Encrypting data at rest for Amazon DocumentDB Elastic Clusters - Amazon DocumentDB

This page is a machine-translated version of the English original. Where the two differ, the English version takes precedence.

Encrypting data at rest for Amazon DocumentDB Elastic Clusters

The following topics help you understand, create, and monitor AWS Key Management Service encryption keys for Amazon DocumentDB elastic clusters:

Amazon DocumentDB elastic clusters automatically integrate with AWS Key Management Service (AWS KMS) for key management and use a method known as envelope encryption to protect your data. For more information about envelope encryption, see Envelope encryption in the AWS Key Management Service Developer Guide.

An AWS KMS key is a logical representation of an encryption key. A KMS key includes metadata such as the key ID, creation date, description, and key state. A KMS key also contains the key material used to encrypt and decrypt data. For more information about KMS keys, see AWS KMS keys in the AWS Key Management Service Developer Guide.

Amazon DocumentDB elastic clusters support encryption using two types of keys:

  • AWS owned keys — Amazon DocumentDB elastic clusters use these keys by default to automatically encrypt personally identifiable data. You cannot view, manage, or use AWS owned keys, or audit their use. However, you do not have to take any action or change any programs to protect the keys that encrypt your data. For more information, see AWS owned keys in the AWS Key Management Service Developer Guide.

  • Customer managed keys — Symmetric AWS KMS keys that you create, own, and manage. Because you have full control over this layer of encryption, you can perform such tasks as:

    • Establishing and maintaining key policies

    • Establishing and maintaining IAM policies and grants

    • Enabling and disabling key policies

    • Rotating key cryptographic material

    • Adding tags

    • Creating key aliases

    • Scheduling keys for deletion

    For more information, see Customer managed keys in the AWS Key Management Service Developer Guide.

Important

You must use symmetric encryption KMS keys, because Amazon DocumentDB supports only symmetric encryption KMS keys. Do not attempt to use an asymmetric KMS key to encrypt data in Amazon DocumentDB Elastic Clusters. For more information, see Asymmetric keys in AWS KMS in the AWS Key Management Service Developer Guide.

If Amazon DocumentDB can no longer access the encryption key for a cluster — for example, when access to the key is revoked — the encrypted cluster enters a terminal state. In this case, you can only restore the cluster from a backup. For Amazon DocumentDB, backups are always enabled for 1 day. In addition, if you disable the key for an encrypted Amazon DocumentDB cluster, you eventually lose read and write access to that cluster. When Amazon DocumentDB encounters a cluster that is encrypted by a key it does not have access to, it puts the cluster into a terminal state. In this state, the cluster is no longer available and the current state of the database cannot be recovered. To restore the cluster, you must re-enable access to the encryption key for Amazon DocumentDB, and then restore the cluster from a backup.

Important

Because you cannot change the KMS key of an encrypted cluster after you create it, be sure to determine your encryption key requirements before you create your encrypted elastic cluster.

How Amazon DocumentDB elastic clusters use grants in AWS KMS

Amazon DocumentDB Elastic Clusters requires a grant in order to use your customer managed key.

When you create a cluster that is encrypted with a customer managed key, Amazon DocumentDB Elastic Clusters creates a grant on your behalf by sending a CreateGrant request to AWS KMS. Grants in AWS KMS are used to give Amazon DocumentDB Elastic Clusters access to a KMS key in a customer account.

Amazon DocumentDB Elastic Clusters requires the grant to use your customer managed key for the following internal operations:

  • Send DescribeKey requests to AWS KMS to verify that the symmetric customer managed KMS key ID entered when creating the cluster is valid.

  • Send GenerateDataKey requests to AWS KMS to generate data keys encrypted by your customer managed key.

  • Send Decrypt requests to AWS KMS to decrypt the encrypted data keys so that they can be used to encrypt your data.

You can revoke access to the grant, or remove the service's access to the customer managed key, at any time. If you do, Amazon DocumentDB Elastic Clusters will not be able to access any of the data encrypted by the customer managed key, which affects operations that depend on that data.

Creating a customer managed key

You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS API.

To create a symmetric customer managed key

Follow the steps for creating a symmetric customer managed key in the AWS Key Management Service Developer Guide.

Key policy

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify the key policy. For more information, see the information on access to KMS keys in the AWS Key Management Service overview in the AWS Key Management Service Developer Guide.

To use your customer managed key with your Amazon DocumentDB elastic cluster resources, the following API operations must be permitted in the key policy:

  • kms:CreateGrant — Adds a grant to a customer managed key. Grants control access to a specified KMS key, which allows access to the grant operations that Amazon DocumentDB Elastic Clusters requires. For more information about using grants, see Grants in AWS KMS in the AWS Key Management Service Developer Guide.

  • kms:DescribeKey — Provides the customer managed key details to allow DocumentDB Elastic to validate the key.

  • kms:Decrypt — Allows DocumentDB Elastic to use the stored encrypted data key to access encrypted data.

  • kms:GenerateDataKey — Allows DocumentDB Elastic to generate an encrypted data key and store it, because the data key is not immediately used to encrypt.

For more information, see Permissions for AWS services in key policies and Troubleshooting key access in the AWS Key Management Service Developer Guide.

Restricting customer managed key access through IAM policies

In addition to KMS key policies, you can also restrict KMS key permissions in an IAM policy.

You can make IAM policies stricter in various ways. For example, to allow the customer managed key to be used only for requests that originate from Amazon DocumentDB Elastic Clusters, you can use the kms:ViaService condition key with the value docdb-elastic.<region-name>.amazonaws.com.

For more information, see Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide.
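The Python below is an added example, not part of the AWS documentation or of any AWS SDK. It builds the key policy statement that allows the four operations listed in the Key policy section, builds an IAM identity policy that applies the kms:ViaService restriction described just above, and checks an arbitrary key policy for those four operations as seen from a caller whose request arrives through DocumentDB Elastic. The statement Sid, the role name, the use of the kms:CallerAccount condition key, and the simplified evaluation rules (only StringEquals conditions, root ARN treated as "any principal in the account") are assumptions of this example; real AWS policy evaluation covers more cases than are modelled here.

```python
import fnmatch
import json

# The four KMS operations the page says the key policy must allow.
REQUIRED_ACTIONS = ("kms:CreateGrant", "kms:DescribeKey",
                    "kms:Decrypt", "kms:GenerateDataKey")

def via_service(region):
    """kms:ViaService value for DocumentDB Elastic (format given on the page)."""
    return f"docdb-elastic.{region}.amazonaws.com"

def docdb_key_policy_statement(account_id, region):
    """Key policy statement that allows the required operations only when the
    request reaches KMS through DocumentDB Elastic from this account.
    Assumption beyond the page: kms:CallerAccount pins the calling account."""
    return {
        "Sid": "AllowUseThroughDocumentDBElasticClusters",   # name made up here
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "*",
        "Condition": {"StringEquals": {
            "kms:ViaService": via_service(region),
            "kms:CallerAccount": account_id}},
    }

def docdb_iam_policy(key_arn, region):
    """Identity policy for the role that creates clusters: the same four
    actions on one key, restricted with kms:ViaService as the page describes."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": list(REQUIRED_ACTIONS),
        "Resource": key_arn,
        "Condition": {"StringEquals": {"kms:ViaService": via_service(region)}},
    }]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    """'*' matches anyone; an account root ARN matches any principal in that
    account (a simplification of how IAM delegates to identity policies)."""
    if principal == "*":
        return True
    account = caller_arn.split(":")[4]
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", caller_arn, f"arn:aws:iam::{account}:root"):
            return True
    return False

def _conditions_match(condition, context):
    # Only StringEquals is modelled; any other operator is treated as unmet.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True

def evaluate(policy, action, context, caller_arn):
    """Simplified key policy evaluation: an explicit Deny wins, otherwise at
    least one matching Allow is needed. Resource is always '*' in a key policy."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not _principal_matches(st.get("Principal", "*"), caller_arn):
            continue
        if not _conditions_match(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_docdb_permissions(policy, region, caller_arn):
    """Required operations the key policy does not grant to caller_arn when
    the request arrives through DocumentDB Elastic in the given region."""
    context = {"kms:ViaService": via_service(region),
               "kms:CallerAccount": caller_arn.split(":")[4]}
    return [a for a in REQUIRED_ACTIONS
            if not evaluate(policy, a, context, caller_arn)]

if __name__ == "__main__":
    # Constructed sample values: the account id and key id are the page's own
    # placeholders; the role name is made up for this example.
    account, region = "111122223333", "us-east-1"
    key_arn = f"arn:aws:kms:{region}:{account}:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    role = f"arn:aws:iam::{account}:role/DocDBClusterAdmin"
    policy = {"Version": "2012-10-17",
              "Statement": [docdb_key_policy_statement(account, region)]}
    print(json.dumps(policy, indent=2))
    print(json.dumps(docdb_iam_policy(key_arn, region), indent=2))
    print("missing:", missing_docdb_permissions(policy, region, role))
```

Running the file prints both policy documents and an empty "missing" list; pointing `missing_docdb_permissions` at the exported key policy of an existing key (with the region the cluster will live in) shows which of the four operations the service path would still be denied, which is the first thing to check when cluster creation fails with a KMS access error.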

Monitoring the encryption keys for Amazon DocumentDB Elastic Clusters

When you use an AWS KMS customer managed key with your DocumentDB Elastic resources, you can use AWS CloudTrail or Amazon CloudWatch Logs to track the requests that DocumentDB Elastic sends to AWS KMS.

The following examples are AWS CloudTrail events for the CreateGrant, GenerateDataKeyWithoutPlainText, Decrypt, and DescribeKey operations, which you can use to monitor the AWS KMS key operations that Amazon DocumentDB elastic clusters call to access data encrypted by your customer managed key:

CreateGrant

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE",
        "arn": "arn:aws:iam::111122223333:assumed-role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Sampleuser01"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-05-09T23:04:20Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "docdb-elastic.amazonaws.com"
  },
  "eventTime": "2023-05-09T23:55:48Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "docdb-elastic.amazonaws.com",
  "userAgent": "docdb-elastic.amazonaws.com",
  "requestParameters": {
    "retiringPrincipal": "docdb-elastic.us-east-1.amazonaws.com",
    "granteePrincipal": "docdb-elastic.us-east-1.amazonaws.com",
    "operations": [
      "Decrypt",
      "Encrypt",
      "GenerateDataKey",
      "GenerateDataKeyWithoutPlaintext",
      "ReEncryptFrom",
      "ReEncryptTo",
      "CreateGrant",
      "RetireGrant",
      "DescribeKey"
    ],
    "keyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
  },
  "responseElements": {
    "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
    "keyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
  },
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": false,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}

GenerateDataKey

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE",
        "arn": "arn:aws:iam::111122223333:assumed-role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Sampleuser01"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-05-10T18:02:59Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "docdb-elastic.amazonaws.com"
  },
  "eventTime": "2023-05-10T18:03:25Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "docdb-elastic.amazonaws.com",
  "userAgent": "docdb-elastic.amazonaws.com",
  "requestParameters": {
    "keySpec": "AES_256",
    "keyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
  },
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}

Decrypt

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE",
        "arn": "arn:aws:iam::111122223333:assumed-role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Sampleuser01"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-05-10T18:05:49Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "docdb-elastic.amazonaws.com"
  },
  "eventTime": "2023-05-10T18:06:19Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "docdb-elastic.amazonaws.com",
  "userAgent": "docdb-elastic.amazonaws.com",
  "requestParameters": {
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
  },
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}

DescribeKey

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE",
        "arn": "arn:aws:iam::111122223333:assumed-role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Sampleuser01"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-05-09T23:04:20Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "docdb-elastic.amazonaws.com"
  },
  "eventTime": "2023-05-09T23:55:48Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DescribeKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "docdb-elastic.amazonaws.com",
  "userAgent": "docdb-elastic.amazonaws.com",
  "requestParameters": {
    "keyId": "alias/SampleKmsKey"
  },
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
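As an added example, not part of the page or of any AWS tooling, the Python below processes CloudTrail records like the ones shown above: it counts KMS operations on the customer managed key according to whether DocumentDB Elastic made the call (userIdentity.invokedBy) or a principal called KMS directly, lists every CreateGrant with its grantee and granted operations, and returns the direct calls so they can be alerted on. The sample records are condensed copies of the four events above plus one constructed direct Decrypt call that is not in the original; the function names and the "dedicated key" assumption behind the direct-call check are this example's own.

```python
import json
from collections import Counter

DOCDB_SERVICE = "docdb-elastic.amazonaws.com"   # invokedBy value in the page's events
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
ADMIN_ARN = "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01"

def _event(name, time, read_only, params, invoked_by=DOCDB_SERVICE):
    """Build a trimmed CloudTrail record carrying the fields the checks use."""
    identity = {"type": "AssumedRole", "arn": ADMIN_ARN, "accountId": "111122223333"}
    if invoked_by:
        identity["invokedBy"] = invoked_by
    return {"eventVersion": "1.08", "userIdentity": identity, "eventTime": time,
            "eventSource": "kms.amazonaws.com", "eventName": name,
            "requestParameters": params, "readOnly": read_only,
            "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]}

# Constructed sample: condensed copies of the page's four events, plus one
# Decrypt without invokedBy, i.e. a direct call that did not go through
# DocumentDB Elastic (made up here to show what the check flags).
SAMPLE_EVENTS = [
    _event("CreateGrant", "2023-05-09T23:55:48Z", False, {
        "granteePrincipal": "docdb-elastic.us-east-1.amazonaws.com",
        "operations": ["Decrypt", "Encrypt", "GenerateDataKey",
                       "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom",
                       "ReEncryptTo", "CreateGrant", "RetireGrant", "DescribeKey"],
        "keyId": KEY_ARN}),
    _event("DescribeKey", "2023-05-09T23:55:48Z", True, {"keyId": "alias/SampleKmsKey"}),
    _event("GenerateDataKey", "2023-05-10T18:03:25Z", True,
           {"keySpec": "AES_256", "keyId": KEY_ARN}),
    _event("Decrypt", "2023-05-10T18:06:19Z", True,
           {"encryptionAlgorithm": "SYMMETRIC_DEFAULT"}),
    _event("Decrypt", "2023-05-11T08:12:00Z", True,
           {"encryptionAlgorithm": "SYMMETRIC_DEFAULT"}, invoked_by=None),
]

def parse_cloudtrail(text):
    """Accept a CloudTrail log file ({"Records": [...]}), a JSON list, or a
    single event document, and return a list of events."""
    data = json.loads(text)
    if isinstance(data, dict):
        return data.get("Records", [data])
    return data

def _touches_key(event, key_arn):
    return any(r.get("ARN") == key_arn for r in event.get("resources", []))

def summarize(events, key_arn):
    """Count KMS operations on key_arn, split by whether DocumentDB Elastic
    made the call or a principal called KMS directly."""
    counts = {"via_docdb": Counter(), "direct": Counter()}
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or not _touches_key(ev, key_arn):
            continue
        via = ev["userIdentity"].get("invokedBy") == DOCDB_SERVICE
        counts["via_docdb" if via else "direct"][ev["eventName"]] += 1
    return counts

def grant_events(events, key_arn):
    """CreateGrant calls on the key: each one widens who may use the key, so
    the grantee and the granted operations are worth reviewing."""
    return [(ev["eventTime"], ev["requestParameters"]["granteePrincipal"],
             ev["requestParameters"]["operations"])
            for ev in events
            if ev.get("eventName") == "CreateGrant" and _touches_key(ev, key_arn)]

def direct_calls(events, key_arn):
    """KMS calls on the key that did not arrive through DocumentDB Elastic.
    For a key dedicated to the cluster these are the ones to alert on."""
    return [(ev["eventTime"], ev["eventName"], ev["userIdentity"]["arn"])
            for ev in events
            if ev.get("eventSource") == "kms.amazonaws.com"
            and _touches_key(ev, key_arn)
            and ev["userIdentity"].get("invokedBy") != DOCDB_SERVICE]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS, KEY_ARN))
    print(grant_events(SAMPLE_EVENTS, KEY_ARN))
    print(direct_calls(SAMPLE_EVENTS, KEY_ARN))
```

On real data, feed `parse_cloudtrail` the contents of a CloudTrail log file (or the output of an events query) and pass the key's ARN; the split between "via_docdb" and "direct" is what distinguishes the service's routine envelope-encryption traffic from someone using the key outside the cluster, and each CreateGrant entry shows exactly which operations were delegated to the service principal.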

Learn more

The following resources provide more information about data encryption at rest: