This is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.
Encryption at rest for Amazon WorkSpaces Thin Client
Amazon WorkSpaces Thin Client provides encryption by default to protect sensitive customer data at rest using AWS owned encryption keys.
Encrypting data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it lets you build secure applications that meet strict encryption compliance and regulatory requirements.
Although you cannot disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption on top of the existing AWS owned encryption key by choosing a customer managed key when you create your thin client environment.
For more information, see Customer managed keys in the AWS Key Management Service Developer Guide.
The following table summarizes how Amazon WorkSpaces Thin Client encrypts personally identifiable data.

Data type | AWS owned key encryption | Customer managed key encryption (optional)
--- | --- | ---
Environment name (WorkSpaces Thin Client environment name) | Enabled | Enabled
Device name (WorkSpaces Thin Client device name) | Enabled | Enabled
User activity (WorkSpaces Thin Client user activity) | Enabled | Enabled
Device settings (WorkSpaces Thin Client device settings) | Enabled | Enabled
Device creation tags (WorkSpaces Thin Client environment device creation tags) | Enabled | Enabled
How Amazon WorkSpaces Thin Client uses AWS KMS
Amazon WorkSpaces Thin Client requires a key policy before you can use your customer managed key.
Amazon WorkSpaces Thin Client requires a key policy to use your customer managed key for the following internal operations:
You can remove the service's access to your customer managed key at any time. If you do, Amazon WorkSpaces Thin Client cannot access any data encrypted with that customer managed key, which affects the operations that depend on that data. For example, if you try to get the details of an environment that WorkSpaces Thin Client cannot access, the operation returns an AccessDeniedException error. In addition, WorkSpaces Thin Client devices are unable to use that WorkSpaces Thin Client environment.
Create a customer managed key
You can create a symmetric customer managed key using the AWS Management Console or the AWS KMS API operations.
To create a symmetric customer managed key
Follow the steps for creating a symmetric customer managed key in the AWS Key Management Service Developer Guide.
Key policy
Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. You can specify the key policy when you create the customer managed key. For more information, see Managing access to customer managed keys in the AWS Key Management Service Developer Guide.
To use a customer managed key with your Amazon WorkSpaces Thin Client resources, the following API operations must be allowed in the key policy:
The following is an example policy statement that you can add for Amazon WorkSpaces Thin Client:
```json
{
  "Statement": [
    {
      "Sid": "Allow access to principals authorized to use Amazon WorkSpaces Thin Client",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "thinclient.region.amazonaws.com",
          "kms:CallerAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "Allow Amazon WorkSpaces Thin Client service to encrypt and decrypt data",
      "Effect": "Allow",
      "Principal": {"Service": "thinclient.amazonaws.com"},
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:SourceArn": "arn:aws:thinclient:region:111122223333:*",
          "kms:EncryptionContext:aws:thinclient:arn": "arn:aws:thinclient:region:111122223333:*"
        }
      }
    },
    {
      "Sid": "Allow access for key administrators",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": ["kms:*"],
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID"
    },
    {
      "Sid": "Allow read-only access to key metadata to the account",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": [
        "kms:Describe*",
        "kms:Get*",
        "kms:List*"
      ],
      "Resource": "*"
    }
  ]
}
```
For more information about specifying permissions in a policy, see the AWS Key Management Service Developer Guide.
For more information about troubleshooting key access, see the AWS Key Management Service Developer Guide.
Specifying a customer managed key for WorkSpaces Thin Client
You can specify a customer managed key as a second layer of encryption for the following resources:
When you create an environment, you can specify the data key by providing a kmsKeyArn, which Amazon WorkSpaces Thin Client uses to encrypt personally identifiable data.
When a new WorkSpaces Thin Client device is added to a WorkSpaces Thin Client environment that is encrypted with a customer managed key, the device inherits the customer managed key settings from that environment.
An encryption context is an optional set of key-value pairs that contain additional contextual information about the data.
AWS KMS uses the encryption context as additional authenticated data to support authenticated encryption. When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt the data, you include the same encryption context in the request.
Amazon WorkSpaces Thin Client encryption context
Amazon WorkSpaces Thin Client uses the same encryption context in all AWS KMS cryptographic operations, where the key is aws:thinclient:arn and the value is the Amazon Resource Name (ARN) of the resource.
The following is the encryption context for an environment:
```json
"encryptionContext": {
  "aws:thinclient:arn": "arn:aws:thinclient:region:111122223333:environment/environment_ID"
}
```
The following is the encryption context for a device:
```json
"encryptionContext": {
  "aws:thinclient:arn": "arn:aws:thinclient:region:111122223333:device/device_ID"
}
```
Using encryption context for monitoring
When you use a symmetric customer managed key to encrypt your WorkSpaces Thin Client environment and device data, you can also use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context also appears in the logs generated by AWS CloudTrail or Amazon CloudWatch Logs.
Using encryption context to control access to your customer managed key
You can also use the encryption context in key policies and IAM policies to control access to your symmetric customer managed key.
The following is an example key policy statement that grants access to a customer managed key for a specific encryption context. The condition in this policy statement requires that kms:Decrypt calls include an encryption context constraint that specifies the encryption context.
```json
{
  "Sid": "Enable Decrypt to access Thin Client Environment",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"},
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEquals": {"kms:EncryptionContext:aws:thinclient:arn": "arn:aws:thinclient:region:111122223333:environment/environment_ID"}
  }
}
```
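An audit that checks a key policy for the pattern shown in the key policy section above (the service principal statement and the account-scoped wildcard statement) and for the encryption-context condition on per-role Decrypt access just shown. This is an added example, not AWS code; the policy it audits is a constructed copy of the page's statements with the account placeholder 111122223333 and a region of eu-west-1 filled in.

```python
"""Audit a KMS key policy for the WorkSpaces Thin Client statements shown above:
the service principal, the account-scoped wildcard principal, and per-role
Decrypt limited by encryption context. Added example, not AWS code."""
SERVICE = "thinclient.amazonaws.com"
CTX = "kms:EncryptionContext:aws:thinclient:arn"
_lst = lambda v: v if isinstance(v, list) else [v]  # IAM allows scalar or list

def audit_key_policy(policy: dict, account: str) -> list[str]:
    """Return findings; an empty list means the policy follows the page's pattern."""
    findings, have_service = [], False
    for st in _lst(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid, pr = st.get("Sid", "?"), st.get("Principal", {})
        acts, cond = set(_lst(st.get("Action", []))), st.get("Condition", {})
        if pr.get("Service") == SERVICE:            # the service's own statement
            have_service = True
            if not {"kms:GenerateDataKey", "kms:Decrypt"} <= acts:
                findings.append(f"{sid}: service lacks GenerateDataKey/Decrypt")
            for k in ("aws:SourceArn", CTX):         # must be scoped to this account
                if f":{account}:" not in cond.get("StringLike", {}).get(k, ""):
                    findings.append(f"{sid}: {k} not scoped to account {account}")
        elif pr.get("AWS") == "*":                   # wildcard needs kms:CallerAccount
            if cond.get("StringEquals", {}).get("kms:CallerAccount") != account:
                findings.append(f"{sid}: Principal * without kms:CallerAccount")
        elif "kms:Decrypt" in acts and "kms:*" not in acts:   # per-role Decrypt grant
            if CTX not in cond.get("StringEquals", {}):
                findings.append(f"{sid}: Decrypt not limited by encryption context")
    if not have_service:
        findings.append(f"no Allow statement for {SERVICE}")
    return findings

ACCT, REG = "111122223333", "eu-west-1"  # the page's placeholders, filled in
POLICY = {"Statement": [  # constructed copy of the page's three statements
    {"Sid": "Allow access to principals authorized to use Amazon WorkSpaces Thin Client",
     "Effect": "Allow", "Principal": {"AWS": "*"}, "Resource": "*",
     "Action": ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"],
     "Condition": {"StringEquals": {"kms:ViaService": f"thinclient.{REG}.amazonaws.com",
                                    "kms:CallerAccount": ACCT}}},
    {"Sid": "Allow Amazon WorkSpaces Thin Client service to encrypt and decrypt data",
     "Effect": "Allow", "Principal": {"Service": SERVICE}, "Resource": "*",
     "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
     "Condition": {"StringLike": {"aws:SourceArn": f"arn:aws:thinclient:{REG}:{ACCT}:*",
                                  CTX: f"arn:aws:thinclient:{REG}:{ACCT}:*"}}},
    {"Sid": "Enable Decrypt to access Thin Client Environment", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCT}:role/ExampleReadOnlyRole"},
     "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {"StringEquals": {CTX: f"arn:aws:thinclient:{REG}:{ACCT}:environment/environment_ID"}}},
]}
```

Running the audit against the same policy with a different account id reports the wildcard and service statements as not scoped to that account, which is the misconfiguration to look for when a key is shared across accounts.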
Monitoring your encryption keys for Amazon WorkSpaces Thin Client
When you use an AWS KMS customer managed key with your Amazon WorkSpaces Thin Client resources, you can use AWS CloudTrail or Amazon CloudWatch Logs to track the requests that Amazon WorkSpaces Thin Client sends to AWS KMS.
The following examples are AWS CloudTrail events for DescribeKey, GenerateDataKey, and Decrypt, which you can use to monitor the KMS operations that Amazon WorkSpaces Thin Client calls to access data encrypted by your customer managed key:
In the following examples, you can see the encryptionContext for a WorkSpaces Thin Client environment. Similar CloudTrail events are logged for WorkSpaces Thin Client devices.
DescribeKey
Amazon WorkSpaces Thin Client uses the DescribeKey operation to verify the AWS KMS customer managed key.
The following example event records the DescribeKey operation:
```json
{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "attributes": {
        "creationDate": "2024-04-08T13:43:33Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "thinclient.amazonaws.com"
  },
  "eventTime": "2024-04-08T13:44:22Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DescribeKey",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "thinclient.amazonaws.com",
  "userAgent": "thinclient.amazonaws.com",
  "requestParameters": {"keyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"},
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
```
GenerateDataKey
Amazon WorkSpaces Thin Client uses the GenerateDataKey operation to encrypt data.
The following example event records the GenerateDataKey operation:
```json
{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "attributes": {
        "creationDate": "2024-04-08T12:21:03Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "thinclient.amazonaws.com"
  },
  "eventTime": "2024-04-08T13:03:56Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "thinclient.amazonaws.com",
  "userAgent": "thinclient.amazonaws.com",
  "requestParameters": {
    "keyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
    "encryptionContext": {
      "aws-crypto-public-key": "ABC123def4567890abc12345678/90dE/F123abcDEF+4567890abc123D+ef1==",
      "aws:thinclient:arn": "arn:aws:thinclient:eu-west-1:111122223333:environment/abcSAMPLE"
    },
    "numberOfBytes": 32
  },
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "sharedEventID": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
  "vpcEndpointId": "vpce-1234abcd567SAMPLE",
  "vpcEndpointAccountId": "thinclient.amazonaws.com",
  "eventCategory": "Management"
}
```
GenerateDataKey (by service)
When Amazon WorkSpaces Thin Client stores device information, it uses the GenerateDataKey operation to encrypt the data. The GenerateDataKey operation is allowed by the KMS key policy statement whose Sid is "Allow Amazon WorkSpaces Thin Client service to encrypt and decrypt data".
The following example event records the GenerateDataKey operation:
```json
{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AWSService",
    "invokedBy": "thinclient.amazonaws.com"
  },
  "eventTime": "2024-04-08T13:03:56Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "thinclient.amazonaws.com",
  "userAgent": "thinclient.amazonaws.com",
  "requestParameters": {
    "keyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
    "encryptionContext": {
      "aws-crypto-public-key": "ABC123def4567890abc12345678/90dE/F123abcDEF+4567890abc123D+ef1==",
      "aws:thinclient:arn": "arn:aws:thinclient:eu-west-1:111122223333:environment/abcSAMPLE"
    },
    "numberOfBytes": 32
  },
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "sharedEventID": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
  "vpcEndpointId": "vpce-1234abcd567SAMPLE",
  "vpcEndpointAccountId": "thinclient.amazonaws.com",
  "eventCategory": "Management"
}
```
Decrypt
Amazon WorkSpaces Thin Client uses the Decrypt operation to decrypt data.
The following example event records the Decrypt operation:
```json
{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "attributes": {
        "creationDate": "2024-04-08T13:43:33Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "thinclient.amazonaws.com"
  },
  "eventTime": "2024-04-08T13:44:25Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "thinclient.amazonaws.com",
  "userAgent": "thinclient.amazonaws.com",
  "requestParameters": {
    "keyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
    "encryptionContext": {
      "aws-crypto-public-key": "ABC123def4567890abc12345678/90dE/F123abcDEF+4567890abc123D+ef1==",
      "aws:thinclient:arn": "arn:aws:thinclient:eu-west-1:111122223333:environment/abcSAMPLE"
    },
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
  },
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "sharedEventID": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
  "vpcEndpointId": "vpce-1234abcd567SAMPLE",
  "vpcEndpointAccountId": "thinclient.amazonaws.com",
  "eventCategory": "Management"
}
```
Decrypt (by service)
When a WorkSpaces Thin Client device accesses environment or device information, the Decrypt operation is used to decrypt the data. The Decrypt operation is allowed by the KMS key policy statement whose Sid is "Allow Amazon WorkSpaces Thin Client service to encrypt and decrypt data".
The following example event records the Decrypt operation authorized through a grant:
```json
{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AWSService",
    "invokedBy": "thinclient.amazonaws.com"
  },
  "eventTime": "2024-04-08T13:44:25Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "thinclient.amazonaws.com",
  "userAgent": "thinclient.amazonaws.com",
  "requestParameters": {
    "keyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
    "encryptionContext": {
      "aws-crypto-public-key": "ABC123def4567890abc12345678/90dE/F123abcDEF+4567890abc123D+ef1==",
      "aws:thinclient:arn": "arn:aws:thinclient:eu-west-1:111122223333:environment/abcSAMPLE"
    },
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
  },
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "sharedEventID": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
  "vpcEndpointId": "vpce-1234abcd567SAMPLE",
  "vpcEndpointAccountId": "thinclient.amazonaws.com",
  "eventCategory": "Management"
}
```
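Triage logic run over CloudTrail records shaped like the events above: it keeps the KMS calls made on behalf of the service, attributes successful data-key operations to an environment or device through the aws:thinclient:arn encryption context, and surfaces AccessDenied results, which are what you see after removing the service's access to the key. This is an added example, not part of the AWS documentation; the records are constructed and trimmed to the fields the triage reads, and the device ARN and the AccessDenied record are constructed.

```python
"""Triage CloudTrail KMS events recorded for Amazon WorkSpaces Thin Client, as
described above. Added example, not AWS code; the events are constructed to
mirror the page's samples, trimmed to the fields this triage uses."""
from collections import Counter

SERVICE = "thinclient.amazonaws.com"
CTX_KEY = "aws:thinclient:arn"
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
ENV_ARN = "arn:aws:thinclient:eu-west-1:111122223333:environment/abcSAMPLE"
DEV_ARN = "arn:aws:thinclient:eu-west-1:111122223333:device/deviceSAMPLE"  # constructed

def _event(name, arn=None, identity="AWSService", error=None):
    """Constructed minimal CloudTrail record shaped like the samples above."""
    ev = {"eventSource": "kms.amazonaws.com", "eventName": name,
          "userIdentity": {"type": identity, "invokedBy": SERVICE},
          "requestParameters": {"keyId": KEY_ARN,
                                "encryptionContext": {CTX_KEY: arn} if arn else {}},
          "recipientAccountId": "111122223333"}
    if error:                       # CloudTrail adds errorCode when KMS rejects a call
        ev["errorCode"] = error
    return ev

EVENTS = [
    _event("DescribeKey", identity="AssumedRole"),
    _event("GenerateDataKey", ENV_ARN),
    _event("Decrypt", ENV_ARN),
    _event("Decrypt", DEV_ARN),
    _event("Decrypt", ENV_ARN, error="AccessDenied"),  # service lost key access
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},  # unrelated noise
]

def thinclient_kms_events(events):
    """Keep only KMS calls made on behalf of WorkSpaces Thin Client."""
    return [e for e in events if e.get("eventSource") == "kms.amazonaws.com"
            and e.get("userIdentity", {}).get("invokedBy") == SERVICE]

def usage_by_resource(events):
    """Count successful data-key operations per environment/device ARN, taken
    from the encryption context, which is how the page ties key use to a resource."""
    counts = Counter()
    for e in thinclient_kms_events(events):
        if e["eventName"] in ("GenerateDataKey", "Decrypt") and "errorCode" not in e:
            ctx = e.get("requestParameters", {}).get("encryptionContext", {})
            counts[(ctx.get(CTX_KEY, "<no context>"), e["eventName"])] += 1
    return counts

def access_denied(events):
    """(eventName, resource ARN) of calls KMS rejected: the symptom described
    above when the key policy no longer allows the service to use the key."""
    return [(e["eventName"], e["requestParameters"]["encryptionContext"].get(CTX_KEY))
            for e in thinclient_kms_events(events) if e.get("errorCode") == "AccessDenied"]
```

A "<no context>" bucket in the usage counts would mean a data-key call that did not carry the aws:thinclient:arn context the service always sets, which is worth investigating as a call that did not originate from the service.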
Learn more
The following resources provide more information about data encryption at rest: