用于 AWS 验证访问权限的静态数据加密 - AWS 已验证的访问权限

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

用于 AWS 验证访问权限的静态数据加密

AWS 默认情况下,Verified Access 使用 AWS 拥有的 KMS 密钥对静态数据进行加密。当默认情况下对静态数据进行加密时,它有助于减少保护敏感数据所涉及的操作开销和复杂性。同时,它使您能够构建满足严格的加密合规性和监管要求的安全应用程序。以下各节详细介绍了 Verified Access 如何使用 KMS 密钥进行静态数据加密。

Verified Access 和 KMS 密钥

AWS 拥有的密钥

Verified Access 使用 KMS 密钥自动加密个人身份信息(PII)。这是默认操作,您无法自己查看、管理、使用或审核 AWS 拥有的密钥的使用情况。但是,您无需采取任何操作或更改任何程序即可保护用于加密数据的密钥。有关更多信息,请参阅 AWS Key Management Service 开发人员指南中的 AWS 自有密钥

虽然您无法禁用此加密层或选择其他加密类型,但您可以在创建 Verified Access 资源时选择客户管理的密钥,从而在现有 AWS 拥有的加密密钥上添加第二层加密。

客户托管密钥

Verified Access 支持使用您创建和管理的对称客户托管密钥,在现有默认加密的基础上添加第二层加密。由于您可以完全控制这一层加密,因此可以执行以下任务:

  • 制定和维护关键策略

  • 建立和维护 IAM 策略和授权

  • 启用和禁用密钥策略

  • 轮换加密材料

  • 添加标签

  • 创建密钥别名

  • 安排密钥删除

有关更多信息,请参阅《AWS Key Management Service 开发人员指南》中的客户托管密钥

注意

Verified Access 使用 AWS 自有密钥自动启用静态加密,从而免费保护个人身份数据。

但是,当您使用客户管理的密钥时,将 AWS KMS 收取费用。有关定价的更多信息,请参阅 AWS Key Management Service 定价

个人身份信息

下表汇总了 Verified Access 使用的个人身份信息(PII)以及加密方式。

数据类型 AWS 自有密钥加密 客户托管密钥加密(可选)
Trust provider (user-type)

用户类型的信任提供者包含 OIDC 选项,例如 AuthorizationEndpoint、、 UserInfoEndpoint ClientId ClientSecret、等,这些选项被视为 PII。

已启用 已启用
Trust provider (device-type)

设备类型的信任提供者包含 TenantId,这被视为 PII。

已启用 已启用
Group policy

在创建或修改 Verified Access 组时提供。包含授权访问请求的规则。可能包含 PII,例如用户名和电子邮件地址等。

已启用 已启用
Endpoint policy

在创建或修改 Verified Access 端点时提供。包含授权访问请求的规则。可能包含 PII,例如用户名和电子邮件地址等。

已启用 已启用

AWS 已验证访问权限如何使用授权 AWS KMS

Verified Access 需要授权才能使用客户托管密钥。

当您创建使用客户托管密钥加密的已验证访问资源时,Verified Access 会通过向发送CreateGrant请求来代表您创建授权 AWS KMS。中的授权 AWS KMS 用于授予已验证访问权限访问您账户中的客户托管密钥的权限。

Verified Access 需要授权才能将客户托管密钥用于以下内部操作:

  • 向发送解密请求 AWS KMS 以解密加密的数据密钥,以便它们可用于解密您的数据。

  • 向发送RetireGrant请求 AWS KMS 以删除授权。

您可以随时撤销授予访问权限,或删除服务对客户托管密钥的访问权限。如果这样做,Verified Access 将无法访问由客户托管密钥加密的任何数据,这会影响依赖于该数据的操作。

将客户托管密钥用于 Verified Access

您可以使用 AWS Management Console、或,创建对称的客户托管密钥。 AWS KMS APIs按照AWS Key Management Service 开发人员指南创建对称加密密钥的步骤进行操作。

密钥政策

密钥政策控制对客户托管式密钥的访问。每个客户托管式密钥必须只有一个密钥策略,其中包含确定谁可以使用密钥以及如何使用密钥的声明。创建客户托管式密钥时,可以指定密钥策略。有关更多信息,请参阅《AWS Key Management Service 开发人员指南》中的密钥政策

要将客户托管密钥与 Verified Access 资源结合使用,密钥政策中必须允许以下 API 操作:

