congue,
+    risus mauris pretium tortor, nec dignissim arcu urna a nisl. Vivamus non fermentum ex. Proin
+    interdum nisi id sagittis egestas. Nam sit amet nisi nec quam pharetra sagittis. Aliquam erat
+    volutpat. Donec nec luctus sem, nec ornare lorem. Vivamus vitae orci quis enim faucibus placerat.
+    Nulla facilisi. Proin in turpis orci. Donec imperdiet velit ac tellus gravida, eget laoreet tellus
+    malesuada. Praesent venenatis tellus ac urna blandit, at varius felis posuere. Integer a commodo nunc.
+    """,
+}
+
+app = APIGatewayRestResolver()
+tracer = Tracer()
+logger = Logger()
+
+
+@app.get("/function128")
+@tracer.capture_method
+def function128():
+    logger.info("Hello world function128 - HTTP 200")
+    data_masker = DataMasking(provider=AwsEncryptionSdkProvider(keys=[KMS_KEY_ARN]))
+    encrypted = data_masker.encrypt(json_blob, fields=["address.street", "job_history.company.company_name"])
+    decrypted = data_masker.decrypt(encrypted, fields=["address.street", "job_history.company.company_name"])
+    return {"Decrypted_json_blob_function_128": decrypted}
+
+
+@logger.inject_lambda_context(correlation_id_path=correlation_paths.API_GATEWAY_REST)
+@tracer.capture_lambda_handler
+def lambda_handler(event: dict, context: LambdaContext) -> dict:
+    return app.resolve(event, context)

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/events/hello.json

@@ -0,0 +1,3 @@
+requests
+aws-lambda-powertools[tracer]
+aws-encryption-sdk

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_1024/__init__.py

@@ -0,0 +1,60 @@
+import os
+
+from aws_lambda_powertools import Logger, Tracer
+from aws_lambda_powertools.event_handler import APIGatewayRestResolver
+from aws_lambda_powertools.logging import correlation_paths
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import AwsEncryptionSdkProvider
+from aws_lambda_powertools.utilities.typing import LambdaContext
+
+KMS_KEY_ARN = os.environ["KMS_KEY_ARN"]
+
+json_blob = {
+    "id": 1,
+    "name": "John Doe",
+    "age": 30,
+    "email": "johndoe@example.com",
+    "address": {"street": "123 Main St", "city": "Anytown", "state": "CA", "zip": "12345"},
+    "phone_numbers": ["+1-555-555-1234", "+1-555-555-5678"],
+    "interests": ["Hiking", "Traveling", "Photography", "Reading"],
+    "job_history": {
+        "company": {
+            "company_name": "Acme Inc.",
+            "company_address": "5678 Interview Dr.",
+        },
+        "position": "Software Engineer",
+        "start_date": "2015-01-01",
+        "end_date": "2017-12-31",
+    },
+    "about_me": """
+    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla tincidunt velit quis
+    sapien mollis, at egestas massa tincidunt. Suspendisse ultrices arcu a dolor dapibus,
+    ut pretium turpis volutpat. Vestibulum at sapien quis sapien dignissim volutpat ut a enim.
+    Praesent fringilla sem eu dui convallis luctus. Donec ullamcorper, sapien ut convallis congue,
+    risus mauris pretium tortor, nec dignissim arcu urna a nisl. Vivamus non fermentum ex. Proin
+    interdum nisi id sagittis egestas. Nam sit amet nisi nec quam pharetra sagittis. Aliquam erat
+    volutpat. Donec nec luctus sem, nec ornare lorem. Vivamus vitae orci quis enim faucibus placerat.
+    Nulla facilisi. Proin in turpis orci. Donec imperdiet velit ac tellus gravida, eget laoreet tellus
+    malesuada. Praesent venenatis tellus ac urna blandit, at varius felis posuere. Integer a commodo nunc.
+    """,
+}
+
+app = APIGatewayRestResolver()
+tracer = Tracer()
+logger = Logger()
+
+
+@app.get("/function1769")
+@tracer.capture_method
+def function1769():
+    logger.info("Hello world function1769 - HTTP 200")
+    data_masker = DataMasking(provider=AwsEncryptionSdkProvider(keys=[KMS_KEY_ARN]))
+    encrypted = data_masker.encrypt(json_blob, fields=["address.street", "job_history.company.company_name"])
+    decrypted = data_masker.decrypt(encrypted, fields=["address.street", "job_history.company.company_name"])
+    return {"Decrypted_json_blob_function_1769": decrypted}
+
+
+@logger.inject_lambda_context(correlation_id_path=correlation_paths.API_GATEWAY_REST)
+@tracer.capture_lambda_handler
+def lambda_handler(event: dict, context: LambdaContext) -> dict:
+    return app.resolve(event, context)

