Use the APIs to manage CMKs - Managed Service for Apache Flink

Amazon Managed Service for Apache Flink (Amazon MSF) was previously known as Amazon Kinesis Data Analytics for Apache Flink.

This page is a translation. Where it differs from the English original, the English original prevails.

Use the APIs to manage CMKs

This topic describes how to create and update your KMS CMKs using the Amazon MSF APIs. To follow the steps in this topic, you must have permissions to manage both KMS keys and Amazon MSF applications. The procedures in this topic use permissive key policies that are intended for demonstration and testing only. We do not recommend such permissive key policies for production workloads. In real-world production scenarios, roles, permissions, and workflows are segregated.

Create and assign a KMS key

Before you begin, create a KMS key. For information about creating a KMS key, see Creating a KMS key in the AWS Key Management Service Developer Guide.

Create a KMS key policy

To use a CMK with Amazon MSF, you must add the following two service principals to the key policy: kinesisanalytics.amazonaws.com and infrastructure.kinesisanalytics.amazonaws.com. Amazon MSF uses these service principals for validation and for accessing resources. If either service principal is missing from the key policy, Amazon MSF rejects the request.

The following KMS key policy allows Amazon MSF to use a CMK for the application MyCmkApplication. The policy grants the Operator role and the Amazon MSF service principals kinesisanalytics.amazonaws.com and infrastructure.kinesisanalytics.amazonaws.com the permissions they need to:

  • Describe the CMK

  • Encrypt application data

  • Decrypt application data

  • Create grants on the key

The following example uses an IAM role. You can use it as a template for your own KMS key policy, but be sure to do the following:

  • Replace arn:aws:iam::123456789012:role/Operator with your Operator role. The Operator role or user must exist before you create the key policy; otherwise the request fails.

  • Replace arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication with the ARN of your application.

  • Replace kinesisanalytics.us-east-1.amazonaws.com with the kms:ViaService value for your Region.

  • Replace 123456789012 with your account ID.

  • Add policy statements that allow your key administrators to manage the KMS key. A key policy that contains only the statements below leaves nobody able to manage the key.

The following key policy statements are verbose on purpose: each one is explicit about the conditions required for its action, so a reviewer can see exactly what every principal may do and under which conditions. Note what the conditions buy you: kms:ViaService restricts the Operator role to using the key through Amazon MSF rather than calling KMS directly; kms:EncryptionContext:aws:kinesisanalytics:arn binds every data-key operation to this one application; aws:SourceArn and aws:SourceAccount on the service-principal statements prevent the service from being used as a confused deputy on behalf of another application or account; and the CreateGrant conditions limit grants to Decrypt with the same encryption context.

{
  "Version": "2012-10-17",
  "Id": "MyMsfCmkApplicationKeyPolicy",
  "Statement": [
    {
      "Sid": "AllowOperatorToDescribeKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/Operator" },
      "Action": "kms:DescribeKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com" }
      }
    },
    {
      "Sid": "AllowOperatorToConfigureAppToUseKeyForApplicationState",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/Operator" },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication",
          "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowOperatorToConfigureAppToCreateGrantForRunningState",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/Operator" },
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication",
          "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com",
          "kms:GrantConstraintType": "EncryptionContextSubset"
        },
        "ForAllValues:StringEquals": { "kms:GrantOperations": "Decrypt" }
      }
    },
    {
      "Sid": "AllowMSFServiceToDescribeKey",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "kinesisanalytics.amazonaws.com",
          "infrastructure.kinesisanalytics.amazonaws.com"
        ]
      },
      "Action": "kms:DescribeKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication",
          "aws:SourceAccount": "123456789012"
        }
      }
    },
    {
      "Sid": "AllowMSFServiceToGenerateDataKeyForDurableState",
      "Effect": "Allow",
      "Principal": { "Service": "kinesisanalytics.amazonaws.com" },
      "Action": [ "kms:GenerateDataKey" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication",
          "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication",
          "aws:SourceAccount": "123456789012"
        }
      }
    },
    {
      "Sid": "AllowMSFServiceToDecryptForDurableState",
      "Effect": "Allow",
      "Principal": { "Service": "kinesisanalytics.amazonaws.com" },
      "Action": [ "kms:Decrypt" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication"
        }
      }
    },
    {
      "Sid": "AllowMSFServiceToUseKeyForRunningState",
      "Effect": "Allow",
      "Principal": { "Service": [ "infrastructure.kinesisanalytics.amazonaws.com" ] },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication"
        }
      }
    },
    {
      "Sid": "AllowMSFServiceToCreateGrantForRunningState",
      "Effect": "Allow",
      "Principal": { "Service": [ "infrastructure.kinesisanalytics.amazonaws.com" ] },
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication",
          "kms:GrantConstraintType": "EncryptionContextSubset"
        },
        "ForAllValues:StringEquals": { "kms:GrantOperations": "Decrypt" }
      }
    }
  ]
}

Application lifecycle operator (API caller) permissions

The following IAM policy gives the application lifecycle operator the permissions needed to assign the KMS key to the MyCmkApplication application. Note that the AllowMSFAPICalls statement grants every kinesisanalytics action on every resource; it belongs to the permissive demonstration setup described at the top of this topic, and a production operator policy should scope its Action and Resource down to what that operator actually needs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMSFAPICalls",
      "Effect": "Allow",
      "Action": "kinesisanalytics:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowPassingServiceExecutionRole",
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": "arn:aws:iam::123456789012:role/MyCmkApplicationRole"
    },
    {
      "Sid": "AllowDescribeKey",
      "Effect": "Allow",
      "Action": [ "kms:DescribeKey" ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringEquals": { "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com" }
      }
    },
    {
      "Sid": "AllowMyCmkApplicationKeyOperationsForDurableState",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com",
          "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication"
        }
      }
    },
    {
      "Sid": "AllowMyCmkApplicationKeyOperationsForRunningState",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com",
          "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication"
        }
      }
    },
    {
      "Sid": "AllowMyCmkApplicationCreateGrantForRunningState",
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "ForAllValues:StringEquals": { "kms:GrantOperations": "Decrypt" },
        "StringEquals": {
          "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com",
          "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication",
          "kms:GrantConstraintType": "EncryptionContextSubset"
        }
      }
    }
  ]
}

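The two policies above are long enough that hand-editing the placeholders is error-prone, and the properties that matter (both service principals present, every data-key operation bound to the application's encryption context, the Operator confined to kms:ViaService, CreateGrant limited to Decrypt grants) are easy to lose in a copy-paste. The following Python is an added example, not AWS code: it renders the key policy above from its placeholders, adds the key-administrator statement the topic tells you to supply, and lints the result; with key_policy=False the same linter runs over the operator's IAM policy. The KeyAdmin role name, the administrator action list (modelled on the console's default key-administrator statement), and the account and Region values are assumptions.

```python
"""Render the demonstration key policy from its placeholders and lint the
properties it relies on.  Added example, not AWS code.  Assumptions: the
key-administrator statement, the KeyAdmin role name, and the account/Region
values are placeholders; the other statements mirror the key policy above."""
import json

MSF_SERVICE_PRINCIPALS = ("kinesisanalytics.amazonaws.com",
                          "infrastructure.kinesisanalytics.amazonaws.com")
DATA_KEY_OPS = {"kms:Decrypt", "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext", "kms:CreateGrant"}
# Assumption: modelled on the console's default key-administrator statement.
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
                 "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]


def allow(sid, principal, action, condition=None):
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": action, "Resource": "*"}
    if condition:
        stmt["Condition"] = condition
    return stmt


def render_key_policy(account_id, region, app_name, operator_arn, admin_arn):
    """Same statements as the key policy above, plus the administrator statement."""
    app_arn = f"arn:aws:kinesisanalytics:{region}:{account_id}:application/{app_name}"
    via = {"kms:ViaService": f"kinesisanalytics.{region}.amazonaws.com"}
    ctx = {"kms:EncryptionContext:aws:kinesisanalytics:arn": app_arn}
    src = {"aws:SourceArn": app_arn, "aws:SourceAccount": account_id}
    subset = {"kms:GrantConstraintType": "EncryptionContextSubset"}
    decrypt_only = {"kms:GrantOperations": "Decrypt"}
    op = {"AWS": operator_arn}
    msf = {"Service": "kinesisanalytics.amazonaws.com"}
    infra = {"Service": ["infrastructure.kinesisanalytics.amazonaws.com"]}
    return {"Version": "2012-10-17", "Id": "MyMsfCmkApplicationKeyPolicy", "Statement": [
        allow("AllowKeyAdministrators", {"AWS": admin_arn}, ADMIN_ACTIONS),  # assumption
        allow("AllowOperatorToDescribeKey", op, "kms:DescribeKey", {"StringEquals": {**via}}),
        allow("AllowOperatorToConfigureAppToUseKeyForApplicationState", op,
              ["kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"],
              {"StringEquals": {**ctx, **via}}),
        allow("AllowOperatorToConfigureAppToCreateGrantForRunningState", op, "kms:CreateGrant",
              {"StringEquals": {**ctx, **via, **subset},
               "ForAllValues:StringEquals": {**decrypt_only}}),
        allow("AllowMSFServiceToDescribeKey", {"Service": list(MSF_SERVICE_PRINCIPALS)},
              "kms:DescribeKey", {"StringEquals": {**src}}),
        allow("AllowMSFServiceToGenerateDataKeyForDurableState", msf, ["kms:GenerateDataKey"],
              {"StringEquals": {**src, **ctx}}),
        allow("AllowMSFServiceToDecryptForDurableState", msf, ["kms:Decrypt"],
              {"StringEquals": {**ctx}}),
        allow("AllowMSFServiceToUseKeyForRunningState", infra,
              ["kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext"], {"StringEquals": {**ctx}}),
        allow("AllowMSFServiceToCreateGrantForRunningState", infra, "kms:CreateGrant",
              {"StringEquals": {**ctx, **subset}, "ForAllValues:StringEquals": {**decrypt_only}}),
    ]}


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy, app_arn, account_id, key_policy=True):
    """Return a list of findings; empty means every property the topic depends
    on is intact.  key_policy=False lints the operator's IAM policy instead
    (no Principal element, so no service-principal requirement)."""
    findings, seen_services = [], set()
    for s in policy["Statement"]:
        principal, actions = s.get("Principal", {}), set(as_list(s["Action"]))
        seen_services.update(as_list(principal.get("Service", [])))
        cond = s.get("Condition", {})
        eq = cond.get("StringEquals", {})
        # Service-principal DescribeKey must be pinned to this application (confused-deputy guard).
        if "Service" in principal and "kms:DescribeKey" in actions and (
                eq.get("aws:SourceArn") != app_arn or eq.get("aws:SourceAccount") != account_id):
            findings.append(f"{s['Sid']}: service DescribeKey not pinned with aws:SourceArn/aws:SourceAccount")
        if not actions & DATA_KEY_OPS:
            continue  # DescribeKey-only and administrative statements end here
        if eq.get("kms:EncryptionContext:aws:kinesisanalytics:arn") != app_arn:
            findings.append(f"{s['Sid']}: data-key operation not bound to the application's encryption context")
        if "Service" not in principal and "kms:ViaService" not in eq:
            findings.append(f"{s['Sid']}: caller could use the key outside Amazon MSF (no kms:ViaService)")
        grant_ops = as_list(cond.get("ForAllValues:StringEquals", {}).get("kms:GrantOperations"))
        if "kms:CreateGrant" in actions and (
                eq.get("kms:GrantConstraintType") != "EncryptionContextSubset" or grant_ops != ["Decrypt"]):
            findings.append(f"{s['Sid']}: CreateGrant not limited to Decrypt grants with EncryptionContextSubset")
    if key_policy:
        findings += [f"missing service principal {p}" for p in MSF_SERVICE_PRINCIPALS
                     if p not in seen_services]
    return findings


if __name__ == "__main__":
    policy = render_key_policy("123456789012", "us-east-1", "MyCmkApplication",
                               "arn:aws:iam::123456789012:role/Operator",
                               "arn:aws:iam::123456789012:role/KeyAdmin")
    print(json.dumps(policy, indent=2))  # paste into put-key-policy after review
    print(lint_policy(policy, "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication",
                      "123456789012"))
```

Run the linter against the policy you actually intend to apply, not only the generated one: a statement that drops the encryption-context condition or widens GrantOperations beyond Decrypt still satisfies Amazon MSF's own checks, which only require the two service principals to be present, so the linter is the only thing that catches the over-grant before the key is in use.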
Update an existing application to use a CMK

In Amazon MSF, you can apply a CMK to an existing application that currently uses AWS owned keys (AOKs).

By default, Amazon MSF uses AOKs to encrypt all of your data in both transient storage (running application storage) and durable storage (durable application storage). This means that, by default, all data covered by Flink checkpoints and snapshots is encrypted with AOKs. When you replace the AOK with a CMK, new checkpoints and snapshots are encrypted with the CMK. Historical snapshots, however, remain encrypted with the AOK.

To update an existing application to use a CMK
  1. Create a JSON file with the following configuration.

    Make sure to replace the value of CurrentApplicationVersionId with your application's current version number. You can get the current version number with DescribeApplication.

    In this JSON configuration, remember to replace the sample values with your actual values.

    {
      "ApplicationName": "MyCmkApplication",
      "CurrentApplicationVersionId": 1,
      "ApplicationConfigurationUpdate": {
        "ApplicationEncryptionConfigurationUpdate": {
          "KeyTypeUpdate": "CUSTOMER_MANAGED_KEY",
          "KeyIdUpdate": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    }
  2. Save the file, for example as enable-cmk.json.

  3. Run the AWS CLI update-application command as shown in the following example, passing the JSON configuration file you created in the previous steps as the file argument.

    aws kinesisanalyticsv2 update-application \
        --cli-input-json file://enable-cmk.json

The preceding configuration is accepted, and the application is updated to use the CMK, only if all of the following conditions are met:

  • The API caller's IAM policy has a statement that allows access to the key.

  • The key policy has a statement that allows the API caller to access the key.

  • The key policy has statements that allow the Amazon MSF service principals kinesisanalytics.amazonaws.com and infrastructure.kinesisanalytics.amazonaws.com to access the key.

Revert from a CMK to an AWS owned key

To revert from a CMK to an AOK
  1. Create a JSON file with the following configuration.

    In this JSON configuration, remember to replace the sample values with your actual values.

    {
      "ApplicationName": "MyCmkApplication",
      "CurrentApplicationVersionId": 1,
      "ApplicationConfigurationUpdate": {
        "ApplicationEncryptionConfigurationUpdate": {
          "KeyTypeUpdate": "AWS_OWNED_KEY"
        }
      }
    }
  2. Save the file, for example as disable-cmk.json.

  3. Run the AWS CLI update-application command as shown in the following example, passing the JSON configuration file you created in the previous steps as the file argument.

    aws kinesisanalyticsv2 update-application \
        --cli-input-json file://disable-cmk.json
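Both procedures above (enabling the CMK and reverting to an AWS owned key) are the same UpdateApplication call with a different ApplicationEncryptionConfigurationUpdate, and both depend on CurrentApplicationVersionId matching the live application. The following Python is an added example, not AWS code: it reads the version with DescribeApplication immediately before the update, builds the same request body the JSON files above contain, and refuses a KeyIdUpdate that is not a KMS key ARN. It assumes a boto3-style kinesisanalyticsv2 client with describe_application and update_application methods; FakeMsfClient is a constructed offline stand-in that mimics the service's rejection of a stale version number, and the application and key identifiers are the page's placeholders.

```python
"""Switch an Amazon MSF application between an AWS owned key and a CMK via
UpdateApplication.  Added example, not AWS code.  Assumption: `client` is a
boto3-style kinesisanalyticsv2 client (boto3.client("kinesisanalyticsv2"));
FakeMsfClient is a constructed stand-in so the example runs offline."""
import re

# arn:<partition>:kms:<region>:<account>:key/<key id>
KMS_KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def current_version(client, app_name):
    """UpdateApplication is rejected unless CurrentApplicationVersionId matches
    the live application, so read it immediately before updating."""
    detail = client.describe_application(ApplicationName=app_name)["ApplicationDetail"]
    return detail["ApplicationVersionId"]


def encryption_update(app_name, version, key_arn=None):
    """Build the UpdateApplication request body shown in the JSON files above.
    key_arn=None produces the revert form, which carries no KeyIdUpdate."""
    if key_arn is None:
        update = {"KeyTypeUpdate": "AWS_OWNED_KEY"}
    else:
        if not KMS_KEY_ARN.match(key_arn):
            raise ValueError(f"KeyIdUpdate must be a KMS key ARN, got {key_arn!r}")
        update = {"KeyTypeUpdate": "CUSTOMER_MANAGED_KEY", "KeyIdUpdate": key_arn}
    return {
        "ApplicationName": app_name,
        "CurrentApplicationVersionId": version,
        "ApplicationConfigurationUpdate": {
            "ApplicationEncryptionConfigurationUpdate": update,
        },
    }


def set_encryption_key(client, app_name, key_arn=None):
    """Enable a CMK (key_arn given) or revert to an AWS owned key (key_arn=None)."""
    request = encryption_update(app_name, current_version(client, app_name), key_arn)
    return client.update_application(**request)


class FakeMsfClient:
    """Constructed offline stand-in: keeps a version counter and rejects a stale
    CurrentApplicationVersionId, which the real service reports as
    ConcurrentUpdateException."""

    def __init__(self, version=1):
        self.version = version
        self.requests = []  # every accepted update body, for inspection

    def describe_application(self, ApplicationName):
        return {"ApplicationDetail": {"ApplicationName": ApplicationName,
                                      "ApplicationVersionId": self.version}}

    def update_application(self, **request):
        if request["CurrentApplicationVersionId"] != self.version:
            raise RuntimeError("ConcurrentUpdateException: stale CurrentApplicationVersionId")
        self.requests.append(request)
        self.version += 1
        return {"ApplicationDetail": {"ApplicationVersionId": self.version}}


if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    client = FakeMsfClient(version=1)  # replace with boto3.client("kinesisanalyticsv2")
    print(set_encryption_key(client, "MyCmkApplication", key))  # enable the CMK
    print(set_encryption_key(client, "MyCmkApplication"))       # revert to an AWS owned key
```

The request body that encryption_update returns is exactly what the enable-cmk.json and disable-cmk.json files above contain, so you can also dump it to a file and pass it to update-application with --cli-input-json. Against the real service the call still succeeds only under the conditions listed after the enable procedure: the caller's IAM policy and the key policy must both allow the caller, and the key policy must allow both Amazon MSF service principals.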