Data encryption - AWS HealthImaging

This is a machine-translated version. If the content of this translation differs from the English original, the English original prevails.

Data encryption

With AWS HealthImaging, you can add a layer of security to your data at rest in the cloud, with scalable and efficient encryption features. These include:

  • Data-at-rest encryption capabilities available in most AWS services

  • Flexible key management options, including AWS Key Management Service, which you can use to choose whether to have AWS manage the encryption keys or to keep complete control over your own keys

  • AWS owned AWS KMS encryption keys

  • Encrypted message queues for the transmission of sensitive data using server-side encryption (SSE) for Amazon SQS

In addition, AWS provides APIs for you to integrate encryption and data protection with any of the services you develop or deploy in an AWS environment.

Creating a customer managed key

You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS APIs. For more information, see Creating symmetric encryption KMS keys in the AWS Key Management Service Developer Guide.

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify the key policy. For more information, see Managing access to customer managed keys in the AWS Key Management Service Developer Guide.

To use a customer managed key with your HealthImaging resources, the kms:CreateGrant operation must be permitted in the key policy. This adds a grant to the customer managed key that controls access to the specified KMS key, giving users access to the grant operations that HealthImaging requires. For more information, see Grants in AWS KMS in the AWS Key Management Service Developer Guide.

To use a customer managed KMS key with your HealthImaging resources, the following API operations must be permitted in the key policy:

  • kms:DescribeKey provides the customer managed key details that are needed to validate the key. This is required for all operations.

  • kms:GenerateDataKey provides access to encrypt resources at rest for all write operations.

  • kms:Decrypt provides access to read or search operations on encrypted resources.

  • kms:ReEncrypt* provides access to re-encrypt resources.

The following is an example policy statement that allows a user to create data stores in HealthImaging that are encrypted by this key, and to interact with them:

{
  "Sid": "Allow access to create data stores and perform CRUD and search in HealthImaging",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "medical-imaging.amazonaws.com"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:kms-arn": "arn:aws:kms:us-east-1:123456789012:key/bec71d48-3462-4cdd-9514-77a7226e001f",
      "kms:EncryptionContext:aws:medical-imaging:datastoreId": "datastoreId"
    }
  }
}
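An added pre-flight check, not code from the AWS documentation, that reads a key policy document and reports which of the actions listed above no Allow statement grants to the HealthImaging service principal. The embedded policy is constructed: it wraps the sample statement above and adds a second, assumed statement for kms:DescribeKey and kms:ReEncrypt*; the check only lints Allow statements and does not evaluate Deny statements or Conditions.

```python
import fnmatch
import json
SERVICE_PRINCIPAL = "medical-imaging.amazonaws.com"
# Actions the text above requires in the key policy; kms:ReEncrypt* is
# expanded to the two concrete KMS actions that wildcard covers.
REQUIRED_ACTIONS = ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt",
                    "kms:ReEncryptFrom", "kms:ReEncryptTo"]
# Constructed key policy: the sample statement above plus a second statement
# (assumed, not from the page) that covers the remaining required actions.
KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Allow access to create data stores and perform CRUD and search in HealthImaging",
     "Effect": "Allow",
     "Principal": {"Service": ["medical-imaging.amazonaws.com"]},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
     "Resource": "*",
     "Condition": {"StringEquals": {
       "kms:EncryptionContext:kms-arn": "arn:aws:kms:us-east-1:123456789012:key/bec71d48-3462-4cdd-9514-77a7226e001f",
       "kms:EncryptionContext:aws:medical-imaging:datastoreId": "datastoreId"}}},
    {"Effect": "Allow",
     "Principal": {"Service": "medical-imaging.amazonaws.com"},
     "Action": ["kms:DescribeKey", "kms:ReEncrypt*"],
     "Resource": "*"}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, wanted):
    """Key-policy principals are "*" or a {"Service"/"AWS": ...} map."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and any(wanted in _as_list(ids) for ids in principal.values())

def allowed_patterns(policy, principal):
    """Action patterns that Allow statements grant to `principal` (Deny and Conditions ignored)."""
    patterns = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and _principal_matches(st.get("Principal"), principal):
            patterns.extend(_as_list(st.get("Action", [])))
    return patterns

def missing_actions(policy, principal, required=REQUIRED_ACTIONS):
    """Required actions no Allow pattern covers; IAM action matching is case-insensitive."""
    patterns = [p.lower() for p in allowed_patterns(policy, principal)]
    return [a for a in required if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
```

Run it against the statement on its own (the first element of KEY_POLICY["Statement"]) and it reports kms:DescribeKey and the two kms:ReEncrypt* actions as uncovered, which is what the required-actions list above predicts.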

IAM permissions required to use a customer managed KMS key

When you create a data store with encryption enabled using a customer managed KMS key in AWS KMS, permissions are required both in the key policy and in the IAM policy of the user or role that creates the HealthImaging data store.

For more information about key policies, see Enabling IAM policies in the AWS Key Management Service Developer Guide.

The IAM user, IAM role, or AWS account that creates your repositories must have permissions for kms:CreateGrant, kms:GenerateDataKey, kms:RetireGrant, kms:Decrypt, and kms:ReEncrypt*, in addition to the permissions required for AWS HealthImaging.

How HealthImaging uses grants in AWS KMS

HealthImaging requires a grant in order to use your customer managed KMS key. When you create a data store encrypted with a customer managed KMS key, HealthImaging creates a grant on your behalf by sending a CreateGrant request to AWS KMS. Grants in AWS KMS are used to give HealthImaging access to a KMS key in a customer account.

The grants that HealthImaging creates on your behalf should not be revoked or retired. If you revoke or retire the grant that gives HealthImaging permission to use the AWS KMS keys in your account, HealthImaging cannot access this data, cannot encrypt new image resources pushed to the data store, and cannot decrypt them when they are retrieved. When you revoke or retire a grant for HealthImaging, the change takes effect immediately. To revoke access, delete the data store instead of revoking the grant. When a data store is deleted, HealthImaging retires the grant on your behalf.

Monitoring your encryption keys for HealthImaging

You can use CloudTrail to track the requests that HealthImaging sends to AWS KMS on your behalf when using a customer managed KMS key. The log entries in the CloudTrail log show medical-imaging.amazonaws.com in the userAgent field, to clearly distinguish requests made by HealthImaging.

The following examples are CloudTrail events for the CreateGrant, GenerateDataKey, Decrypt, and DescribeKey operations, which HealthImaging calls on AWS KMS to access data encrypted by your customer managed key.

The following shows how CreateGrant is used to allow HealthImaging to access a customer-provided KMS key, so that HealthImaging can use that KMS key to encrypt all customer data at rest.

Users do not need to create their own grants. HealthImaging creates a grant on your behalf by sending a CreateGrant request to AWS KMS. Grants in AWS KMS are used to give HealthImaging access to an AWS KMS key in a customer account.

{
  "Grants": [
    {
      "Operations": [
        "Decrypt",
        "Encrypt",
        "GenerateDataKey",
        "GenerateDataKeyWithoutPlaintext",
        "DescribeKey"
      ],
      "KeyId": "arn:aws:kms:us-west-2:824333766656:key/2fe3c119-792d-4b99-822f-b5841e1181d1",
      "Name": "0a74e6ad2aa84b74a22fcd3efac1eaa8",
      "RetiringPrincipal": "AWS Internal",
      "GranteePrincipal": "AWS Internal",
      "GrantId": "0da169eb18ffd3da8c0eebc9e74b3839573eb87e1e0dce893bb544a34e8fbaaf",
      "IssuingAccount": "AWS Internal",
      "CreationDate": 1685050229.0,
      "Constraints": {
        "EncryptionContextSubset": {
          "kms-arn": "arn:aws:kms:us-west-2:824333766656:key/2fe3c119-792d-4b99-822f-b5841e1181d1"
        }
      }
    },
    {
      "Operations": [
        "GenerateDataKey",
        "CreateGrant",
        "RetireGrant",
        "DescribeKey"
      ],
      "KeyId": "arn:aws:kms:us-west-2:824333766656:key/2fe3c119-792d-4b99-822f-b5841e1181d1",
      "Name": "2023-05-25T21:30:17",
      "RetiringPrincipal": "AWS Internal",
      "GranteePrincipal": "AWS Internal",
      "GrantId": "8229757abbb2019555ba64d200278cedac08e5a7147426536fcd1f4270040a31",
      "IssuingAccount": "AWS Internal",
      "CreationDate": 1685050217.0
    }
  ]
}

The following example shows how GenerateDataKey is used to ensure that a user has the permissions needed to encrypt data before storing it.

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "EXAMPLEUSER",
    "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLEKEYID",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "EXAMPLEROLE",
        "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Sampleuser01"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2021-06-30T21:17:06Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "medical-imaging.amazonaws.com"
  },
  "eventTime": "2021-06-30T21:17:37Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "medical-imaging.amazonaws.com",
  "userAgent": "medical-imaging.amazonaws.com",
  "requestParameters": {
    "keySpec": "AES_256",
    "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
  },
  "responseElements": null,
  "requestID": "EXAMPLE_ID_01",
  "eventID": "EXAMPLE_ID_02",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}

The following example shows how HealthImaging calls the Decrypt operation to use the stored encrypted data key to access encrypted data.

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "EXAMPLEUSER",
    "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLEKEYID",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "EXAMPLEROLE",
        "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Sampleuser01"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2021-06-30T21:17:06Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "medical-imaging.amazonaws.com"
  },
  "eventTime": "2021-06-30T21:21:59Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "medical-imaging.amazonaws.com",
  "userAgent": "medical-imaging.amazonaws.com",
  "requestParameters": {
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
    "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
  },
  "responseElements": null,
  "requestID": "EXAMPLE_ID_01",
  "eventID": "EXAMPLE_ID_02",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}

The following example shows how HealthImaging uses the DescribeKey operation to verify that the customer-owned AWS KMS key is in a usable state, to help users troubleshoot when it does not work as expected.

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "EXAMPLEUSER",
    "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLEKEYID",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "EXAMPLEROLE",
        "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Sampleuser01"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2021-07-01T18:36:14Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "medical-imaging.amazonaws.com"
  },
  "eventTime": "2021-07-01T18:36:36Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DescribeKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "medical-imaging.amazonaws.com",
  "userAgent": "medical-imaging.amazonaws.com",
  "requestParameters": {
    "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
  },
  "responseElements": null,
  "requestID": "EXAMPLE_ID_01",
  "eventID": "EXAMPLE_ID_02",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
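An added detection example, not part of the AWS documentation, that filters CloudTrail records like those above for KMS calls made by HealthImaging (userAgent or userIdentity.invokedBy set to medical-imaging.amazonaws.com) and flags a RevokeGrant or RetireGrant on one of those keys issued by any other principal, since the text above states that removing HealthImaging's grant cuts off access immediately. The records are constructed and trimmed to the fields the check reads; RevokeGrant and RetireGrant are the KMS API names assumed to appear as eventName.

```python
from collections import Counter
HEALTHIMAGING = "medical-imaging.amazonaws.com"
KMS_SOURCE = "kms.amazonaws.com"
GRANT_REMOVAL = {"RevokeGrant", "RetireGrant"}  # KMS operations that remove a grant
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/Sampleuser01"

def _record(name, key, invoked_by=None):
    """Trimmed CloudTrail record in the shape of the entries above (constructed)."""
    ident = {"type": "AssumedRole", "arn": ROLE_ARN}
    if invoked_by:
        ident["invokedBy"] = invoked_by
    return {"eventSource": KMS_SOURCE, "eventName": name, "userIdentity": ident,
            "userAgent": invoked_by or "aws-cli/2.0", "requestParameters": {"keyId": key},
            "resources": [{"type": "AWS::KMS::Key", "ARN": key}]}

# Constructed sample trail: three calls HealthImaging makes on the customer's
# behalf, then a RevokeGrant issued directly by a human role on the same key.
SAMPLE_EVENTS = [_record("GenerateDataKey", KEY_ARN, HEALTHIMAGING),
                 _record("Decrypt", KEY_ARN, HEALTHIMAGING),
                 _record("DescribeKey", KEY_ARN, HEALTHIMAGING),
                 _record("RevokeGrant", KEY_ARN)]

def from_healthimaging(event):
    """True when userAgent or userIdentity.invokedBy names HealthImaging."""
    return (event.get("userAgent") == HEALTHIMAGING
            or event.get("userIdentity", {}).get("invokedBy") == HEALTHIMAGING)

def key_arns(event):
    """Key ARNs an event touches: the resources list plus requestParameters.keyId."""
    arns = {r["ARN"] for r in event.get("resources", []) if r.get("type") == "AWS::KMS::Key"}
    return arns | {event.get("requestParameters", {}).get("keyId")} - {None}

def healthimaging_kms_usage(events):
    """Count KMS calls HealthImaging made, keyed by (eventName, key ARN)."""
    counts = Counter()
    for e in events:
        if e.get("eventSource") == KMS_SOURCE and from_healthimaging(e):
            for arn in key_arns(e):
                counts[(e["eventName"], arn)] += 1
    return counts

def grant_removal_alerts(events):
    """Grant removals on a key HealthImaging uses, issued by anyone but HealthImaging itself."""
    used_keys = {arn for _, arn in healthimaging_kms_usage(events)}
    return [(e["eventName"], e["userIdentity"].get("arn"), sorted(key_arns(e) & used_keys))
            for e in events
            if e.get("eventSource") == KMS_SOURCE and e.get("eventName") in GRANT_REMOVAL
            and not from_healthimaging(e) and key_arns(e) & used_keys]
```

HealthImaging retires its own grant when you delete a data store, which is why removals attributed to medical-imaging.amazonaws.com are excluded from the alert list.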

Learn more

The following resources in the AWS Key Management Service Developer Guide provide more information about encryption of data at rest.