Key management for Amazon S3 data access - AWS Data Exchange User Guide

This is a machine-translated version of the English original. Where the two differ or the translation is ambiguous, the English version prevails.

Key management for Amazon S3 data access

This page is specific to the Amazon S3 data access type, in which providers share objects encrypted with SSE-KMS. Subscribers must hold a grant on the key used for access.

If your Amazon S3 bucket contains data encrypted with AWS KMS customer managed keys, you must share those AWS KMS keys with AWS Data Exchange before you can set up an Amazon S3 data access data set. For more information, see Step 2: Set up Amazon S3 data access.

Creating AWS KMS grants

When you provide AWS KMS keys as part of an Amazon S3 data access data set, AWS Data Exchange creates an AWS KMS grant on each AWS KMS key shared with the data set. This grant, called the parent grant, gives AWS Data Exchange permission to create additional AWS KMS grants for subscribers. These additional grants are called child grants. Each subscriber is allowed one AWS KMS grant. A subscriber's grant permits the Decrypt operation on the AWS KMS key, so the subscriber can decrypt and use the encrypted Amazon S3 objects shared with them. For more information, see Grants in AWS KMS in the AWS Key Management Service Developer Guide.

AWS Data Exchange also uses the AWS KMS parent grant to manage the lifecycle of the AWS KMS grants it creates. When a subscription ends, AWS Data Exchange retires the AWS KMS child grant created for that subscriber. If a revision is revoked or the data set is deleted, AWS Data Exchange retires the AWS KMS parent grant. For more information about AWS KMS actions, see the AWS KMS API Reference.

Encryption context and grant constraints

AWS Data Exchange uses grant constraints so that the Decrypt operation is allowed only when the request includes the specified encryption context. You can use the Amazon S3 Bucket Keys feature to encrypt your Amazon S3 objects and share them with AWS Data Exchange. Amazon S3 implicitly uses the bucket Amazon Resource Name (ARN) as the encryption context. The following example shows that AWS Data Exchange uses the bucket ARN as the grant constraint on every AWS KMS grant it creates.

"Constraints": {
    "EncryptionContextSubset": {
        "aws:s3:arn": "arn:aws:s3:::<Bucket ARN>"
    }
}

Monitoring your AWS KMS keys with AWS Data Exchange

When you share an AWS KMS customer managed key with AWS Data Exchange, you can use AWS CloudTrail to track the requests that AWS Data Exchange or data subscribers send to AWS KMS. The following examples show what CloudTrail records look like for CreateGrant and Decrypt calls to AWS KMS.

CreateGrant for parent

CreateGrant for the parent grant that AWS Data Exchange creates for itself.

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:Provider01",
        "arn": "arn:aws:sts::<your-account-id>:assumed-role/Admin/Provider01",
        "accountId": "<your-account-id>",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::<your-account-id>:role/Admin/Provider01",
                "accountId": "<your-account-id>",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-02-16T17:29:23Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datax.amazonaws.com"
    },
    "eventTime": "2023-02-16T17:32:47Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datax.amazonaws.com",
    "userAgent": "datax.amazonaws.com",
    "requestParameters": {
        "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>",
        "operations": [
            "CreateGrant",
            "Decrypt",
            "RetireGrant"
        ],
        "granteePrincipal": "dataexchange.us-east-2.amazonaws.com",
        "retiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
        "constraints": {
            "encryptionContextSubset": {
                "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>"
            }
        }
    },
    "responseElements": {
        "grantId": "<KMS Grant ID of the created Grant>",
        "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "<Your Account Id>",
            "type": "AWS::KMS::Key",
            "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<Your Account Id>",
    "eventCategory": "Management"
}

CreateGrant for child

CreateGrant for the child grant that AWS Data Exchange creates for a subscriber.

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "datax.amazonaws.com"
    },
    "eventTime": "2023-02-15T23:15:49Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datax.amazonaws.com",
    "userAgent": "datax.amazonaws.com",
    "requestParameters": {
        "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>",
        "operations": [
            "Decrypt"
        ],
        "granteePrincipal": "<Subscriber's account Id>",
        "retiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
        "constraints": {
            "encryptionContextSubset": {
                "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>"
            }
        }
    },
    "responseElements": {
        "grantId": "<KMS Grant ID of the created Grant>",
        "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "<Your Account Id>",
            "type": "AWS::KMS::Key",
            "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<Your Account Id>",
    "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventCategory": "Management"
}

Decrypt

Decrypt is called when a subscriber tries to read the encrypted data in their subscription.

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSAccount",
        "principalId": "AROAIGDTESTANDEXAMPLE:Subscriber01",
        "accountId": "<subscriber-account-id>",
        "invokedBy": "<subscriber's IAM identity>"
    },
    "eventTime": "2023-02-15T23:28:30Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "<subscriber's IP address>",
    "userAgent": "<subscriber's user agent>",
    "requestParameters": {
        "encryptionContext": {
            "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>"
        },
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "<Your Account Id>",
            "type": "AWS::KMS::Key",
            "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "602466227860",
    "sharedEventID": "bcf4d02a-31ea-4497-9c98-4c3549f20a7b",
    "eventCategory": "Management"
}
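As an added example (not AWS documentation code), the check below turns the grant model from the "Encryption context and grant constraints" section and the CloudTrail records above into an audit: every CreateGrant on the shared key is classified as the parent grant (grantee is the AWS Data Exchange service principal) or a child grant, and flagged if it was not invoked by datax.amazonaws.com, lacks the bucket-ARN encryption-context constraint, or allows operations beyond those the page describes. The key ARN, bucket ARN, subscriber account IDs and the trimmed sample records are constructed placeholders.

```python
# Added example (not AWS documentation code): audit CloudTrail CreateGrant records for a KMS key
# shared with AWS Data Exchange. Key ARN, bucket ARN and account IDs are constructed placeholders.
SHARED_KEY_ARN = "arn:aws:kms:us-east-2:111122223333:key/EXAMPLE-KEY-ID"
BUCKET_ARN = "arn:aws:s3:::example-provider-bucket"
ADX_SERVICE = "datax.amazonaws.com"                   # invokedBy value in the page's records
PARENT_OPS = {"CreateGrant", "Decrypt", "RetireGrant"}  # operations on the parent grant
CHILD_OPS = {"Decrypt"}                               # a child grant may only Decrypt

def classify_grant(event):
    """Return (kind, findings): kind is 'ignored', 'parent' or 'child'; findings lists
    deviations (unexpected caller, missing bucket-ARN constraint, over-broad operations)."""
    findings = []
    params = event.get("requestParameters") or {}
    if event.get("eventName") != "CreateGrant" or params.get("keyId") != SHARED_KEY_ARN:
        return "ignored", findings                    # not a grant on the key we audit
    if (event.get("userIdentity") or {}).get("invokedBy") != ADX_SERVICE:
        findings.append("CreateGrant on the shared key was not invoked by AWS Data Exchange")
    subset = (params.get("constraints") or {}).get("encryptionContextSubset") or {}
    if subset.get("aws:s3:arn") != BUCKET_ARN:
        findings.append("grant is not constrained to the shared bucket's encryption context")
    ops = set(params.get("operations") or [])
    grantee = params.get("granteePrincipal") or ""
    if grantee.startswith("dataexchange."):           # service principal: the parent grant
        kind = "parent"
        if ops != PARENT_OPS:
            findings.append(f"parent grant operations {sorted(ops)} differ from expected")
    else:                                             # subscriber account: a child grant
        kind = "child"
        if not ops <= CHILD_OPS:
            findings.append(f"child grant for {grantee} allows more than Decrypt: {sorted(ops)}")
    return kind, findings

def audit(records):
    """Classify every record and return only the (kind, findings) pairs that have findings."""
    return [(k, f) for k, f in map(classify_grant, records) if f]

def _grant(ops, grantee, constrained=True, invoked_by=ADX_SERVICE):
    """Build a constructed CreateGrant record holding just the fields the check reads."""
    params = {"keyId": SHARED_KEY_ARN, "operations": ops, "granteePrincipal": grantee}
    if constrained:
        params["constraints"] = {"encryptionContextSubset": {"aws:s3:arn": BUCKET_ARN}}
    return {"eventName": "CreateGrant", "userIdentity": {"invokedBy": invoked_by},
            "requestParameters": params}

SAMPLE_RECORDS = [  # constructed: healthy parent, healthy child, then two deviating grants
    _grant(["CreateGrant", "Decrypt", "RetireGrant"], "dataexchange.us-east-2.amazonaws.com"),
    _grant(["Decrypt"], "444455556666"),
    _grant(["Decrypt", "GenerateDataKey"], "777788889999", constrained=False),
    _grant(["Decrypt"], "444455556666", invoked_by=None),
]
```

Running audit(SAMPLE_RECORDS) reports only the last two records; a Decrypt record, or a grant on some other key, is classified as ignored.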