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_1024/app.py

@@ -0,0 +1,3 @@
+requests
+aws-lambda-powertools[tracer]
+aws-encryption-sdk

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_1024/requirements.txt

@@ -0,0 +1,34 @@
+# More information about the configuration file can be found here:
+# https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-config.html
+version = 0.1
+
+[default]
+[default.global.parameters]
+stack_name = "pt-load-test-stack"
+
+[default.build.parameters]
+cached = true
+parallel = true
+
+[default.validate.parameters]
+lint = true
+
+[default.deploy.parameters]
+capabilities = "CAPABILITY_IAM"
+confirm_changeset = true
+resolve_s3 = true
+s3_prefix = "pt-load-test-stack"
+region = "us-west-2"
+image_repositories = []
+
+[default.package.parameters]
+resolve_s3 = true
+
+[default.sync.parameters]
+watch = true
+
+[default.local_start_api.parameters]
+warm_containers = "EAGER"
+
+[default.local_start_lambda.parameters]
+warm_containers = "EAGER"

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_128/__init__.py

@@ -0,0 +1,147 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: >
+  pt-load-test-stack
+
+  Powertools for AWS Lambda (Python) example
+
+Globals: # https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-template-anatomy-globals.html
+  Function:
+    Timeout: 5
+    Runtime: python3.10
+
+    Tracing: Active
+  Api:
+    TracingEnabled: true
+Resources:
+  MyKMSKey:
+    Type: AWS::KMS::Key
+    Properties:
+      Enabled: true
+      KeyPolicy:
+        Version: 2012-10-17
+        Statement:
+        - Effect: Allow
+          Action: kms:*
+          Resource: "*"
+          Principal:
+            AWS: !Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":root" ] ]
+  Function128:
+    Type: AWS::Serverless::Function     # More info about Function Resource: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html
+    Properties:
+      Handler: app.lambda_handler
+      CodeUri: function_128
+      Description: function 128 MB
+      MemorySize: 128
+      Architectures:
+      - x86_64
+      Policies:
+        Statement:
+        - Effect: Allow
+          Action: kms:*
+          Resource: !GetAtt MyKMSKey.Arn
+      Tracing: Active
+      Events:
+        HelloPath:
+          Type: Api           # More info about API Event Source: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-api.html
+          Properties:
+            Path: /function128
+            Method: GET
+             # Powertools for AWS Lambda (Python) env vars: https://awslabs.github.io/aws-lambda-powertools-python/#environment-variables
+      Environment:
+        Variables:
+          POWERTOOLS_SERVICE_NAME: PowertoolsHelloWorld
+          POWERTOOLS_METRICS_NAMESPACE: Powertools
+          LOG_LEVEL: INFO
+          KMS_KEY_ARN: !GetAtt MyKMSKey.Arn
+      Tags:
+        LambdaPowertools: python
+  Function1024:
+    Type: AWS::Serverless::Function     # More info about Function Resource: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html
+    Properties:
+      Handler: app.lambda_handler
+      CodeUri: function_1024
+      Description: function 1024 MB
+      MemorySize: 1024
+      Architectures:
+      - x86_64
+      Policies:
+        Statement:
+        - Effect: Allow
+          Action: kms:*
+          Resource: !GetAtt MyKMSKey.Arn
+      Tracing: Active
+      Events:
+        HelloPath:
+          Type: Api           # More info about API Event Source: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-api.html
+          Properties:
+            Path: /function1024
+            Method: GET
+             # Powertools for AWS Lambda (Python) env vars: https://awslabs.github.io/aws-lambda-powertools-python/#environment-variables
+      Environment:
+        Variables:
+          POWERTOOLS_SERVICE_NAME: PowertoolsHelloWorld
+          POWERTOOLS_METRICS_NAMESPACE: Powertools
+          LOG_LEVEL: INFO
+          KMS_KEY_ARN: !GetAtt MyKMSKey.Arn
+      Tags:
+        LambdaPowertools: python
+  Function1769:
+    Type: AWS::Serverless::Function     # More info about Function Resource: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html
+    Properties:
+      Handler: app.lambda_handler
+      CodeUri: function_1769
+      Description: function 1769 MB
+      MemorySize: 1769
+      Architectures:
+      - x86_64
+      Policies:
+        Statement:
+        - Effect: Allow
+          Action: kms:*
+          Resource: !GetAtt MyKMSKey.Arn
+      Tracing: Active
+      Events:
+        HelloPath:
+          Type: Api           # More info about API Event Source: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-api.html
+          Properties:
+            Path: /function1769
+            Method: GET
+             # Powertools for AWS Lambda (Python) env vars: https://awslabs.github.io/aws-lambda-powertools-python/#environment-variables
+      Environment:
+        Variables:
+          POWERTOOLS_SERVICE_NAME: PowertoolsHelloWorld
+          POWERTOOLS_METRICS_NAMESPACE: Powertools
+          LOG_LEVEL: INFO
+          KMS_KEY_ARN: !GetAtt MyKMSKey.Arn
+      Tags:
+        LambdaPowertools: python
+
+Outputs:
+  KMSKeyArn:
+    Description: ARN of the KMS Key
+    Value: !GetAtt MyKMSKey.Arn
+
+  128FunctionApi:
+    Description: API Gateway endpoint URL for Prod environment for Function 128 MB
+    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/function128"
+
+  1024FunctionApi:
+    Description: API Gateway endpoint URL for Prod environment for Function 1024 MB
+    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/function1024"
+
+  1769FunctionApi:
+    Description: API Gateway endpoint URL for Prod environment for Function 1769 MB
+    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/function1769"
+
+  Function128:
+    Description: Lambda Function 128 MB ARN
+    Value: !GetAtt Function128.Arn
+
+  Function1024:
+    Description: Lambda Function 1024 MB ARN
+    Value: !GetAtt Function1024.Arn
+
+  Function1769:
+    Description: Lambda Function 1769 MB ARN
+    Value: !GetAtt Function1769.Arn

