Memantau kunci enkripsi - Amazon Chime SDK

Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.

Memantau kunci enkripsi

Amazon Chime SDK Voice Connectors mengirim permintaan ke AWS KMS, dan Anda dapat melacak permintaan tersebut di dalam CloudTrail atau CloudWatch log.

CreateGrant

Saat Anda menggunakan kunci yang dikelola pelanggan untuk membuat sumber daya domain profil suara, Konektor Suara terkait akan mengirimkan CreateGrant permintaan atas nama Anda untuk mengakses KMS kunci di AWS akun Anda. Hibah yang dibuat oleh Konektor Suara khusus untuk sumber daya yang terkait dengan kunci yang dikelola pelanggan. Konektor Suara juga menggunakan RetireGrant operasi untuk menghapus hibah saat Anda menghapus sumber daya.

Contoh berikut mencatat CreateGrant operasi.

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE3", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01", "accountId": "111122223333", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-04-22T17:02:00Z" } }, "invokedBy": "AWS Internal" }, "eventTime": "2021-04-22T17:07:02Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "awsRegion": "us-west-2", "sourceIPAddress": "172.12.34.56", "userAgent": "ExampleDesktop/1.0 (V1; OS)", "requestParameters": { "constraints": { "encryptionContextSubset": { "aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:111122223333:voice-profile-domain/sample-domain-id" } }, "retiringPrincipal": "chimevoiceconnector.region.amazonaws.com", "operations": [ "GenerateDataKey", "Decrypt", "DescribeKey", "RetireGrant" ], "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE", "granteePrincipal": "chimevoiceconnector.region.amazonaws.com", "retiringPrincipal": "chimevoiceconnector.region.amazonaws.com" }, "responseElements": { "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE" }, "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE", "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE", "readOnly": false, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE" } ], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111122223333" }
GenerateDataKey

Saat Anda membuat domain profil suara dan menetapkan kunci terkelola pelanggan ke domain, Konektor Suara terkait akan membuat kunci data unik untuk mengenkripsi audio pendaftaran setiap pembicara. Konektor Suara mengirimkan GenerateDataKey permintaan AWS KMS yang menentukan kunci untuk sumber daya.

Contoh berikut mencatat GenerateDataKey operasi.

{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "AWS Internal" }, "eventTime": "2021-04-22T17:07:02Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey", "awsRegion": "us-west-2", "sourceIPAddress": "172.12.34.56", "userAgent": "ExampleDesktop/1.0 (V1; OS)", "requestParameters": { "encryptionContext": { "aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:111122223333:voice-profile-domain/sample-domain-id" }, "keySpec": "AES_256", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE" }, "responseElements": null, "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE", "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE" } ], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111122223333", "sharedEventID": "57f5dbee-16da-413e-979f-2c4c6663475e" }
Decrypt

Jika profil suara di domain profil suara perlu ditingkatkan cetakan suaranya karena model pengenalan suara yang lebih baru, Konektor Suara terkait akan memanggil Decrypt operasi untuk menggunakan kunci data terenkripsi yang disimpan untuk mengakses data terenkripsi.

Contoh berikut mencatat Decrypt operasi.

{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "AWS Internal" }, "eventTime": "2021-10-12T23:59:34Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "172.12.34.56", "userAgent": "ExampleDesktop/1.0 (V1; OS)", "requestParameters": { "encryptionContext": { "keyId": "arn:aws:kms:us-west-2:111122223333:key/44444444-3333-2222-1111-EXAMPLE11111", "encryptionContext": { "aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:111122223333:voice-profile-domain/sample-domain-id" }, "encryptionAlgorithm": "SYMMETRIC_DEFAULT" }, "responseElements": null, "requestID": "ed0fe4ab-305b-4388-8adf-7e8e3a4e80fe", "eventID": "31d0d7c6-ce5b-4caf-901f-025bf71241f6", "readOnly": true, "resources": [{ "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/00000000-1111-2222-3333-9999999999999" }], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "sharedEventID": "35d58aa1-26b2-427a-908f-025bf71241f6", "eventCategory": "Management" }
DescribeKey

Konektor Suara menggunakan DescribeKey operasi untuk memverifikasi bahwa kunci yang terkait dengan domain profil suara ada di akun dan Wilayah.

Contoh berikut mencatat DescribeKey operasi.

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE3", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01", "accountId": "111122223333", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-04-22T17:02:00Z" } }, "invokedBy": "AWS Internal" }, "eventTime": "2021-04-22T17:07:02Z", "eventSource": "kms.amazonaws.com", "eventName": "DescribeKey", "awsRegion": "us-west-2", "sourceIPAddress": "172.12.34.56", "userAgent": "ExampleDesktop/1.0 (V1; OS)", "requestParameters": { "keyId": "00dd0db0-0000-0000-ac00-b0c000SAMPLE" }, "responseElements": null, "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE", "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE" } ], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111122223333" }