以下是可用于 Verified Access 的示例密钥政策。

"Statement" : [ { "Sid" : "Allow access to principals authorized to use Verified Access", "Effect" : "Allow", "Principal" : { "AWS" : "*" }, "Action" : [ "kms:DescribeKey", "kms:CreateGrant", "kms:GenerateDataKey", "kms:Decrypt" ], "Resource" : "*", "Condition" : { "StringEquals" : { "kms:ViaService" : "verified-access.region.amazonaws.com", "kms:CallerAccount" : "111122223333" } }, { "Sid": "Allow access for key administrators", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action" : [ "kms:*" ], "Resource": "arn:aws:kms:region:111122223333:key/key_ID" }, { "Sid" : "Allow read-only access to key metadata to the account", "Effect" : "Allow", "Principal" : { "AWS" : "arn:aws:iam::111122223333:root" }, "Action" : [ "kms:Describe*", "kms:Get*", "kms:List*", "kms:RevokeGrant" ], "Resource" : "*" } ]

有关更多信息,请参阅《AWS Key Management Service 开发人员指南》中的创建密钥策略和密钥访问疑难解答

为 Verified Access 资源指定客户托管密钥

您可以指定客户托管密钥为以下资源提供第二层加密:

使用创建这些资源中的任何一个时 AWS Management Console,可以在其他加密--可选部分指定客户托管密钥。在此过程中,选中 “自定义加密设置(高级)” 复选框,然后输入要使用的 AWS KMS 密钥 ID。也可以在修改现有资源时或使用 AWS CLI来完成此操作。

注意

如果用于向上述任何资源添加额外加密的客户自主管理型密钥丢失,则将无法再访问这些资源的配置值。但是,可以通过使用 AWS Management Console 或 AWS CLI修改资源来应用新的客户托管密钥并重置配置值。

AWS 已验证访问权限加密上下文

加密上下文是一组可选的键值对,其中包含有关数据的其他上下文信息。 AWS KMS 使用加密上下文作为其他经过身份验证的数据来支持经过身份验证的加密。当您在加密数据的请求中包含加密上下文时,会将加密上下文 AWS KMS 绑定到加密数据。要解密数据,您必须在请求中包含相同的加密上下文。

AWS 已验证访问权限加密上下文

Verified Access 在所有 AWS KMS 加密操作中使用相同的加密上下文,其中密钥为aws:verified-access:arn,值为资源 Amazon 资源名称 (ARN)。以下是 Verified Access 资源的加密上下文。

Verified Access 信任提供商

"encryptionContext": { "aws:verified-access:arn": "arn:aws:ec2:region:111122223333:VerifiedAccessTrustProviderId" }

Verified Access 组

"encryptionContext": { "aws:verified-access:arn": "arn:aws:ec2:region:111122223333:VerifiedAccessGroupId" }

Verified Access 端点

"encryptionContext": { "aws:verified-access:arn": "arn:aws:ec2:region:111122223333:VerifiedAccessEndpointId" }

监控您的加密密钥以获得 AWS 经过验证的访问权限

当您将客户托管的 KMS 密钥与您的 AWS 已验证访问资源一起使用时,您可以使用AWS CloudTrail来跟踪已验证访问权限发送到的请求 AWS KMS。

以下示例是CreateGrant、、RetireGrantDecryptDescribeKeyGenerateDataKey、和 AWS CloudTrail 的事件,它们监控 Verified Access 调用的 KMS 操作以访问由您的客户托管 KMS 密钥加密的数据:

CreateGrant

当使用客户托管密钥加密您的资源时,Verified Access 会代表您发送 CreateGrant 请求以访问您的 AWS 账户中的密钥。Verified Access 创建的授权特定于与客户托管密钥关联的资源。

以下示例事件记录了 CreateGrant 操作:

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:iam::111122223333:role/Admin", "accountId": "111122223333", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "creationDate": "2023-09-11T16:27:12Z", "mfaAuthenticated": "false" } }, "invokedBy": "verified-access.amazonaws.com" }, "eventTime": "2023-09-11T16:41:42Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "awsRegion": "ca-central-1", "sourceIPAddress": "verified-access.amazonaws.com", "userAgent": "verified-access.amazonaws.com", "requestParameters": { "operations": [ "Decrypt", "RetireGrant", "GenerateDataKey" ], "keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae", "constraints": { "encryptionContextSubset": { "aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-0e54f581e2e5c97a2" } }, "granteePrincipal": "verified-access.ca-central-1.amazonaws.com", "retiringPrincipal": "verified-access.ca-central-1.amazonaws.com" }, "responseElements": { "grantId": "e5a050fff9893ba1c43f83fddf61e5f9988f579beaadd6d4ad6d1df07df6048f", "keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae" }, "requestID": "0faa837e-5c69-4189-9736-3957278e6444", "eventID": "1b6dd8b8-cbee-4a83-9b9d-d95fa5f6fd08", "readOnly": false, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
RetireGrant

