AWS Advanced JDBC Wrapper now provides client-side encryption
Amazon Web Services has released a new client-side encryption plugin for its Advanced JDBC Wrapper that enables Java applications to encrypt sensitive database columns before data reaches the database server. The KMS Encryption plugin operates at the JDBC driver level, automatically encrypting data when applications write to designated columns and decrypting it when reading, ensuring that plaintext data remains visible only to the application while the database stores encrypted values. The plugin integrates with AWS Key Management Service and works seamlessly with existing SQL, Spring, Hibernate, and connection pool configurations without requiring application code changes.
The new capability addresses a critical security gap that exists even when databases use encryption at rest and TLS in transit. While these foundational controls protect data in storage and transmission, they still decrypt data within the database engine, leaving it vulnerable to compromised credentials, overprivileged administrators, or SQL injection attacks. The client-side encryption approach ensures compliance with regulations like PCI DSS, HIPAA, and GDPR by preventing plaintext exposure at the database level, while still allowing the database to verify data integrity through HMAC validation.
The plugin is compatible with Amazon RDS and Amazon Aurora databases running PostgreSQL and MySQL engines and is available as an open-source project under the Apache 2.0 license. This release extends the Advanced JDBC Wrapper's existing capabilities, which already include failover handling, AWS authentication integration, and enhanced monitoring for Aurora and RDS databases.
Why It Matters
This release addresses a fundamental security challenge in database protection by providing transparent encryption that operates above the database layer. It enables organizations to achieve true zero-trust data protection where sensitive information never exists in plaintext within the database, significantly reducing attack surface and compliance risk. The seamless integration without code changes removes a major barrier to adoption of client-side encryption for Java applications.
This summary is generated using AI analysis of the original press release. Always refer to the original source for complete details.