This page is a machine-translated version. If this translation differs from the English original, the English original prevails.
Data encryption
With AWS HealthImaging you can add a layer of security to your data at rest in the cloud, with scalable and efficient encryption features. These include:
- Data-at-rest encryption capabilities available in most AWS services
- Flexible key management options, including AWS Key Management Service, which let you choose whether AWS manages the encryption keys or you keep complete control over your own keys
- AWS owned AWS KMS encryption keys
- Encrypted message queues for the transmission of sensitive data, using server-side encryption (SSE) for Amazon SQS
In addition, AWS provides APIs that let you integrate encryption and data protection with any of the services you develop or deploy in an AWS environment.
Creating a customer managed key
You can create a symmetric customer managed key with the AWS Management Console or the AWS KMS APIs. For more information, see Creating symmetric encryption KMS keys in the AWS Key Management Service Developer Guide.
Key policies control access to a customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. You can specify the key policy when you create the customer managed key. For more information, see Managing access to customer managed keys in the AWS Key Management Service Developer Guide.
To use a customer managed key with your HealthImaging resources, the key policy must allow the kms:CreateGrant action. This adds a grant to the customer managed key; the grant controls access to the specified KMS key and gives HealthImaging the permissions it needs for the grant operations. For more information, see Grants in AWS KMS in the AWS Key Management Service Developer Guide.
To use a customer managed KMS key with your HealthImaging resources, the key policy must allow the following API operations:
- kms:DescribeKey: provides the customer managed key details needed to validate the key. Required for all operations.
- kms:GenerateDataKey: provides access to encrypt resources at rest for all write operations.
- kms:Decrypt: provides access to read or search operations on encrypted resources.
- kms:ReEncrypt*: provides access to re-encrypt resources.
The following is an example policy statement that allows the HealthImaging service principal to create data stores encrypted with this key and to interact with them. The encryption-context conditions tie the statement to one key ARN and one data store; replace datastoreId with the ID of your data store:
{
  "Sid": "Allow access to create data stores and perform CRUD and search in HealthImaging",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "medical-imaging.amazonaws.com"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:kms-arn": "arn:aws:kms:us-east-1:123456789012:key/bec71d48-3462-4cdd-9514-77a7226e001f",
      "kms:EncryptionContext:aws:medical-imaging:datastoreId": "datastoreId"
    }
  }
}
IAM permissions required to use a customer managed KMS key
When you create a data store with AWS KMS encryption enabled using a customer managed KMS key, permissions are required both in the key policy and in the IAM policy of the user or role that creates the HealthImaging data store.
For more information about key policies, see Enabling IAM policies in the AWS Key Management Service Developer Guide.
The IAM user, IAM role, or AWS account that creates the data store must have the kms:CreateGrant, kms:GenerateDataKey, kms:RetireGrant, kms:Decrypt, and kms:ReEncrypt* permissions, along with the permissions required by AWS HealthImaging.
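The two policy documents described above (the key policy for the HealthImaging service principal, and the IAM policy of the principal that creates the data store) are easy to get subtly wrong, for example by forgetting kms:RetireGrant or by leaving out the encryption-context condition. The following added example, which is not AWS or HealthImaging code, audits both documents offline against the action lists given in this section. The policy documents, key ARN, account ID and data store ID in it are constructed placeholders.

```python
"""Offline audit of the two policy documents a customer managed KMS key needs
for HealthImaging. Added example, not AWS or HealthImaging code.

  * Key policy: the medical-imaging.amazonaws.com service principal must be
    allowed DescribeKey, GenerateDataKey, Decrypt, ReEncrypt* and CreateGrant.
  * IAM policy of the principal that creates the data store: CreateGrant,
    GenerateDataKey, RetireGrant, Decrypt and ReEncrypt* must be allowed.
The policy documents below are constructed for this example; the key ARN,
account ID and data store ID are placeholders.
"""
import fnmatch

HEALTHIMAGING_PRINCIPAL = "medical-imaging.amazonaws.com"
DATASTORE_CONTEXT_KEY = "kms:EncryptionContext:aws:medical-imaging:datastoreId"

# ReEncrypt* is expanded to the two concrete actions behind the wildcard.
KEY_POLICY_REQUIRED = {
    "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt",
    "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:CreateGrant",
}
IAM_REQUIRED = {
    "kms:CreateGrant", "kms:GenerateDataKey", "kms:RetireGrant",
    "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
}

def _as_list(value):
    """IAM accepts a single string or a list in Statement/Action/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _addressed_to(stmt, service):
    """True if a key-policy statement's Principal names the service (or is '*')."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and service in _as_list(principal.get("Service"))

def _allow_statements(policy, service=None):
    """Allow statements, restricted to those addressed to `service` when given.
    Identity policies carry no Principal, so pass service=None for them."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
            continue  # NotAction grants are out of scope for this check
        if service is None or _addressed_to(stmt, service):
            yield stmt

def missing_actions(policy, required, service=None):
    """Required actions that no Allow statement covers. Action patterns are
    matched case-insensitively with '*' wildcards, as IAM matches them."""
    patterns = [p.lower() for s in _allow_statements(policy, service)
                for p in _as_list(s.get("Action"))]
    return sorted(a for a in required
                  if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))

def datastore_scoped(policy, service=HEALTHIMAGING_PRINCIPAL):
    """True if every statement granting the service principal access is
    conditioned on the data store encryption-context key, so the statement
    cannot be used on behalf of a different data store."""
    stmts = list(_allow_statements(policy, service))
    return bool(stmts) and all(
        DATASTORE_CONTEXT_KEY in s.get("Condition", {}).get("StringEquals", {})
        for s in stmts)

# Constructed sample documents (placeholder ARNs and IDs).
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/bec71d48-3462-4cdd-9514-77a7226e001f"
_ADMIN = {"Sid": "Key administration", "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
          "Action": "kms:*", "Resource": "*"}
_SCOPE = {"StringEquals": {"kms:EncryptionContext:kms-arn": KEY_ARN,
                           DATASTORE_CONTEXT_KEY: "datastoreId"}}

# Key policy granting HealthImaging every action the section lists.
COMPLETE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [_ADMIN, {
    "Sid": "HealthImaging access", "Effect": "Allow",
    "Principal": {"Service": [HEALTHIMAGING_PRINCIPAL]},
    "Action": ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Decrypt",
               "kms:ReEncrypt*", "kms:CreateGrant"],
    "Resource": "*", "Condition": _SCOPE}]}

# Key policy that allows only Decrypt and GenerateDataKey*, with no condition.
INCOMPLETE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [_ADMIN, {
    "Sid": "HealthImaging access", "Effect": "Allow",
    "Principal": {"Service": HEALTHIMAGING_PRINCIPAL},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}

# Identity policy of the role that creates the data store; RetireGrant is absent.
CREATOR_IAM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:CreateGrant", "kms:GenerateDataKey", "kms:Decrypt",
               "kms:ReEncrypt*"],
    "Resource": KEY_ARN}]}

if __name__ == "__main__":
    for name, pol in (("complete", COMPLETE_KEY_POLICY), ("incomplete", INCOMPLETE_KEY_POLICY)):
        print(name, "key policy missing:",
              missing_actions(pol, KEY_POLICY_REQUIRED, HEALTHIMAGING_PRINCIPAL),
              "datastore-scoped:", datastore_scoped(pol))
    print("creator IAM policy missing:", missing_actions(CREATOR_IAM_POLICY, IAM_REQUIRED))
```

The check deliberately reads only Allow statements and ignores Deny statements, NotAction, and Resource scoping, so a clean result means the required actions are present, not that the policy as a whole evaluates to allow; run a real policy through the IAM policy simulator for that.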
How HealthImaging uses grants in AWS KMS
HealthImaging requires a grant in order to use your customer managed KMS key. When you create a data store encrypted with a customer managed KMS key, HealthImaging creates a grant on your behalf by sending a CreateGrant request to AWS KMS. Grants in AWS KMS are used to give HealthImaging access to a KMS key in the customer's account.
The grants that HealthImaging creates on your behalf should not be revoked or retired. If you revoke or retire the grant that gives HealthImaging permission to use the AWS KMS key in your account, HealthImaging can no longer access the data: it cannot encrypt new image resources pushed to the data store or decrypt them when they are retrieved. When you revoke or retire a grant for HealthImaging, the change takes effect immediately. To revoke access, delete the data store instead of revoking the grant. When the data store is deleted, HealthImaging retires the grant on your behalf.
Monitoring the encryption keys for HealthImaging
You can use CloudTrail to track the requests that HealthImaging sends to AWS KMS on your behalf when it uses a customer managed KMS key. The log entries in the CloudTrail log show medical-imaging.amazonaws.com in the userAgent field, which clearly distinguishes requests made by HealthImaging.
The following examples are CloudTrail events for CreateGrant, GenerateDataKey, Decrypt, and DescribeKey, which you can use to monitor the AWS KMS operations that HealthImaging calls to access data encrypted by your customer managed key.
The following shows the grants that CreateGrant created to allow HealthImaging to access a customer-provided KMS key, so that HealthImaging can use that KMS key to encrypt all customer data at rest. Users do not need to create their own grants: HealthImaging creates the grants on your behalf by sending a CreateGrant request to AWS KMS. Grants in AWS KMS are used to give HealthImaging access to the KMS key in the customer's account.
{
  "Grants": [
    {
      "Operations": [
        "Decrypt",
        "Encrypt",
        "GenerateDataKey",
        "GenerateDataKeyWithoutPlaintext",
        "DescribeKey"
      ],
      "KeyId": "arn:aws:kms:us-west-2:824333766656:key/2fe3c119-792d-4b99-822f-b5841e1181d1",
      "Name": "0a74e6ad2aa84b74a22fcd3efac1eaa8",
      "RetiringPrincipal": "AWS Internal",
      "GranteePrincipal": "AWS Internal",
      "GrantId": "0da169eb18ffd3da8c0eebc9e74b3839573eb87e1e0dce893bb544a34e8fbaaf",
      "IssuingAccount": "AWS Internal",
      "CreationDate": 1685050229.0,
      "Constraints": {
        "EncryptionContextSubset": {
          "kms-arn": "arn:aws:kms:us-west-2:824333766656:key/2fe3c119-792d-4b99-822f-b5841e1181d1"
        }
      }
    },
    {
      "Operations": [
        "GenerateDataKey",
        "CreateGrant",
        "RetireGrant",
        "DescribeKey"
      ],
      "KeyId": "arn:aws:kms:us-west-2:824333766656:key/2fe3c119-792d-4b99-822f-b5841e1181d1",
      "Name": "2023-05-25T21:30:17",
      "RetiringPrincipal": "AWS Internal",
      "GranteePrincipal": "AWS Internal",
      "GrantId": "8229757abbb2019555ba64d200278cedac08e5a7147426536fcd1f4270040a31",
      "IssuingAccount": "AWS Internal",
      "CreationDate": 1685050217.0
    }
  ]
}
The following example shows how GenerateDataKey is used to confirm that the caller has the permissions needed to encrypt the data before it is stored.
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "EXAMPLEUSER",
    "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLEKEYID",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "EXAMPLEROLE",
        "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Sampleuser01"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2021-06-30T21:17:06Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "medical-imaging.amazonaws.com"
  },
  "eventTime": "2021-06-30T21:17:37Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "medical-imaging.amazonaws.com",
  "userAgent": "medical-imaging.amazonaws.com",
  "requestParameters": {
    "keySpec": "AES_256",
    "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
  },
  "responseElements": null,
  "requestID": "EXAMPLE_ID_01",
  "eventID": "EXAMPLE_ID_02",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
The following example shows how HealthImaging calls the Decrypt operation to use the stored encrypted data key to access the encrypted data.
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "EXAMPLEUSER",
    "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLEKEYID",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "EXAMPLEROLE",
        "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Sampleuser01"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2021-06-30T21:17:06Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "medical-imaging.amazonaws.com"
  },
  "eventTime": "2021-06-30T21:21:59Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "medical-imaging.amazonaws.com",
  "userAgent": "medical-imaging.amazonaws.com",
  "requestParameters": {
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
    "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
  },
  "responseElements": null,
  "requestID": "EXAMPLE_ID_01",
  "eventID": "EXAMPLE_ID_02",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
The following example shows how HealthImaging uses the DescribeKey operation to verify that the customer-owned AWS KMS key is in a usable state, which helps users troubleshoot when the key is not working.
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "EXAMPLEUSER",
    "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLEKEYID",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "EXAMPLEROLE",
        "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Sampleuser01"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2021-07-01T18:36:14Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "medical-imaging.amazonaws.com"
  },
  "eventTime": "2021-07-01T18:36:36Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DescribeKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "medical-imaging.amazonaws.com",
  "userAgent": "medical-imaging.amazonaws.com",
  "requestParameters": {
    "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
  },
  "responseElements": null,
  "requestID": "EXAMPLE_ID_01",
  "eventID": "EXAMPLE_ID_02",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
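The CloudTrail events above identify HealthImaging's KMS calls by the medical-imaging.amazonaws.com value in userAgent and in userIdentity.invokedBy, and the grants section above says the grants HealthImaging creates must not be retired or revoked by hand. The following added example, which is not AWS or HealthImaging code, turns those two facts into a small triage script: it summarises HealthImaging's activity on a key and flags RetireGrant or RevokeGrant calls on that key that did not come from HealthImaging. The trail records it processes are constructed for the example in the shape of the events shown above; ARNs, grant IDs, timestamps and the non-service userAgent string are placeholders.

```python
"""Triage of CloudTrail records for a customer managed KMS key used by
HealthImaging. Added example, not AWS or HealthImaging code.

It answers two questions from the trail:
  1. Which KMS operations did HealthImaging perform on the key? Its calls carry
     medical-imaging.amazonaws.com in userAgent and userIdentity.invokedBy.
  2. Did a principal other than HealthImaging retire or revoke a grant on the
     key? Such grants must not be revoked or retired by hand (delete the data
     store instead), so that is the event to alert on.
The records are constructed for this example in the shape of the CloudTrail
entries shown in the text; ARNs, IDs and timestamps are placeholders.
"""
import json
from collections import Counter

HEALTHIMAGING = "medical-imaging.amazonaws.com"
KMS = "kms.amazonaws.com"
GRANT_TEARDOWN = {"RetireGrant", "RevokeGrant"}
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"

def _rec(name, time, actor, key=KEY, via_service=True, **params):
    """One CloudTrail-shaped record; via_service marks a HealthImaging call."""
    identity = {"type": "AssumedRole", "arn": actor, "accountId": "111122223333"}
    if via_service:
        identity["invokedBy"] = HEALTHIMAGING
    return {"eventVersion": "1.08", "eventTime": time, "eventSource": KMS,
            "eventName": name, "awsRegion": "us-east-1",
            "userAgent": HEALTHIMAGING if via_service else "aws-cli/EXAMPLE",
            "userIdentity": identity,
            "requestParameters": {"keyId": key, **params} if key else params}

ROLE = "arn:aws:sts::111122223333:assumed-role/Sampleuser01"
ADMIN = "arn:aws:sts::111122223333:assumed-role/KeyAdmin/ops"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/OTHER_KEY"

# Constructed trail: normal HealthImaging traffic, HealthImaging retiring its own
# grant after a data store delete, then an operator revoking a grant by hand.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("DescribeKey", "2024-03-01T10:00:01Z", ROLE),
    _rec("GenerateDataKey", "2024-03-01T10:00:02Z", ROLE, keySpec="AES_256"),
    _rec("Decrypt", "2024-03-01T10:05:00Z", ROLE, encryptionAlgorithm="SYMMETRIC_DEFAULT"),
    _rec("Decrypt", "2024-03-01T10:06:30Z", ROLE, encryptionAlgorithm="SYMMETRIC_DEFAULT"),
    _rec("RetireGrant", "2024-03-02T08:00:00Z", ROLE, grantId="EXAMPLE_GRANT_ID"),
    _rec("RevokeGrant", "2024-03-02T09:15:00Z", ADMIN, via_service=False,
         grantId="EXAMPLE_GRANT_ID"),
    _rec("Decrypt", "2024-03-02T09:16:00Z", ADMIN, key=OTHER_KEY, via_service=False),
]})

def load_records(trail_json):
    """Parse a CloudTrail log file body ({"Records": [...]})."""
    return json.loads(trail_json)["Records"]

def is_healthimaging_call(record):
    """HealthImaging's KMS calls are identifiable by invokedBy or userAgent."""
    return (record.get("eventSource") == KMS and
            (record.get("userIdentity", {}).get("invokedBy") == HEALTHIMAGING
             or record.get("userAgent") == HEALTHIMAGING))

def key_of(record):
    return record.get("requestParameters", {}).get("keyId")

def healthimaging_activity(records, key=KEY):
    """KMS operations HealthImaging performed on `key`, counted by eventName."""
    return dict(Counter(r["eventName"] for r in records
                        if is_healthimaging_call(r) and key_of(r) == key))

def manual_grant_teardowns(records, key=KEY):
    """RetireGrant/RevokeGrant calls on `key` made by anyone but HealthImaging,
    as (eventTime, caller ARN, eventName). A RetireGrant made with only a grant
    token carries no keyId, so records without a keyId are reported as well."""
    return [(r["eventTime"], r["userIdentity"].get("arn"), r["eventName"])
            for r in records
            if r.get("eventSource") == KMS
            and r.get("eventName") in GRANT_TEARDOWN
            and key_of(r) in (key, None)
            and not is_healthimaging_call(r)]

if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print("HealthImaging activity:", healthimaging_activity(recs))
    for when, who, what in manual_grant_teardowns(recs):
        print(f"ALERT {when} {who} called {what} on a HealthImaging key")
```

On a real trail, feed `load_records` the decompressed CloudTrail log files (or an Athena/CloudWatch export in the same record shape) and alert on any non-empty result from `manual_grant_teardowns`; the page notes such a revocation takes effect immediately, so the alert should be treated as an outage signal for the affected data store, not just a configuration drift.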
Learn more
The following resources in the AWS Key Management Service Developer Guide provide more information about encryption of data at rest.