Key management for Amazon S3 data access - AWS Data Exchange User Guide

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

Key management for Amazon S3 data access

This page is specific to the Amazon S3 data access type, in which the provider shares objects encrypted with SSE-KMS. The subscriber must have a grant on the key used for access.

If your Amazon S3 bucket contains data encrypted with an AWS KMS customer managed key, you must share those AWS KMS keys with AWS Data Exchange before you can configure an Amazon S3 data access data set. For more information, see Step 2: Configure Amazon S3 data access.

Creating AWS KMS grants

When you provide AWS KMS keys as part of an Amazon S3 data access data set, AWS Data Exchange creates an AWS KMS grant for each AWS KMS key shared with the data. This grant, called the parent grant, gives AWS Data Exchange permission to create additional AWS KMS grants for subscribers. These additional grants are called child grants. Each subscriber is allowed one AWS KMS grant. The subscriber receives Decrypt permission on the AWS KMS key and can then decrypt and use the encrypted Amazon S3 objects shared with them. For more information, see Grants in AWS KMS in the AWS Key Management Service Developer Guide.

AWS Data Exchange also uses the AWS KMS parent grant to manage the lifecycle of the AWS KMS grants it creates. When a subscription ends, AWS Data Exchange retires the AWS KMS child grant that was created for the corresponding subscriber. If a revision is revoked or a data set is deleted, AWS Data Exchange retires the AWS KMS parent grant. For more information about AWS KMS operations, see the AWS KMS API Reference.

Encryption context and grant constraints

AWS Data Exchange uses grant constraints to allow the Decrypt operation only when the request includes the specified encryption context. You can use the Amazon S3 Bucket Key feature to encrypt your Amazon S3 objects and share them with AWS Data Exchange. Amazon S3 implicitly uses the bucket Amazon Resource Name (ARN) as the encryption context. The following example shows how AWS Data Exchange uses the bucket ARN as the grant constraint for every AWS KMS grant it creates.

"Constraints": {
  "EncryptionContextSubset": {
    "aws:s3:arn": "arn:aws:s3:::<Bucket ARN>"
  }
}

Monitoring your AWS KMS keys in AWS Data Exchange

When you share an AWS KMS customer managed key with AWS Data Exchange, you can use AWS CloudTrail to track the requests that AWS Data Exchange or data subscribers send to AWS KMS. The following examples show what the CloudTrail logs for CreateGrant and Decrypt calls to AWS KMS look like.

CreateGrant for parent

CreateGrant used by AWS Data Exchange to create the parent grant for itself.

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:Provider01",
    "arn": "arn:aws:sts::<your-account-id>:assumed-role/Admin/Provider01",
    "accountId": "<your-account-id>",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE",
        "arn": "arn:aws:iam::<your-account-id>:role/Admin/Provider01",
        "accountId": "<your-account-id>",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-02-16T17:29:23Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "datax.amazonaws.com"
  },
  "eventTime": "2023-02-16T17:32:47Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "datax.amazonaws.com",
  "userAgent": "datax.amazonaws.com",
  "requestParameters": {
    "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>",
    "operations": [ "CreateGrant", "Decrypt", "RetireGrant" ],
    "granteePrincipal": "dataexchange.us-east-2.amazonaws.com",
    "retiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
    "constraints": {
      "encryptionContextSubset": { "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>" }
    }
  },
  "responseElements": {
    "grantId": "<KMS Grant ID of the created Grant>",
    "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>"
  },
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": false,
  "resources": [
    { "accountId": "<Your Account Id>", "type": "AWS::KMS::Key", "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>" }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "<Your Account Id>",
  "eventCategory": "Management"
}

CreateGrant for child

CreateGrant used by AWS Data Exchange to create a child grant for a subscriber.

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AWSService",
    "invokedBy": "datax.amazonaws.com"
  },
  "eventTime": "2023-02-15T23:15:49Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "datax.amazonaws.com",
  "userAgent": "datax.amazonaws.com",
  "requestParameters": {
    "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>",
    "operations": [ "Decrypt" ],
    "granteePrincipal": "<Subscriber's account Id>",
    "retiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
    "constraints": {
      "encryptionContextSubset": { "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>" }
    }
  },
  "responseElements": {
    "grantId": "<KMS Grant ID of the created Grant>",
    "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>"
  },
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": false,
  "resources": [
    { "accountId": "<Your Account Id>", "type": "AWS::KMS::Key", "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>" }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "<Your Account Id>",
  "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventCategory": "Management"
}

Decrypt

Decrypt is called by the subscriber when they try to read the encrypted data they subscribed to.

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AWSAccount",
    "principalId": "AROAIGDTESTANDEXAMPLE:Subscriber01",
    "accountId": "<subscriber-account-id>",
    "invokedBy": "<subscriber's IAM identity>"
  },
  "eventTime": "2023-02-15T23:28:30Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "<subscriber's IP address>",
  "userAgent": "<subscriber's user agent>",
  "requestParameters": {
    "encryptionContext": { "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>" },
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
  },
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    { "accountId": "<Your Account Id>", "type": "AWS::KMS::Key", "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>" }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "602466227860",
  "sharedEventID": "bcf4d02a-31ea-4497-9c98-4c3549f20a7b",
  "eventCategory": "Management"
}
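As an added example (not code from this guide or from AWS Data Exchange itself), the following Python audits CloudTrail records like the three above against what the grant-constraint and monitoring sections say AWS Data Exchange should do: CreateGrant on the shared key invoked by datax.amazonaws.com and constrained to the shared bucket ARN, the parent grant limited to CreateGrant, Decrypt and RetireGrant, child grants limited to Decrypt, and Decrypt requests carrying the bucket ARN as encryption context. The key ARN, bucket ARN and the abbreviated sample records are constructed, including a deliberately over-broad child grant and an off-bucket Decrypt so that the checks have something to report.

```python
# Added example, not from the AWS Data Exchange guide: audit CloudTrail records for the
# AWS KMS key shared with AWS Data Exchange. KEY, BUCKET and SAMPLE_EVENTS are constructed.
DATAX = "datax.amazonaws.com"                            # invoker shown in the guide's events
PARENT_OPS = {"CreateGrant", "Decrypt", "RetireGrant"}   # parent grant (grantee: Data Exchange)
CHILD_OPS = {"Decrypt"}                                  # child grant (grantee: subscriber account)
KEY = "arn:aws:kms:us-east-2:111122223333:key/EXAMPLE-KEY-ID"   # placeholder
BUCKET = "arn:aws:s3:::example-shared-bucket"                   # placeholder

def context_satisfies(constraint_subset, encryption_context):
    """EncryptionContextSubset: every constraint pair must appear in the request context."""
    return all(encryption_context.get(k) == v for k, v in constraint_subset.items())

def audit_event(event, key_arn=KEY, bucket_arn=BUCKET):
    """Return findings for one record; empty when it matches what Data Exchange should do."""
    findings, params = [], event.get("requestParameters") or {}
    name = event.get("eventName")
    if name == "CreateGrant" and params.get("keyId") == key_arn:
        if event.get("userIdentity", {}).get("invokedBy") != DATAX:
            findings.append("CreateGrant on the shared key not made via AWS Data Exchange")
        subset = params.get("constraints", {}).get("encryptionContextSubset", {})
        if subset.get("aws:s3:arn") != bucket_arn:
            findings.append("grant constraint does not pin the shared bucket ARN")
        grantee = params.get("granteePrincipal", "")
        allowed = PARENT_OPS if grantee.startswith("dataexchange.") else CHILD_OPS
        extra = sorted(set(params.get("operations", [])) - allowed)
        if extra:
            findings.append(f"grant allows unexpected operations: {extra}")
    elif name == "Decrypt" and any(r.get("ARN") == key_arn for r in event.get("resources", [])):
        if not context_satisfies({"aws:s3:arn": bucket_arn}, params.get("encryptionContext", {})):
            findings.append("Decrypt under the shared key with an encryption context outside the bucket")
    return findings

# Constructed, abbreviated records modelled on the guide's CreateGrant/Decrypt examples.
SAMPLE_EVENTS = [
    {"eventName": "CreateGrant", "userIdentity": {"invokedBy": DATAX},       # parent grant, as expected
     "requestParameters": {"keyId": KEY, "operations": ["CreateGrant", "Decrypt", "RetireGrant"],
                           "granteePrincipal": "dataexchange.us-east-2.amazonaws.com",
                           "constraints": {"encryptionContextSubset": {"aws:s3:arn": BUCKET}}}},
    {"eventName": "CreateGrant", "userIdentity": {"invokedBy": DATAX},       # child grant, too broad
     "requestParameters": {"keyId": KEY, "operations": ["Decrypt", "GenerateDataKey"],
                           "granteePrincipal": "444455556666",
                           "constraints": {"encryptionContextSubset": {"aws:s3:arn": BUCKET}}}},
    {"eventName": "Decrypt", "userIdentity": {"type": "AWSAccount"}, "resources": [{"ARN": KEY}],
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::other-bucket"}}},
]

def audit_all(events=SAMPLE_EVENTS):
    """Map record index -> findings, keeping only records that produced a finding."""
    return {i: f for i, e in enumerate(events) if (f := audit_event(e))}
```

Run audit_all() over records exported from your CloudTrail trail; a clean set of Data Exchange grants and subscriber decrypts returns an empty dict.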