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_128/app.py

@@ -0,0 +1,69 @@
+import importlib
+from types import ModuleType
+
+import pytest
+
+from aws_lambda_powertools.utilities.data_masking.base import DataMasking
+
+DATA_MASKING_PACKAGE = "aws_lambda_powertools.utilities.data_masking"
+DATA_MASKING_INIT_SLA: float = 0.002
+DATA_MASKING_NESTED_ENCRYPT_SLA: float = 0.001
+
+json_blob = {
+    "id": 1,
+    "name": "John Doe",
+    "age": 30,
+    "email": "johndoe@example.com",
+    "address": {"street": "123 Main St", "city": "Anytown", "state": "CA", "zip": "12345"},
+    "phone_numbers": ["+1-555-555-1234", "+1-555-555-5678"],
+    "interests": ["Hiking", "Traveling", "Photography", "Reading"],
+    "job_history": {
+        "company": {
+            "company_name": "Acme Inc.",
+            "company_address": "5678 Interview Dr.",
+        },
+        "position": "Software Engineer",
+        "start_date": "2015-01-01",
+        "end_date": "2017-12-31",
+    },
+    "about_me": """
+    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla tincidunt velit quis
+    sapien mollis, at egestas massa tincidunt. Suspendisse ultrices arcu a dolor dapibus,
+    ut pretium turpis volutpat. Vestibulum at sapien quis sapien dignissim volutpat ut a enim.
+    Praesent fringilla sem eu dui convallis luctus. Donec ullamcorper, sapien ut convallis congue,
+    risus mauris pretium tortor, nec dignissim arcu urna a nisl. Vivamus non fermentum ex. Proin
+    interdum nisi id sagittis egestas. Nam sit amet nisi nec quam pharetra sagittis. Aliquam erat
+    volutpat. Donec nec luctus sem, nec ornare lorem. Vivamus vitae orci quis enim faucibus placerat.
+    Nulla facilisi. Proin in turpis orci. Donec imperdiet velit ac tellus gravida, eget laoreet tellus
+    malesuada. Praesent venenatis tellus ac urna blandit, at varius felis posuere. Integer a commodo nunc.
+    """,
+}
+json_blob_fields = ["address.street", "job_history.company.company_name"]
+
+
+def import_data_masking_utility() -> ModuleType:
+    """Dynamically imports and return DataMasking module"""
+    return importlib.import_module(DATA_MASKING_PACKAGE)
+
+
+@pytest.mark.perf
+@pytest.mark.benchmark(group="core", disable_gc=True, warmup=False)
+def test_data_masking_init(benchmark):
+    benchmark.pedantic(import_data_masking_utility)
+    stat = benchmark.stats.stats.max
+    if stat > DATA_MASKING_INIT_SLA:
+        pytest.fail(f"High level imports should be below {DATA_MASKING_INIT_SLA}s: {stat}")
+
+
+def mask_json_blob():
+    data_masker = DataMasking()
+    data_masker.mask(json_blob, json_blob_fields)
+
+
+@pytest.mark.perf
+@pytest.mark.benchmark(group="core", disable_gc=True, warmup=False)
+def test_data_masking_encrypt_with_json_blob(benchmark):
+    benchmark.pedantic(mask_json_blob)
+    stat = benchmark.stats.stats.max
+    if stat > DATA_MASKING_NESTED_ENCRYPT_SLA:
+        pytest.fail(f"High level imports should be below {DATA_MASKING_NESTED_ENCRYPT_SLA}s: {stat}")

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_128/requirements.txt

@@ -0,0 +1,205 @@
+import json
+
+import pytest
+
+from aws_lambda_powertools.utilities.data_masking.base import DataMasking
+from aws_lambda_powertools.utilities.data_masking.constants import DATA_MASKING_STRING
+
+
+@pytest.fixture
+def data_masker() -> DataMasking:
+    return DataMasking()
+
+
+def test_mask_int(data_masker):
+    # GIVEN an int data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask(42)
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_float(data_masker):
+    # GIVEN a float data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask(4.2)
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_bool(data_masker):
+    # GIVEN a bool data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask(True)
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_none(data_masker):
+    # GIVEN a None data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask(None)
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_str(data_masker):
+    # GIVEN a str data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask("this is a string")
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_list(data_masker):
+    # GIVEN a list data type
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask([1, 2, "string", 3])
+
+    # THEN the result is the data masked, while maintaining type list
+    assert masked_string == [DATA_MASKING_STRING, DATA_MASKING_STRING, DATA_MASKING_STRING, DATA_MASKING_STRING]
+
+
+def test_mask_dict(data_masker):
+    # GIVEN a dict data type
+    data = {
+        "a": {
+            "1": {"None": "hello", "four": "world"},
+            "b": {"3": {"4": "goodbye", "e": "world"}},
+        },
+    }
+
+    # WHEN mask is called with no fields argument
+    masked_string = data_masker.mask(data)
+
+    # THEN the result is the data masked
+    assert masked_string == DATA_MASKING_STRING
+
+
+def test_mask_dict_with_fields(data_masker):
+    # GIVEN a dict data type
+    data = {
+        "a": {
+            "1": {"None": "hello", "four": "world"},
+            "b": {"3": {"4": "goodbye", "e": "world"}},
+        },
+    }
+
+    # WHEN mask is called with a list of fields specified
+    masked_string = data_masker.mask(data, fields=["a.1.None", "a.b.3.4"])
+
+    # THEN the result is only the specified fields are masked
+    assert masked_string == {
+        "a": {
+            "1": {"None": DATA_MASKING_STRING, "four": "world"},
+            "b": {"3": {"4": DATA_MASKING_STRING, "e": "world"}},
+        },
+    }
+
+
+def test_mask_json_dict_with_fields(data_masker):
+    # GIVEN the data type is a json representation of a dictionary
+    data = json.dumps(
+        {
+            "a": {
+                "1": {"None": "hello", "four": "world"},
+                "b": {"3": {"4": "goodbye", "e": "world"}},
+            },
+        },
+    )
+
+    # WHEN mask is called with a list of fields specified
+    masked_json_string = data_masker.mask(data, fields=["a.1.None", "a.b.3.4"])
+
+    # THEN the result is only the specified fields are masked
+    assert masked_json_string == {
+        "a": {
+            "1": {"None": DATA_MASKING_STRING, "four": "world"},
+            "b": {"3": {"4": DATA_MASKING_STRING, "e": "world"}},
+        },
+    }
+
+
+def test_encrypt_not_implemented(data_masker):
+    # GIVEN DataMasking is not initialized with a Provider
+
+    # WHEN attempting to call the encrypt method on the data
+    with pytest.raises(NotImplementedError):
+        # THEN the result is a NotImplementedError
+        data_masker.encrypt("hello world")
+
+
+def test_decrypt_not_implemented(data_masker):
+    # GIVEN DataMasking is not initialized with a Provider
+
+    # WHEN attempting to call the decrypt method on the data
+    with pytest.raises(NotImplementedError):
+        # THEN the result is a NotImplementedError
+        data_masker.decrypt("hello world")
+
+
+def test_parsing_unsupported_data_type(data_masker):
+    # GIVEN an initialization of the DataMasking class
+
+    # WHEN attempting to pass in a list of fields with input data that is not a dict
+    with pytest.raises(TypeError):
+        # THEN the result is a TypeError
+        data_masker.mask(42, ["this.field"])
+
+
+def test_parsing_nonexistent_fields(data_masker):
+    # GIVEN a dict data type
+    data = {
+        "3": {
+            "1": {"None": "hello", "four": "world"},
+            "4": {"33": {"5": "goodbye", "e": "world"}},
+        },
+    }
+
+    # WHEN attempting to pass in fields that do not exist in the input data
+    with pytest.raises(KeyError):
+        # THEN the result is a KeyError
+        data_masker.mask(data, ["3.1.True"])
+
+
+def test_parsing_nonstring_fields(data_masker):
+    # GIVEN a dict data type
+    data = {
+        "3": {
+            "1": {"None": "hello", "four": "world"},
+            "4": {"33": {"5": "goodbye", "e": "world"}},
+        },
+    }
+
+    # WHEN attempting to pass in a list of fields that are not strings
+    masked = data_masker.mask(data, fields=[3.4])
+
+    # THEN the result is the value of the nested field should be masked as normal
+    assert masked == {"3": {"1": {"None": "hello", "four": "world"}, "4": DATA_MASKING_STRING}}
+
+
+def test_parsing_nonstring_keys_and_fields(data_masker):
+    # GIVEN a dict data type with integer keys
+    data = {
+        3: {
+            "1": {"None": "hello", "four": "world"},
+            4: {"33": {"5": "goodbye", "e": "world"}},
+        },
+    }
+
+    # WHEN masked with a list of fields that are integer keys
+    masked = data_masker.mask(data, fields=[3.4])
+
+    # THEN the result is the value of the nested field should be masked
+    assert masked == {"3": {"1": {"None": "hello", "four": "world"}, "4": DATA_MASKING_STRING}}