

This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

# Monitoring encryption keys
<a name="monitor-keys"></a>

Amazon Chime SDK Voice Connectors send requests to AWS KMS, and you can track those requests in CloudTrail or CloudWatch Logs.

------
#### [ CreateGrant ]

When you create a voice profile domain resource with a customer managed key, the associated Voice Connector sends a `CreateGrant` request on your behalf to access the KMS key in your AWS account. The grant that the Voice Connector creates is specific to the resource associated with the customer managed key. When you delete the resource, the Voice Connector also uses the `RetireGrant` operation to remove the grant.

The following example records a `CreateGrant` operation.

```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "{{AROAIGDTESTANDEXAMPLE}}:{{Sampleuser01}}",
        "arn": "arn:aws:sts::{{111122223333}}:assumed-role/Admin/{{Sampleuser01}}",
        "accountId": "{{111122223333}}",
        "accessKeyId": "{{AKIAIOSFODNN7EXAMPLE3}}",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "{{AROAIGDTESTANDEXAMPLE}}:{{Sampleuser01}}",
                "arn": "arn:aws:sts::{{111122223333}}:assumed-role/Admin/{{Sampleuser01}}",
                "accountId": "{{111122223333}}",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "{{2021-04-22T17:02:00Z}}"
            }
        },
        "invokedBy": "AWS Internal"
    },
    "eventTime": "{{2021-04-22T17:07:02Z}}",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "{{ExampleDesktop}}/1.0 (V1; OS)",
    "requestParameters": {
        "constraints": {
            "encryptionContextSubset": {
                "aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:{{111122223333}}:voice-profile-domain/sample-domain-id"
            }
        },
        "retiringPrincipal": "chimevoiceconnector.region.amazonaws.com",
        "operations": [
            "GenerateDataKey",
            "Decrypt",
            "DescribeKey",
            "RetireGrant"
        ],
        "keyId": "arn:aws:kms:us-west-2:{{111122223333}}:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
        "granteePrincipal": "chimevoiceconnector.region.amazonaws.com"
    },
    "responseElements": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE"
    },
    "requestID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "eventID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "readOnly": false,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "{{111122223333}}"
}
```

------
#### [ GenerateDataKey ]

When you create a voice profile domain and assign a customer managed key to it, the associated Voice Connector creates a unique data key to encrypt each speaker's enrollment audio. The Voice Connector sends a `GenerateDataKey` request to AWS KMS that specifies the key for the resource.

The following example records a `GenerateDataKey` operation.

```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "{{2021-04-22T17:07:02Z}}",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "{{ExampleDesktop}}/1.0 (V1; OS)",
    "requestParameters": {
        "encryptionContext": {
            "aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:{{111122223333}}:{{voice-profile-domain}}/{{sample-domain-id}}"
        },
        "keySpec": "AES_256",
        "keyId": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-123456SAMPLE}}"
    },
    "responseElements": null,
    "requestID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "eventID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "readOnly": true,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-123456SAMPLE}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "{{111122223333}}",
    "sharedEventID": "{{57f5dbee-16da-413e-979f-2c4c6663475e}}"
}
```

------
#### [ Decrypt ]

When a voice profile in a voice profile domain needs its voice print upgraded because of a newer speech-recognition model, the associated Voice Connector calls the `Decrypt` operation, using the stored encrypted data key to access the encrypted data.

The following example records a `Decrypt` operation.

```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "{{2021-10-12T23:59:34Z}}",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "{{ExampleDesktop}}/1.0 (V1; OS)",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:{{111122223333}}:key/44444444-3333-2222-1111-EXAMPLE11111",
        "encryptionContext": {
            "aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:{{111122223333}}:{{voice-profile-domain}}/{{sample-domain-id}}"
        },
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "ed0fe4ab-305b-4388-8adf-7e8e3a4e80fe",
    "eventID": "31d0d7c6-ce5b-4caf-901f-025bf71241f6",
    "readOnly": true,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{00000000-1111-2222-3333-9999999999999}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "{{111122223333}}",
    "sharedEventID": "{{35d58aa1-26b2-427a-908f-025bf71241f6}}",
    "eventCategory": "Management"
}
```

------
#### [ DescribeKey ]

Voice Connectors use the `DescribeKey` operation to verify that the key associated with the voice profile domain exists in the account and Region.

The following example records a `DescribeKey` operation.

```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "{{AROAIGDTESTANDEXAMPLE}}:{{Sampleuser01}}",
        "arn": "arn:aws:sts::{{111122223333}}:assumed-role/Admin/{{Sampleuser01}}",
        "accountId": "{{111122223333}}",
        "accessKeyId": "{{AKIAIOSFODNN7EXAMPLE3}}",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "{{AROAIGDTESTANDEXAMPLE}}:{{Sampleuser01}}",
                "arn": "arn:aws:sts::{{111122223333}}:assumed-role/Admin/{{Sampleuser01}}",
                "accountId": "{{111122223333}}",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "{{2021-04-22T17:02:00Z}}"
            }
        },
        "invokedBy": "AWS Internal"
    },
    "eventTime": "{{2021-04-22T17:07:02Z}}",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "{{ExampleDesktop}}/1.0 (V1; OS)",
    "requestParameters": {
        "keyId": "{{00dd0db0-0000-0000-ac00-b0c000SAMPLE}}"
    },
    "responseElements": null,
    "requestID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "eventID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "readOnly": true,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-123456SAMPLE}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "{{111122223333}}"
}
```

------
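The four event types above are what a defender would expect to see against a customer managed key used by a voice profile domain. The following is an added example, not code from the Amazon Chime SDK documentation: it reviews a batch of CloudTrail records, summarises which of those KMS operations touched each key, and flags a `CreateGrant` that is not issued to the Voice Connector service principal or not constrained to a voice profile domain encryption context, or a `GenerateDataKey`/`Decrypt` whose encryption context lacks the domain ARN. The records are constructed inline and modelled on the samples on this page; the service-principal prefix and the `aws:chime:voice-profile-domain:arn` context key are taken from those samples.

```python
# Operations this page says a Voice Connector issues against a customer managed key.
VOICE_CONNECTOR_OPS = {"CreateGrant", "GenerateDataKey", "Decrypt", "DescribeKey", "RetireGrant"}
# Prefix of the granteePrincipal seen in the CreateGrant sample above.
CHIME_VC_PRINCIPAL_PREFIX = "chimevoiceconnector."
VPD_CONTEXT_KEY = "aws:chime:voice-profile-domain:arn"

def review_kms_events(records):
    """Return (summary, findings) for KMS CloudTrail records on a Voice Connector key.

    summary maps keyId -> sorted list of eventNames observed.
    findings lists the conditions a reviewer would want to inspect.
    """
    summary, findings = {}, []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # not a KMS event
        name = rec.get("eventName")
        if name not in VOICE_CONNECTOR_OPS:
            continue
        params = rec.get("requestParameters") or {}
        key_id = params.get("keyId") or (rec.get("resources") or [{}])[0].get("ARN", "unknown")
        summary.setdefault(key_id, set()).add(name)
        if name == "CreateGrant":
            grantee = params.get("granteePrincipal", "")
            subset = (params.get("constraints") or {}).get("encryptionContextSubset") or {}
            if not grantee.startswith(CHIME_VC_PRINCIPAL_PREFIX):
                findings.append(f"CreateGrant on {key_id}: grantee {grantee!r} is not the Voice Connector service")
            if VPD_CONTEXT_KEY not in subset:
                findings.append(f"CreateGrant on {key_id}: grant is not constrained to a voice profile domain")
        elif name in ("GenerateDataKey", "Decrypt"):
            ctx = params.get("encryptionContext") or {}
            if VPD_CONTEXT_KEY not in ctx:
                findings.append(f"{name} on {key_id}: no voice profile domain in encryption context")
    return {k: sorted(v) for k, v in summary.items()}, findings

# Constructed sample records (placeholder account, key and domain ids), modelled on the page's samples.
KEY = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
DOMAIN = "arn:aws:chime:us-west-2:111122223333:voice-profile-domain/sample-domain-id"
SAMPLE_RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "requestParameters": {"keyId": KEY, "granteePrincipal": "chimevoiceconnector.region.amazonaws.com",
                           "constraints": {"encryptionContextSubset": {VPD_CONTEXT_KEY: DOMAIN}}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "requestParameters": {"keyId": KEY, "keySpec": "AES_256", "encryptionContext": {VPD_CONTEXT_KEY: DOMAIN}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey", "requestParameters": {"keyId": KEY}},
    # An unconstrained grant to a different principal: this is what the review should surface.
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "requestParameters": {"keyId": KEY, "granteePrincipal": "arn:aws:iam::111122223333:role/Other"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},  # not KMS, ignored
]
```

Running `review_kms_events(SAMPLE_RECORDS)` reports the three expected operations on the key and two findings, both for the last `CreateGrant` record.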