当您删除资源时,Verified Access 使用 RetireGrant 操作来移除授权。

以下示例事件记录了 RetireGrant 操作:

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:iam::111122223333:role/Admin", "accountId": "111122223333", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "creationDate": "2023-09-11T16:42:33Z", "mfaAuthenticated": "false" } }, "invokedBy": "verified-access.amazonaws.com" }, "eventTime": "2023-09-11T16:47:53Z", "eventSource": "kms.amazonaws.com", "eventName": "RetireGrant", "awsRegion": "ca-central-1", "sourceIPAddress": "verified-access.amazonaws.com", "userAgent": "verified-access.amazonaws.com", "requestParameters": null, "responseElements": { "keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae" }, "additionalEventData": { "grantId": "b35e66f9bacb266cec214fcaa353c9cf750785e28773e61ba6f434d8c5c7632f" }, "requestID": "7d4a31c2-d426-434b-8f86-336532a70462", "eventID": "17edc343-f25b-43d4-bbff-150d8fff4cf8", "readOnly": false, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
Decrypt

Verified Access 调用 Decrypt 操作以使用存储的加密数据密钥来访问加密数据。

以下示例事件记录了 Decrypt 操作:

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:iam::111122223333:role/Admin", "accountId": "111122223333", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "creationDate": "2023-09-11T17:19:33Z", "mfaAuthenticated": "false" } }, "invokedBy": "verified-access.amazonaws.com" }, "eventTime": "2023-09-11T17:47:05Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "ca-central-1", "sourceIPAddress": "verified-access.amazonaws.com", "userAgent": "verified-access.amazonaws.com", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e", "encryptionContext": { "aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-00f20a4e455e9340f", "aws-crypto-public-key": "AkK+vi1W/acBKv7OR8p2DeUrA8EgpTffSrjBqNucODuBYhyZ3hlMuYYJz9x7CwQWZw==" } }, "responseElements": null, "requestID": "2e920fd3-f2f6-41b2-a5e7-2c2cb6f853a9", "eventID": "3329e0a3-bcfb-44cf-9813-8106d6eee31d", "readOnly": true, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
DescribeKey

Verified Access 使用 DescribeKey 操作来验证与您的资源关联的客户托管密钥是否存在于账户和区域中。

以下示例事件记录了 DescribeKey 操作:

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:iam::111122223333:role/Admin", "accountId": "111122223333", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "creationDate": "2023-09-11T17:19:33Z", "mfaAuthenticated": "false" } }, "invokedBy": "verified-access.amazonaws.com" }, "eventTime": "2023-09-11T17:46:48Z", "eventSource": "kms.amazonaws.com", "eventName": "DescribeKey", "awsRegion": "ca-central-1", "sourceIPAddress": "verified-access.amazonaws.com", "userAgent": "verified-access.amazonaws.com", "requestParameters": { "keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e" }, "responseElements": null, "requestID": "5b127082-6691-48fa-bfb0-4d40e1503636", "eventID": "ffcfc2bb-f94b-4c00-b6fb-feac77daff2a", "readOnly": true, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
GenerateDataKey

以下示例事件记录 GenerateDataKey 操作:

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:iam::111122223333:role/Admin", "accountId": "111122223333", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "creationDate": "2023-09-11T17:19:33Z", "mfaAuthenticated": "false" } }, "invokedBy": "verified-access.amazonaws.com" }, "eventTime": "2023-09-11T17:46:49Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey", "awsRegion": "ca-central-1", "sourceIPAddress": "verified-access.amazonaws.com", "userAgent": "verified-access.amazonaws.com", "requestParameters": { "encryptionContext": { "aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-00f20a4e455e9340f", "aws-crypto-public-key": "A/ATGxaYatPUlOtM+l/mfDndkzHUmX5Hav+29IlIm+JRBKFuXf24ulztmOIsqFQliw==" }, "numberOfBytes": 32, "keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e" }, "responseElements": null, "requestID": "06535808-7cce-4ae1-ab40-e3afbf158a43", "eventID": "1ce79601-5a5e-412c-90b3-978925036526", "readOnly": true, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }