本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
需要證明才能使用 AWS KMS 金鑰
我們希望聽到您的意見。請進行簡短的問卷 |
下列 AWS Key Management Service (AWS KMS) 金鑰政策允許 AWS Nitro Enclave 執行個體僅在請求中的 enclave 認證文件符合條件陳述式中的測量結果時,才使用 KMS 金鑰。此政策僅允許受信任的 enclav 解密資料。如需此政策如何協助保護組織中隱私權和個人資料的詳細資訊,請參閱本指南AWS Nitro Enclaves中的 。如需可用於金鑰政策和 in AWS Identity and Access Management (IAM) 政策之條件金鑰的完整清單 AWS KMS ,請參閱 的條件金鑰 AWS KMS。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Enable enclave data processing", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/data-processing" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateRandom" ], "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "kms:RecipientAttestation:ImageSha384": "EXAMPLE8abcdef7abcdef6abcdef5abcdef4abcdef3abcdef2abcdef1abcdef1abcdef0abcdef1abcdEXAMPLE", "kms:RecipientAttestation:PCR0": "EXAMPLEbc2ecbb68ed99a13d7122abfc0666b926a79d5379bc58b9445c84217f59cfdd36c08b2c79552928702EXAMPLE", "kms:RecipientAttestation:PCR1": "EXAMPLE050abf6b993c915505f3220e2d82b51aff830ad14cbecc2eec1bf0b4ae749d311c663f464cde9f718aEXAMPLE", "kms:RecipientAttestation:PCR2": "EXAMPLEc300289e872e6ac4d19b0b5ac4a9b020c98295643ff3978610750ce6a86f7edff24e3c0a4a445f2ff8EXAMPLE", "kms:RecipientAttestation:PCR3": "EXAMPLE11de9baee597508183477f097ae385d4a2c885aa655432365b53b812694e230bbe8e1bb1b8de748fe1EXAMPLE", "kms:RecipientAttestation:PCR4": "EXAMPLE6b9b3d89a53b13f5dfd14a1049ec0b80a9ae4b159adde479e9f7f512f33e835a0b9023ca51ada02160EXAMPLE", "kms:RecipientAttestation:PCR8": "EXAMPLE34a884328944cd806127c7784677ab60a154249fd21546a217299ccfa1ebfe4fa96a163bf41d3bcfaeEXAMPLE" } } } ] }
