This page is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.
Encryption at rest for Amazon WorkSpaces Thin Client
Amazon WorkSpaces Thin Client provides encryption by default to protect sensitive customer data at rest using AWS owned encryption keys.
Encryption at rest by default helps reduce the operational overhead and complexity of protecting sensitive data. At the same time, it lets you build secure applications that meet strict encryption compliance and regulatory requirements.
Although you cannot disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption on top of the existing AWS owned encryption keys by choosing a customer managed key when you create a Thin Client environment.
For more information, see Customer managed keys in the AWS Key Management Service Developer Guide.
The following table summarizes how Amazon WorkSpaces Thin Client encrypts personally identifiable data.
| Data type | AWS owned key encryption | Customer managed key encryption (optional) |
|---|---|---|
| Environment name (WorkSpaces Thin Client environment name) | Enabled | Enabled |
| Device name (WorkSpaces Thin Client device name) | Enabled | Enabled |
| User activity (WorkSpaces Thin Client user activity) | Enabled | Enabled |
| Device settings (WorkSpaces Thin Client device settings) | Enabled | Enabled |
| Device creation tags (WorkSpaces Thin Client environment device creation tags) | Enabled | Enabled |
Amazon WorkSpaces Thin Client automatically enables encryption at rest using AWS owned keys to protect personally identifiable data at no charge.
However, AWS KMS charges apply when you use a customer managed key. For more information about pricing, see AWS Key Management Service pricing.
How Amazon WorkSpaces Thin Client uses AWS KMS
Amazon WorkSpaces Thin Client requires a key policy in order to use your customer managed key.
Amazon WorkSpaces Thin Client requires the key policy to allow use of your customer managed key for the following internal operations:
You can revoke the service's access to the customer managed key at any time. If you do, Amazon WorkSpaces Thin Client will be unable to access any data encrypted by the customer managed key, which affects operations that depend on that data. For example, if you attempt to get details of an environment that WorkSpaces Thin Client can no longer access, the operation returns an AccessDeniedException error. In addition, WorkSpaces Thin Client devices will be unable to use the WorkSpaces Thin Client environment.
Create a customer managed key
You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS API operations.
To create a symmetric customer managed key:
Follow the steps for creating a symmetric customer managed key in the AWS Key Management Service Developer Guide, https://docs.aws.amazon.com/kms/latest/developerguide/overview.html.
Key policy
Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see Managing access to customer managed keys in the AWS Key Management Service Developer Guide, https://docs.aws.amazon.com/kms/latest/developerguide/overview.html.
To use your customer managed key with your Amazon WorkSpaces Thin Client resources, the following API operations must be permitted in the key policy:
The following is an example policy statement that you can add for Amazon WorkSpaces Thin Client:
{
"Statement":
[
{
"Sid": "Allow access to principals authorized to use Amazon WorkSpaces Thin Client",
"Effect": "Allow",
"Principal": {"AWS": "*"},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": "thinclient.region.amazonaws.com",
"kms:CallerAccount": "111122223333"
}
}
},
{
"Sid": "Allow Amazon WorkSpaces Thin Client service to encrypt and decrypt data",
"Effect": "Allow",
"Principal": {"Service": "thinclient.amazonaws.com"},
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:SourceArn":
"arn:aws:thinclient:region:111122223333:*",
"kms:EncryptionContext:aws:thinclient:arn":
"arn:aws:thinclient:region:111122223333:*"
}
}
},
{
"Sid": "Allow access for key administrators",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::111122223333:root"},
"Action": ["kms:*"],
"Resource": "arn:aws:kms:region:111122223333:key/key_ID"
},
{
"Sid": "Allow read-only access to key metadata to the account",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::111122223333:root"},
"Action": [
"kms:Describe*",
"kms:Get*",
"kms:List*"
],
"Resource": "*"
}
]
}
For more information about specifying permissions in a policy, see the AWS Key Management Service Developer Guide, https://docs.aws.amazon.com/kms/latest/developerguide/overview.html.
For more information about troubleshooting key access, see the AWS Key Management Service Developer Guide, https://docs.aws.amazon.com/kms/latest/developerguide/overview.html.
Specifying a customer managed key for WorkSpaces Thin Client
You can specify a customer managed key as a second layer of encryption for the following resources:
When you create an environment, you can specify the data key by providing a kmsKeyArn, which Amazon WorkSpaces Thin Client uses to encrypt the identifiable personal data.
When a new WorkSpaces Thin Client device is added to a WorkSpaces Thin Client environment that is encrypted with a customer managed key, the device inherits the customer managed key settings of that environment.
An encryption context is an optional set of key-value pairs that contains additional contextual information about the data.
AWS KMS uses the encryption context as additional authenticated data to support authenticated encryption. When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt the data, you must include the same encryption context in the request.
Amazon WorkSpaces Thin Client encryption context
Amazon WorkSpaces Thin Client uses the same encryption context in all AWS KMS cryptographic operations, where the key is aws:thinclient:arn and the value is the Amazon Resource Name (ARN) of the resource.
The following is the encryption context for an environment:
"encryptionContext": {
"aws:thinclient:arn": "arn:aws:thinclient:region:111122223333:environment/environment_ID"
}
The following is the encryption context for a device:
"encryptionContext": {
"aws:thinclient:arn": "arn:aws:thinclient:region:111122223333:device/device_ID"
}
Using encryption context for monitoring
When you use a symmetric customer managed key to encrypt your WorkSpaces Thin Client environment and device data, you can also use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context also appears in the logs generated by AWS CloudTrail or Amazon CloudWatch Logs.
Using encryption context to control access to your customer managed key
You can use the encryption context in key policies and IAM policies as conditions to control access to your symmetric customer managed key.
The following is an example key policy statement that grants access to the customer managed key for a specific encryption context. The condition in this policy statement requires that kms:Decrypt calls carry an encryption context constraint matching the specified encryption context.
{
"Sid": "Enable Decrypt to access Thin Client Environment",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"StringEquals": {"kms:EncryptionContext:aws:thinclient:arn": "arn:aws:thinclient:region:111122223333:environment/environment_ID"}
}
}
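To make the effect of these conditions concrete, here is an added example (not code from the AWS documentation): a minimal evaluator for the StringEquals and StringLike operators used in the two key policy statements above. It models only those operators; the region, environment and device identifiers are constructed placeholders, and real IAM evaluation has further rules (Deny statements, grants, NotAction) that are not modelled here.

```python
import fnmatch

# Added example, not part of the AWS documentation. Only StringEquals and
# StringLike are modelled; a key absent from the request never matches.

def condition_matches(condition, request_context):
    """True if every (operator, key, value) in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported operator {operator}")
        for key, wanted in pairs.items():
            actual = request_context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual != wanted:
                return False
            if operator == "StringLike" and not fnmatch.fnmatchcase(actual, wanted):
                return False
    return True

def statement_allows(statement, action, request_context):
    """True if an Allow statement covers the action and its Condition holds."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if statement["Effect"] != "Allow" or not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    return condition_matches(statement.get("Condition", {}), request_context)

# Constructed ARNs in the shape the page documents (environment/... and device/...).
ENV_ARN = "arn:aws:thinclient:eu-west-1:111122223333:environment/env_EXAMPLE"
DEV_ARN = "arn:aws:thinclient:eu-west-1:111122223333:device/dev_EXAMPLE"

# The encryption-context-scoped Decrypt statement from this page (Principal omitted).
READONLY_DECRYPT = {
    "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*",
    "Condition": {"StringEquals": {"kms:EncryptionContext:aws:thinclient:arn": ENV_ARN}},
}
# The service statement from the key policy above: any Thin Client resource in the account.
SERVICE_STMT = {
    "Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*",
    "Condition": {"StringLike": {
        "aws:SourceArn": "arn:aws:thinclient:eu-west-1:111122223333:*",
        "kms:EncryptionContext:aws:thinclient:arn": "arn:aws:thinclient:eu-west-1:111122223333:*"}},
}

def decrypt_request(context_arn, source_arn=None):
    """Build the request context KMS would evaluate for a call with this encryption context."""
    ctx = {"kms:EncryptionContext:aws:thinclient:arn": context_arn}
    if source_arn:
        ctx["aws:SourceArn"] = source_arn
    return ctx
```

The environment-scoped statement does not cover device data, because a device's encryption context carries a device ARN; the service statement's StringLike wildcard covers both, but only for resources in the stated account and region.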
Monitoring your Amazon WorkSpaces Thin Client encryption keys
When you use an AWS KMS customer managed key with your Amazon WorkSpaces Thin Client resources, you can use AWS CloudTrail or Amazon CloudWatch Logs to track the requests that Amazon WorkSpaces Thin Client sends to AWS KMS.
The following examples are AWS CloudTrail events for DescribeKey, GenerateDataKey, and Decrypt, which you can use to monitor the KMS operations that Amazon WorkSpaces Thin Client calls to access data encrypted by your customer managed key:
In the following examples, you can see the encryptionContext of a WorkSpaces Thin Client environment. Similar CloudTrail events are also recorded for WorkSpaces Thin Client devices.
DescribeKey
Amazon WorkSpaces Thin Client uses the DescribeKey operation to verify the AWS KMS customer managed key.
The following example event records the DescribeKey operation:
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
"accountId": "111122223333",
"userName": "Admin"
},
"attributes": {
"creationDate": "2024-04-08T13:43:33Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "thinclient.amazonaws.com"
},
"eventTime": "2024-04-08T13:44:22Z",
"eventSource": "kms.amazonaws.com",
"eventName": "DescribeKey",
"awsRegion": "eu-west-1",
"sourceIPAddress": "thinclient.amazonaws.com",
"userAgent": "thinclient.amazonaws.com",
"requestParameters": {"keyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
GenerateDataKey
Amazon WorkSpaces Thin Client uses the GenerateDataKey operation to encrypt data.
The following example event records the GenerateDataKey operation:
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
"accountId": "111122223333",
"userName": "Admin"
},
"attributes": {
"creationDate": "2024-04-08T12:21:03Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "thinclient.amazonaws.com"
},
"eventTime": "2024-04-08T13:03:56Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKey",
"awsRegion": "eu-west-1",
"sourceIPAddress": "thinclient.amazonaws.com",
"userAgent": "thinclient.amazonaws.com",
"requestParameters": {
"keyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
"encryptionContext": {
"aws-crypto-public-key": "ABC123def4567890abc12345678/90dE/F123abcDEF+4567890abc123D+ef1==",
"aws:thinclient:arn": "arn:aws:thinclient:eu-west-1:111122223333:environment/abcSAMPLE"
},
"numberOfBytes": 32
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"sharedEventID": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
"vpcEndpointId": "vpce-1234abcd567SAMPLE",
"vpcEndpointAccountId": "thinclient.amazonaws.com",
"eventCategory": "Management"
}
GenerateDataKey (by service)
When Amazon WorkSpaces Thin Client saves device information, the GenerateDataKey operation is used to encrypt the data. The GenerateDataKey operation is allowed by the KMS key policy statement with the Sid "Allow Amazon WorkSpaces Thin Client service to encrypt and decrypt data".
The following example event records the GenerateDataKey operation:
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AWSService",
"invokedBy": "thinclient.amazonaws.com"
},
"eventTime": "2024-04-08T13:03:56Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKey",
"awsRegion": "eu-west-1",
"sourceIPAddress": "thinclient.amazonaws.com",
"userAgent": "thinclient.amazonaws.com",
"requestParameters": {
"keyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
"encryptionContext": {
"aws-crypto-public-key": "ABC123def4567890abc12345678/90dE/F123abcDEF+4567890abc123D+ef1==",
"aws:thinclient:arn": "arn:aws:thinclient:eu-west-1:111122223333:environment/abcSAMPLE"
},
"numberOfBytes": 32
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"sharedEventID": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
"vpcEndpointId": "vpce-1234abcd567SAMPLE",
"vpcEndpointAccountId": "thinclient.amazonaws.com",
"eventCategory": "Management"
}
Decrypt
Amazon WorkSpaces Thin Client uses the Decrypt operation to decrypt data.
The following example event records the Decrypt operation:
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
"accountId": "111122223333",
"userName": "Admin"
},
"attributes": {
"creationDate": "2024-04-08T13:43:33Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "thinclient.amazonaws.com"
},
"eventTime": "2024-04-08T13:44:25Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "eu-west-1",
"sourceIPAddress": "thinclient.amazonaws.com",
"userAgent": "thinclient.amazonaws.com",
"requestParameters": {
"keyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
"encryptionContext": {
"aws-crypto-public-key": "ABC123def4567890abc12345678/90dE/F123abcDEF+4567890abc123D+ef1==",
"aws:thinclient:arn": "arn:aws:thinclient:eu-west-1:111122223333:environment/abcSAMPLE"
},
"encryptionAlgorithm": "SYMMETRIC_DEFAULT"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"sharedEventID": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
"vpcEndpointId": "vpce-1234abcd567SAMPLE",
"vpcEndpointAccountId": "thinclient.amazonaws.com",
"eventCategory": "Management"
}
Decrypt (by service)
When a WorkSpaces Thin Client device accesses environment or device information, the Decrypt operation is used to decrypt the data. The Decrypt operation is allowed by the KMS key policy statement with the Sid "Allow Amazon WorkSpaces Thin Client service to encrypt and decrypt data".
The following example event records a Decrypt operation authorized through a Grant:
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AWSService",
"invokedBy": "thinclient.amazonaws.com"
},
"eventTime": "2024-04-08T13:44:25Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "eu-west-1",
"sourceIPAddress": "thinclient.amazonaws.com",
"userAgent": "thinclient.amazonaws.com",
"requestParameters": {
"keyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
"encryptionContext": {
"aws-crypto-public-key": "ABC123def4567890abc12345678/90dE/F123abcDEF+4567890abc123D+ef1==",
"aws:thinclient:arn": "arn:aws:thinclient:eu-west-1:111122223333:environment/abcSAMPLE"
},
"encryptionAlgorithm": "SYMMETRIC_DEFAULT"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"sharedEventID": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
"vpcEndpointId": "vpce-1234abcd567SAMPLE",
"vpcEndpointAccountId": "thinclient.amazonaws.com",
"eventCategory": "Management"
}
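As an added example (not code from the AWS documentation) tying together the monitoring use of the encryption context and the CloudTrail events above: the function below takes CloudTrail records, keeps the KMS calls made by or on behalf of thinclient.amazonaws.com, counts them by operation, caller type and the aws:thinclient:arn encryption context, and flags any context ARN outside the expected account and region. The records are constructed, shortened copies of the events on this page; the fourth one, with a foreign account ARN, is constructed to trigger the flag.

```python
import json
from collections import Counter

# Added example, not part of the AWS documentation. Constructed, trimmed
# CloudTrail records keeping only the fields this triage logic reads.
KEY = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
ENV = "arn:aws:thinclient:eu-west-1:111122223333:environment/abcSAMPLE"
SAMPLE_EVENTS = json.loads("""[
 {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
  "userIdentity": {"type": "AssumedRole", "invokedBy": "thinclient.amazonaws.com"},
  "requestParameters": {"keyId": "%(key)s"}},
 {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
  "userIdentity": {"type": "AWSService", "invokedBy": "thinclient.amazonaws.com"},
  "requestParameters": {"keyId": "%(key)s", "encryptionContext": {"aws:thinclient:arn": "%(env)s"}}},
 {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole", "invokedBy": "thinclient.amazonaws.com"},
  "requestParameters": {"keyId": "%(key)s", "encryptionContext": {"aws:thinclient:arn": "%(env)s"}}},
 {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole", "invokedBy": "thinclient.amazonaws.com"},
  "requestParameters": {"keyId": "%(key)s", "encryptionContext":
   {"aws:thinclient:arn": "arn:aws:thinclient:eu-west-1:999999999999:environment/otherSAMPLE"}}},
 {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "userIdentity": {"type": "IAMUser"}, "requestParameters": {}}
]""" % {"key": KEY, "env": ENV})

# Only encryption contexts for Thin Client resources in our own account/region are expected.
EXPECTED_CONTEXT_PREFIX = "arn:aws:thinclient:eu-west-1:111122223333:"

def thin_client_kms_events(events):
    """KMS calls that Thin Client made itself or on a principal's behalf (invokedBy)."""
    return [e for e in events
            if e.get("eventSource") == "kms.amazonaws.com"
            and e.get("userIdentity", {}).get("invokedBy") == "thinclient.amazonaws.com"]

def context_arn(event):
    """The aws:thinclient:arn value, or None for calls such as DescribeKey that carry no context."""
    return event.get("requestParameters", {}).get("encryptionContext", {}).get("aws:thinclient:arn")

def summarize(events):
    """Return (Counter keyed by (eventName, identity type, context ARN), list of flagged events)."""
    usage, unexpected = Counter(), []
    for e in thin_client_kms_events(events):
        arn = context_arn(e)
        usage[(e["eventName"], e["userIdentity"]["type"], arn)] += 1
        if arn is not None and not arn.startswith(EXPECTED_CONTEXT_PREFIX):
            unexpected.append(e)
    return usage, unexpected
```

Pointing the same logic at real CloudTrail output (for example a CloudWatch Logs export) separates service-initiated GenerateDataKey/Decrypt calls from those a role triggered, and surfaces any key use whose encryption context names a resource you do not own.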
Learn more
The following resources provide more information about data encryption at rest: