


# Monitoring requests for Nitro Enclaves
<a name="ct-nitro-enclave"></a>

For Nitro Enclaves attestation, the CloudTrail log entry includes the attestation document's module ID (`attestationDocumentModuleId`), image digest (`attestationDocumentEnclaveImageDigest`), and platform configuration registers (PCRs).

The module ID is the [enclave ID](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-enclaveid) of the Nitro enclave. The image digest is the SHA384 hash of the enclave image. You can use the image digest and PCR values in [key policy and IAM policy conditions](conditions-attestation.md). For details about PCRs, see [Where to get an enclave's measurements](https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html#where) in the AWS Nitro Enclaves User Guide.

This section shows an example CloudTrail log entry for each supported Nitro Enclaves request to AWS KMS.

## Decrypt (for enclaves)
<a name="ct-decrypt-enclave"></a>

The following example shows an AWS CloudTrail log entry for a [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) operation from an AWS Nitro enclave.

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2020-07-27T22:58:24Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": null,
    "additionalEventData": {
        "recipient": {
            "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
            "attestationDocumentEnclaveImageDigest": "<AttestationDocument.PCR0>",
            "attestationDocumentEnclavePCR1": "<AttestationDocument.PCR1>",
            "attestationDocumentEnclavePCR2": "<AttestationDocument.PCR2>",
            "attestationDocumentEnclavePCR3": "<AttestationDocument.PCR3>",
            "attestationDocumentEnclavePCR4": "<AttestationDocument.PCR4>",
            "attestationDocumentEnclavePCR8": "<AttestationDocument.PCR8>"
        }
    },
    "requestID": "b4a65126-30d5-4b28-98b9-9153da559963",
    "eventID": "e5a2f202-ba1a-467c-b4ba-f729d45ae521",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```
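The attestation fields above are what a detection pipeline would key on: a KMS call whose `additionalEventData.recipient` block carries an image digest that is not one of your approved enclave images is worth an alert, because the decrypted material was released to enclave code you did not vet. The following script is an added example and not part of the AWS documentation or of any AWS tool. It parses a CloudTrail `Records` array, extracts the module ID, image digest (PCR0) and the numbered PCR fields shown in the entries on this page, and flags enclave requests whose digest is not on an allow-list. The sample records and the 96-hex-character digest values are constructed placeholders standing in for real SHA384 hashes; only the field names come from the page.

```python
import json

# Constructed placeholders for SHA384 digests (96 hex chars), not real enclave measurements.
APPROVED_DIGEST = "a" * 96
ROGUE_DIGEST = "b" * 96

# Constructed CloudTrail records modelled on the field layout shown on this page.
SAMPLE_LOG = json.dumps({"Records": [
    {   # enclave Decrypt from an approved image
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "eventID": "evt-1",
        "requestParameters": {"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
        "additionalEventData": {"recipient": {
            "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
            "attestationDocumentEnclaveImageDigest": APPROVED_DIGEST,
            "attestationDocumentEnclavePCR1": "c" * 96,
        }},
    },
    {   # enclave GenerateDataKey from an image that is NOT on the allow-list
        "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey", "eventID": "evt-2",
        "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "numberOfBytes": 32},
        "additionalEventData": {"recipient": {
            "attestationDocumentModuleId": "i-123456789abcde123-enc0fedcba987654321",
            "attestationDocumentEnclaveImageDigest": ROGUE_DIGEST,
        }},
    },
    {   # ordinary (non-enclave) Decrypt: no recipient block at all
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "eventID": "evt-3",
        "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
    },
    {   # unrelated service, skipped
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "eventID": "evt-4",
    },
]})


def attestation_of(record):
    """Return the recipient attestation block, or None when the call did not come from an enclave."""
    extra = record.get("additionalEventData") or {}
    return extra.get("recipient")


def parse_module_id(module_id):
    """Split an enclave ID of the form 'i-<instance>-enc<suffix>' into (instance_id, enclave_suffix)."""
    instance_id, sep, enclave = module_id.partition("-enc")
    if not sep or not instance_id.startswith("i-") or not enclave:
        raise ValueError(f"unexpected module ID format: {module_id!r}")
    return instance_id, enclave


def pcr_values(att):
    """Map PCR index -> value. PCR0 is carried in the image digest field; PCR1.. in PCR<n> fields."""
    pcrs = {}
    digest = att.get("attestationDocumentEnclaveImageDigest")
    if digest is not None:
        pcrs[0] = digest
    prefix = "attestationDocumentEnclavePCR"
    for key, value in att.items():
        if key.startswith(prefix) and key[len(prefix):].isdigit():
            pcrs[int(key[len(prefix):])] = value
    return pcrs


def review_kms_events(log_text, approved_digests):
    """Return one finding per enclave-attested KMS call, marking unapproved image digests."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        att = attestation_of(rec)
        if att is None:
            continue  # plain KMS call, not from an enclave
        instance_id, _ = parse_module_id(att["attestationDocumentModuleId"])
        pcrs = pcr_values(att)
        status = "approved" if pcrs.get(0) in approved_digests else "UNAPPROVED"
        findings.append({
            "eventID": rec["eventID"],
            "eventName": rec["eventName"],
            "instanceId": instance_id,
            "imageDigest": pcrs.get(0),
            "pcrs": sorted(pcrs),
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for finding in review_kms_events(SAMPLE_LOG, {APPROVED_DIGEST}):
        print(finding)
```

Run against a real trail, the same `review_kms_events` call takes the contents of a CloudTrail log file (after decompression) and an allow-list built from the PCR0 values of the enclave images you actually deploy; an `UNAPPROVED` finding means a key was used by enclave code whose measurement you do not recognise, and the `instanceId` tells you which parent instance to look at.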

## GenerateDataKey (for enclaves)
<a name="ct-generate-data-key-enclave"></a>

The following example shows an AWS CloudTrail log entry for a [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) operation from an AWS Nitro enclave.

```
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2014-11-04T00:52:40Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "numberOfBytes": 32
    },
    "responseElements": null,
    "additionalEventData": {
        "recipient": {
            "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
            "attestationDocumentEnclaveImageDigest": "<AttestationDocument.PCR0>",
            "attestationDocumentEnclavePCR1": "<AttestationDocument.PCR1>",
            "attestationDocumentEnclavePCR2": "<AttestationDocument.PCR2>",
            "attestationDocumentEnclavePCR3": "<AttestationDocument.PCR3>",
            "attestationDocumentEnclavePCR4": "<AttestationDocument.PCR4>",
            "attestationDocumentEnclavePCR8": "<AttestationDocument.PCR8>"
        }
    },
    "requestID": "e0eb83e3-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "a9dea4f9-8395-46c0-942c-f509c02c2b71",
    "readOnly": true,
    "resources": [{
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

## GenerateDataKeyPair (for enclaves)
<a name="ct-generatedatakeypair-enclave"></a>

The following example shows an AWS CloudTrail log entry for a [GenerateDataKeyPair](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair.html) operation from an AWS Nitro enclave.

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2020-07-27T18:57:57Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKeyPair",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyPairSpec": "RSA_3072",
        "encryptionContext": {
            "Project": "Alpha"
        },
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": null,
    "additionalEventData": {
        "recipient": {
            "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
            "attestationDocumentEnclaveImageDigest": "<AttestationDocument.PCR0>",
            "attestationDocumentEnclavePCR1": "<AttestationDocument.PCR1>",
            "attestationDocumentEnclavePCR2": "<AttestationDocument.PCR2>",
            "attestationDocumentEnclavePCR3": "<AttestationDocument.PCR3>",
            "attestationDocumentEnclavePCR4": "<AttestationDocument.PCR4>",
            "attestationDocumentEnclavePCR8": "<AttestationDocument.PCR8>"
        }
    },
    "requestID": "52fb127b-0fe5-42bb-8e5e-f560febde6b0",
    "eventID": "9b6bd6d2-529d-4890-a949-593b13800ad7",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

## GenerateRandom (for enclaves)
<a name="ct-generate-random-enclave"></a>

The following example shows an AWS CloudTrail log entry for a [GenerateRandom](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html) operation from an AWS Nitro enclave.

```
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2014-11-04T00:52:37Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateRandom",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "recipient": {
            "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
            "attestationDocumentEnclaveImageDigest": "<AttestationDocument.PCR0>",
            "attestationDocumentEnclavePCR1": "<AttestationDocument.PCR1>",
            "attestationDocumentEnclavePCR2": "<AttestationDocument.PCR2>",
            "attestationDocumentEnclavePCR3": "<AttestationDocument.PCR3>",
            "attestationDocumentEnclavePCR4": "<AttestationDocument.PCR4>",
            "attestationDocumentEnclavePCR8": "<AttestationDocument.PCR8>"
        }
    },
    "requestID": "df1e3de6-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "239cb9f7-ae05-4c94-9221-6ea30eef0442",
    "readOnly": true,
    "resources": [],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```