How it works...

Envelope encryption is, in essence, the practice of encrypting one key with another key; sensitive data is encrypted with a data key and then the data key is encrypted with a master key. In this recipe, the save function encrypts the data before saving it to DynamoDB, and the get function decrypts the data after retrieving it from DynamoDB and before returning the data to the caller. In the serverless.yml file, we define a KMS MasterKey and a MasterKeyAlias. The alias facilitates the rotation of the master key. The save function calls kms.generateDataKey to create a data key for the object. Each object gets its own data key and a new key is generated each time the object is saved. Again, this practice facilitates key rotation. ...
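The save/get flow described above, as an added example that is not the recipe's own code: a local `masterKeys` map and `table` map stand in for KMS and DynamoDB (assumptions, so it runs offline), and `generateDataKey` here only mimics the shape of the `kms.generateDataKey` response. It also shows why the alias and per-save data keys make rotation cheap: items written before rotation still decrypt, and new saves wrap under the new master key.

```javascript
const crypto = require('crypto');

// Local stand-in for KMS (assumption): master key material never leaves this map.
const masterKeys = new Map([['mk-1', crypto.randomBytes(32)]]);
let aliasTarget = 'mk-1'; // the alias points at the current master key

// AES-256-GCM; output layout is iv (12 bytes) | auth tag (16 bytes) | ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

function open(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Mimics kms.generateDataKey: a plaintext data key plus a copy wrapped by the master key.
function generateDataKey() {
  const Plaintext = crypto.randomBytes(32);
  const CiphertextBlob = seal(masterKeys.get(aliasTarget), Plaintext);
  return { Plaintext, CiphertextBlob, KeyId: aliasTarget };
}

const table = new Map(); // stand-in for the DynamoDB table

function save(id, data) {
  const dataKey = generateDataKey(); // fresh data key on every save
  const sealed = seal(dataKey.Plaintext, Buffer.from(JSON.stringify(data)));
  dataKey.Plaintext.fill(0); // drop the plaintext key once the item is sealed
  const item = { id, keyId: dataKey.KeyId, // real KMS tracks the key id inside the blob
    wrappedKey: dataKey.CiphertextBlob.toString('base64'),
    ciphertext: sealed.toString('base64') };
  table.set(id, item);
  return item;
}

function get(id) {
  const item = table.get(id);
  const dataKey = open(masterKeys.get(item.keyId), Buffer.from(item.wrappedKey, 'base64'));
  return JSON.parse(open(dataKey, Buffer.from(item.ciphertext, 'base64')).toString());
}

function rotateMasterKey(newId) {
  masterKeys.set(newId, crypto.randomBytes(32));
  aliasTarget = newId; // later saves wrap under the new key; old items still open
}
```

Only the wrapped data key and the ciphertext are stored, so a copy of the table is unreadable without access to the master key.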

Get JavaScript Cloud Native Development Cookbook now with the O’Reilly learning platform.
