This is a machine-translated version of the English original; where the content is ambiguous or inconsistent, the English version prevails.
Encryption at rest for AWS Verified Access
AWS Verified Access encrypts data at rest by default using AWS owned KMS keys. Because encryption at rest happens by default, it reduces the operational overhead and complexity involved in protecting sensitive data. At the same time, it lets you build secure applications that meet strict encryption compliance and regulatory requirements. The following sections describe in detail how Verified Access uses KMS keys for encryption at rest.
Verified Access and KMS keys
AWS owned keys
Verified Access uses KMS keys to automatically encrypt personally identifiable information (PII). This happens by default, and you cannot view, manage, use, or audit the use of AWS owned keys yourself. However, you do not need to take any action or change any program to protect the keys that encrypt your data. For more information, see AWS owned keys in the AWS Key Management Service Developer Guide.
Although you cannot disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption on top of the existing AWS owned encryption key by choosing a customer managed key when you create a Verified Access resource.
Customer managed keys
Verified Access supports the use of symmetric customer managed keys that you create and manage to add a second layer of encryption over the existing default encryption. Because you have full control of this layer of encryption, you can perform tasks such as the following:
- Establish and maintain key policies
- Establish and maintain IAM policies and grants
- Enable and disable key policies
- Rotate key cryptographic material
- Add tags
- Create key aliases
- Schedule keys for deletion
For more information, see Customer managed keys in the AWS Key Management Service Developer Guide.
Personally identifiable information
The following table summarizes the personally identifiable information (PII) that Verified Access uses and how it is encrypted.

Data type | AWS owned key encryption | Customer managed key encryption (optional)
--- | --- | ---
Trust provider (user-type): a user-type trust provider contains OIDC options such as AuthorizationEndpoint, UserInfoEndpoint, ClientId, ClientSecret, and so on, all of which are considered PII. | Enabled | Enabled
Trust provider (device-type): a device-type trust provider contains a TenantId, which is considered PII. | Enabled | Enabled
Group policy: provided when a Verified Access group is created or modified. Contains the rules that authorize access requests. May contain PII such as user names and email addresses. | Enabled | Enabled
Endpoint policy: provided when a Verified Access endpoint is created or modified. Contains the rules that authorize access requests. May contain PII such as user names and email addresses. | Enabled | Enabled
How AWS Verified Access uses grants in AWS KMS
Verified Access requires a grant in order to use a customer managed key.
When you create a Verified Access resource encrypted with a customer managed key, Verified Access creates a grant on your behalf by sending a CreateGrant request to AWS KMS. Grants in AWS KMS are used to give Verified Access access to the customer managed key in your account.
Verified Access requires the grant to use the customer managed key for the following internal operations:
You can revoke access to the grant, or remove the service's access to the customer managed key, at any time. If you do, Verified Access will no longer be able to access any data encrypted by the customer managed key, which affects the operations that depend on that data.
Using customer managed keys with Verified Access
You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS APIs. Follow the steps for creating symmetric encryption keys in the AWS Key Management Service Developer Guide.
Key policy
Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. You can specify the key policy when you create the customer managed key. For more information, see Key policies in the AWS Key Management Service Developer Guide.
To use a customer managed key with your Verified Access resources, the following API operations must be permitted in the key policy:
- kms:CreateGrant: Adds a grant to the customer managed key. Grants control access to a specified KMS key, allowing access to the grant operations that Verified Access requires. For more information, see Grants in the AWS Key Management Service Developer Guide. This allows Verified Access to do the following:
  - Call GenerateDataKeyWithoutPlainText to generate an encrypted data key and store it, because the data key is not used immediately to encrypt.
  - Call Decrypt to use the stored encrypted data key to access the encrypted data.
  - Set up a retiring principal to allow the service to RetireGrant.
- kms:DescribeKey: Provides the customer managed key details so that Verified Access can validate the key.
- kms:GenerateDataKey: Allows Verified Access to use the key to encrypt data.
- kms:Decrypt: Allows Verified Access to decrypt the encrypted data key.
The following is an example key policy that can be used for Verified Access.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow access to principals authorized to use Verified Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:DescribeKey",
        "kms:CreateGrant",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "verified-access.region.amazonaws.com",
          "kms:CallerAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "Allow access for key administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "kms:*"
      ],
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID"
    },
    {
      "Sid": "Allow read-only access to key metadata to the account",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "kms:RevokeGrant"
      ],
      "Resource": "*"
    }
  ]
}
For more information, see Creating a key policy and Troubleshooting key access in the AWS Key Management Service Developer Guide.
Specifying a customer managed key for Verified Access resources
You can specify a customer managed key to provide a second layer of encryption for the following resources:
When you create any of these resources using the AWS Management Console, you can specify a customer managed key in the Additional encryption - optional section. To do so, select the Customize encryption settings (advanced) check box, and then enter the ID of the AWS KMS key that you want to use. You can also do this when modifying an existing resource, or by using the AWS CLI.
If the customer managed key used to add additional encryption to any of the above resources is lost, the configuration values of the resource can no longer be accessed. However, you can modify the resource using the AWS Management Console or the AWS CLI to apply a new customer managed key and reset the configuration values.
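As an added check (not code from the AWS documentation), the following Python validates a key policy document against the requirements listed above: it finds the Allow statement covering the four actions and, when that statement uses a wildcard principal as the example does, confirms it is scoped by kms:ViaService to the verified-access endpoint and by kms:CallerAccount to the owning account. The policy text is constructed from the example above using the page's placeholder account and region.

```python
import json

# Actions the page says the key policy must permit for Verified Access.
REQUIRED_ACTIONS = {"kms:CreateGrant", "kms:DescribeKey",
                    "kms:GenerateDataKey", "kms:Decrypt"}

def _as_set(value):
    return {value} if isinstance(value, str) else set(value or [])

def check_verified_access_key_policy(policy, account_id):
    """Return a list of findings; an empty list means the policy looks right.

    A statement serves Verified Access when it is an Allow covering all four
    required actions. If that statement uses a wildcard principal, it must be
    scoped with kms:ViaService (the verified-access endpoint) and
    kms:CallerAccount; otherwise any principal in any account may use the key.
    """
    findings, matched = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not REQUIRED_ACTIONS <= _as_set(stmt.get("Action")):
            continue
        matched = True
        principal = stmt.get("Principal", {})
        aws = _as_set(principal.get("AWS")) if isinstance(principal, dict) else {principal}
        if aws == {"*"}:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not str(cond.get("kms:ViaService", "")).startswith("verified-access."):
                findings.append(f"{stmt.get('Sid')}: wildcard principal not scoped by kms:ViaService")
            if cond.get("kms:CallerAccount") != account_id:
                findings.append(f"{stmt.get('Sid')}: wildcard principal not scoped to account {account_id}")
    if not matched:
        findings.append("no Allow statement covers all of " + ", ".join(sorted(REQUIRED_ACTIONS)))
    return findings

# Constructed test policies (JSON text, as a key policy would be stored).
# 111122223333 and "region" are the placeholders used on this page.
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "Allow access to principals authorized to use Verified Access",
  "Effect": "Allow", "Principal": {"AWS": "*"},
  "Action": ["kms:DescribeKey", "kms:CreateGrant", "kms:GenerateDataKey", "kms:Decrypt"],
  "Resource": "*",
  "Condition": {"StringEquals": {"kms:ViaService": "verified-access.region.amazonaws.com",
                                 "kms:CallerAccount": "111122223333"}}}]}""")

# The same statement with its Condition block dropped: the weak form to catch.
UNSCOPED = json.loads(json.dumps(SCOPED))
del UNSCOPED["Statement"][0]["Condition"]
```

Run the check against each policy you attach to a key used by Verified Access; a wildcard principal without both conditions is the finding to act on.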
AWS Verified Access encryption context
An encryption context is an optional set of key-value pairs that contain additional contextual information about the data. AWS KMS uses the encryption context as additional authenticated data to support authenticated encryption. When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt the data, you must include the same encryption context in the request.
AWS Verified Access encryption context
Verified Access uses the same encryption context in all AWS KMS cryptographic operations, where the key is aws:verified-access:arn and the value is the Amazon Resource Name (ARN) of the resource. The following are the encryption contexts for Verified Access resources.
Verified Access trust provider
"encryptionContext": {
  "aws:verified-access:arn": "arn:aws:ec2:region:111122223333:VerifiedAccessTrustProviderId"
}
Verified Access group
"encryptionContext": {
  "aws:verified-access:arn": "arn:aws:ec2:region:111122223333:VerifiedAccessGroupId"
}
Verified Access endpoint
"encryptionContext": {
  "aws:verified-access:arn": "arn:aws:ec2:region:111122223333:VerifiedAccessEndpointId"
}
Monitoring your encryption keys for AWS Verified Access
When you use a customer managed KMS key with your AWS Verified Access resources, you can use AWS CloudTrail to track the requests that Verified Access sends to AWS KMS.
The following examples are AWS CloudTrail events for CreateGrant, RetireGrant, DescribeKey, Decrypt, and GenerateDataKey, which you can use to monitor the KMS operations that Verified Access calls to access data encrypted by your customer managed KMS key:
CreateGrant
When you use a customer managed key to encrypt your resources, Verified Access sends a CreateGrant request on your behalf to access the key in your AWS account. The grants that Verified Access creates are specific to the resource associated with the customer managed key.
The following example event records the CreateGrant operation:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AKIAI44QH8DHBEXAMPLE",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AKIAI44QH8DHBEXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/Admin",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-09-11T16:27:12Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "verified-access.amazonaws.com"
  },
  "eventTime": "2023-09-11T16:41:42Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
  "awsRegion": "ca-central-1",
  "sourceIPAddress": "verified-access.amazonaws.com",
  "userAgent": "verified-access.amazonaws.com",
  "requestParameters": {
    "operations": [
      "Decrypt",
      "RetireGrant",
      "GenerateDataKey"
    ],
    "keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae",
    "constraints": {
      "encryptionContextSubset": {
        "aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-0e54f581e2e5c97a2"
      }
    },
    "granteePrincipal": "verified-access.ca-central-1.amazonaws.com",
    "retiringPrincipal": "verified-access.ca-central-1.amazonaws.com"
  },
  "responseElements": {
    "grantId": "e5a050fff9893ba1c43f83fddf61e5f9988f579beaadd6d4ad6d1df07df6048f",
    "keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
  },
  "requestID": "0faa837e-5c69-4189-9736-3957278e6444",
  "eventID": "1b6dd8b8-cbee-4a83-9b9d-d95fa5f6fd08",
  "readOnly": false,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
RetireGrant
Verified Access uses the RetireGrant operation to remove a grant when a resource is deleted.
The following example event records the RetireGrant operation:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AKIAI44QH8DHBEXAMPLE",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AKIAI44QH8DHBEXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/Admin",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-09-11T16:42:33Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "verified-access.amazonaws.com"
  },
  "eventTime": "2023-09-11T16:47:53Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "RetireGrant",
  "awsRegion": "ca-central-1",
  "sourceIPAddress": "verified-access.amazonaws.com",
  "userAgent": "verified-access.amazonaws.com",
  "requestParameters": null,
  "responseElements": {
    "keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
  },
  "additionalEventData": {
    "grantId": "b35e66f9bacb266cec214fcaa353c9cf750785e28773e61ba6f434d8c5c7632f"
  },
  "requestID": "7d4a31c2-d426-434b-8f86-336532a70462",
  "eventID": "17edc343-f25b-43d4-bbff-150d8fff4cf8",
  "readOnly": false,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
Decrypt
Verified Access calls the Decrypt operation to use the stored encrypted data key to access the encrypted data.
The following example event records the Decrypt operation:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AKIAI44QH8DHBEXAMPLE",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AKIAI44QH8DHBEXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/Admin",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-09-11T17:19:33Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "verified-access.amazonaws.com"
  },
  "eventTime": "2023-09-11T17:47:05Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "ca-central-1",
  "sourceIPAddress": "verified-access.amazonaws.com",
  "userAgent": "verified-access.amazonaws.com",
  "requestParameters": {
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
    "keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e",
    "encryptionContext": {
      "aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-00f20a4e455e9340f",
      "aws-crypto-public-key": "AkK+vi1W/acBKv7OR8p2DeUrA8EgpTffSrjBqNucODuBYhyZ3hlMuYYJz9x7CwQWZw=="
    }
  },
  "responseElements": null,
  "requestID": "2e920fd3-f2f6-41b2-a5e7-2c2cb6f853a9",
  "eventID": "3329e0a3-bcfb-44cf-9813-8106d6eee31d",
  "readOnly": true,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
DescribeKey
Verified Access uses the DescribeKey operation to verify that the customer managed key associated with a resource exists in the account and Region.
The following example event records the DescribeKey operation:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AKIAI44QH8DHBEXAMPLE",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AKIAI44QH8DHBEXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/Admin",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-09-11T17:19:33Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "verified-access.amazonaws.com"
  },
  "eventTime": "2023-09-11T17:46:48Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DescribeKey",
  "awsRegion": "ca-central-1",
  "sourceIPAddress": "verified-access.amazonaws.com",
  "userAgent": "verified-access.amazonaws.com",
  "requestParameters": {
    "keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
  },
  "responseElements": null,
  "requestID": "5b127082-6691-48fa-bfb0-4d40e1503636",
  "eventID": "ffcfc2bb-f94b-4c00-b6fb-feac77daff2a",
  "readOnly": true,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
GenerateDataKey
The following example event records the GenerateDataKey operation:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AKIAI44QH8DHBEXAMPLE",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AKIAI44QH8DHBEXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/Admin",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-09-11T17:19:33Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "verified-access.amazonaws.com"
  },
  "eventTime": "2023-09-11T17:46:49Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey",
  "awsRegion": "ca-central-1",
  "sourceIPAddress": "verified-access.amazonaws.com",
  "userAgent": "verified-access.amazonaws.com",
  "requestParameters": {
    "encryptionContext": {
      "aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-00f20a4e455e9340f",
      "aws-crypto-public-key": "A/ATGxaYatPUlOtM+l/mfDndkzHUmX5Hav+29IlIm+JRBKFuXf24ulztmOIsqFQliw=="
    },
    "numberOfBytes": 32,
    "keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
  },
  "responseElements": null,
  "requestID": "06535808-7cce-4ae1-ab40-e3afbf158a43",
  "eventID": "1ce79601-5a5e-412c-90b3-978925036526",
  "readOnly": true,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
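As an added example (not code from the AWS documentation), the following Python triages CloudTrail records like the five above: it keeps only KMS calls whose userIdentity.invokedBy is the Verified Access service, counts the operations, and flags any call that targets a key other than the one you expect or whose encryption context (or CreateGrant encryptionContextSubset constraint) is not bound to a Verified Access resource ARN under aws:verified-access:arn, as the encryption context section describes. The log lines are constructed from the fields shown in the events above, with one added anomalous Decrypt.

```python
import json

SERVICE = "verified-access.amazonaws.com"   # userIdentity.invokedBy in the events above
CTX_KEY = "aws:verified-access:arn"         # encryption context key Verified Access uses
KEY = "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
VATP = "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-00f20a4e455e9340f"

def _event(name, params, key=KEY, invoked_by=SERVICE):
    # Constructed CloudTrail record carrying only the fields the triage reads.
    return {"eventSource": "kms.amazonaws.com", "eventName": name,
            "userIdentity": {"invokedBy": invoked_by}, "requestParameters": params,
            "resources": [{"type": "AWS::KMS::Key", "ARN": key}]}

# Constructed sample log (one JSON record per line) modelled on the five events above,
# plus one anomalous Decrypt whose context is not bound to a Verified Access resource.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("DescribeKey", {"keyId": KEY}),
    _event("GenerateDataKey", {"encryptionContext": {CTX_KEY: VATP}, "numberOfBytes": 32, "keyId": KEY}),
    _event("CreateGrant", {"constraints": {"encryptionContextSubset": {CTX_KEY: VATP}}, "keyId": KEY}),
    _event("Decrypt", {"encryptionContext": {CTX_KEY: VATP}, "keyId": KEY}),
    _event("RetireGrant", None),
    _event("Decrypt", {"encryptionContext": {"app": "other"}, "keyId": KEY}),
])

def _context_of(event):
    params = event.get("requestParameters") or {}   # RetireGrant logs null here
    if event["eventName"] == "CreateGrant":
        return (params.get("constraints") or {}).get("encryptionContextSubset")
    return params.get("encryptionContext")

def triage_kms_events(log_text, expected_key=KEY):
    """Count the KMS operations Verified Access made and list records that break the
    page's invariants: each call targets the expected key, and every Decrypt,
    GenerateDataKey and CreateGrant is bound to a Verified Access resource ARN."""
    counts, findings = {}, []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev.get("eventSource") != "kms.amazonaws.com" or ev["userIdentity"].get("invokedBy") != SERVICE:
            continue  # not a KMS call made by Verified Access
        name = ev["eventName"]
        counts[name] = counts.get(name, 0) + 1
        keys = {r["ARN"] for r in ev.get("resources", []) if r["type"] == "AWS::KMS::Key"}
        if keys and keys != {expected_key}:
            findings.append(f"{name}: unexpected key {sorted(keys)}")
        if name in ("Decrypt", "GenerateDataKey", "CreateGrant"):
            arn = (_context_of(ev) or {}).get(CTX_KEY, "")
            if ":verified-access-" not in arn:
                findings.append(f"{name}: context not bound to a Verified Access resource ARN")
    return counts, findings
```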