Amazon 如何在 AWS KMS 中 DataZone 使用补助金创建客户托管密钥为 Amazon 指定客户托管密钥 DataZone Amazon DataZone 加密环境监控您的 Amazon 加密密钥 DataZone 创建涉及加密 AWS Glue 目录的数据湖环境

Amazon 的静态数据加密 DataZone

默认情况下，静态数据加密有助于降低保护敏感数据的操作开销和复杂性。同时，它还支持构建符合严格加密合规性和监管要求的安全应用程序。

Amazon DataZone 使用默认 AWS拥有的密钥自动加密您的静态数据。您无法查看、管理或审核 AWS 自有密钥的使用情况。有关更多信息，请参阅 AWS 拥有的密钥。

虽然您无法禁用此加密层或选择其他加密类型，但您可以在创建 Amazon DataZone 域名时选择客户管理的密钥。Amazon DataZone 支持使用您可以创建、拥有和管理的对称客户托管密钥。由于您可以完全控制加密，因此可以执行以下任务：

建立和维护密钥政策
创建和维护 IAM 策略和授权
启用和禁用密钥政策
轮换密钥加密材料
添加标签
创建密钥别名
计划密钥删除

要使用自己的密钥，请在创建 Amazon DataZone 域名时选择客户托管密钥。

有关更多信息，请参阅客户自主管理型密钥。

注意

Amazon 使用 AWS 自有密钥 DataZone 自动启用静态加密，从而免费保护客户数据。

AWS 使用客户托管密钥需支付 KMS 费用。有关定价的更多信息，请参阅 AWS Key Management Service 定价。

Amazon 如何在 AWS KMS 中 DataZone 使用补助金

Amazon DataZone 需要两项授权才能使用您的客户托管密钥。当您创建使用客户托管密钥加密的亚马逊 DataZone 域名时，亚马逊 DataZone 会通过向 AWS KMS 发送CreateGrant请求来代表您创建授权。 AWS KMS 中的赠款用于授予亚马逊 DataZone 访问您账户中的 KMS 密钥的权限。Amazon DataZone 创建以下授权，以使用您的客户托管密钥进行以下内部操作：

一项用于为以下操作加密静态数据的授权：

向 AWS KMS 发送DescribeKey请求，以验证在创建 Amazon DataZone 域时输入的对称客户托管 KMS 密钥 ID 是否有效。
发送GenerateDataKey到 AWS KMS 以生成由您的客户托管密钥加密的数据密钥。
发送解密请求使 Amazon DataZone 能够解密存储的数据。
RetireGrant在删除域名时取消授权。

一项用于搜索和发现您的数据的资助：

DescribeKey-提供客户托管的密钥详情， DataZone允许亚马逊验证密钥。
解密-允许 Amazon DataZone 解密存储的数据。

您可以随时撤销对客户托管密钥的授予的访问权限。如果您这样做，Amazon 将 DataZone 无法访问由客户托管密钥加密的任何数据，这会影响依赖该数据的操作。

创建客户托管密钥

您可以使用管理控制台或 KMS 创建对称客户托管 AWS 密钥 APIs。 AWS

要创建对称客户托管密钥，请按照《密钥管理服务开发人员指南》中创建对称客户托管 AWS 密钥的步骤进行操作。

密钥政策 – 密钥政策控制对客户自主管理型密钥的访问。每个客户托管式密钥必须只有一个密钥策略，其中包含确定谁可以使用密钥以及如何使用密钥的声明。创建客户托管式密钥时，可以指定密钥策略。有关更多信息，请参阅《密钥管理服务开发人员指南》中的管理客户托管密 AWS 钥的访问权限。

要将您的客户托管密钥与您的 Amazon DataZone 资源一起使用，密钥政策中必须允许以下 API 操作：

kms: CreateGrant — 向客户托管密钥添加授权。授予对指定 KMS 密钥的控制访问权限，从而允许访问授予 Amazon DataZone 要求的操作。有关使用授权的更多信息，请参阅 AWS 密钥管理服务开发人员指南。
kms: DescribeKey — 提供客户托管密钥详细信息以允许 Amazon DataZone 验证密钥。
kms: GenerateDataKey — 返回一个唯一的对称数据密钥以供在 AWS KMS 之外使用。
kms:Decrypt – 解密已通过 KMS 密钥加密的加密文字。

以下是您可以为 Amazon 添加的政策声明示例 DataZone：



"Statement": [
    {
      "Sid": "Enable IAM User Permissions for DescribeKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID"
    },
    {
      "Sid": "Allow access to principals authorized to manage Amazon DataZone",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:datazone:domainId"
        }
      }
    },
    {
      "Sid": "Allow creating grants when creating an Amazon DataZone for all principals in the account that are authorized to manage Amazon DataZone",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
      "Condition": {
        "StringLike": {
          "kms:CallerAccount": "111122223333",
          "kms:ViaService": "datazone.region.amazonaws.com"
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        },
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:datazone:domainId"
        }
      }
    }
]

注意

通过域名执行角色主体，Amazon DataZone 数据门户有权访问您的客户托管密钥。

有关在策略中指定权限的更多信息，请参阅 AWS 密钥管理服务开发人员指南。

有关密钥访问疑难解答的更多信息，请参阅 AWS 密钥管理服务开发人员指南。

为 Amazon 指定客户托管密钥 DataZone

在创建域时，您可以将客户托管密钥指定为第二层加密。

Amazon DataZone 加密环境

加密上下文是一组可选的键值对，包含有关数据的其他上下文信息。

AWS KMS 使用加密上下文作为额外的经过身份验证的数据来支持经过身份验证的加密。当您在加密数据的请求中包含加密上下文时， AWS KMS 会将加密上下文绑定到加密数据。要解密数据，您必须在请求中包含相同的加密上下文。

Amazon DataZone 使用以下加密环境：



"encryptionContextSubset": {
    "aws:datazone:domainId": "{dzd_samleid}"
}

使用加密环境进行监控-当您使用对称客户托管密钥加密 Amazon 时 DataZone，您还可以在审计记录和日志中使用加密上下文来识别客户托管密钥的使用情况。加密上下文还会显示在 AWS CloudTrail 或 Amazon Logs 生成的 CloudWatch 日志中。

使用加密上下文控制对客户自主管理型密钥的访问 – 您可以使用密钥策略和 IAM 策略中的加密上下文作为条件来控制对您的对称客户自主管理型密钥的访问。您也可以在授予中使用加密上下文约束。

Amazon 在授权中 DataZone 使用加密上下文限制来控制对您账户或地区中客户托管密钥的访问权限。授权约束要求授权允许的操作使用指定的加密上下文。

以下是密钥政策声明示例，用于授予对特定加密上下文的客户托管密钥的访问权限。



 {
      "Sid": "Enable DescribeKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
      },
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID"
    },
    {
      "Sid": "Allow access to principal to manage an Amazon DataZone domain with the given domain id",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:datazone:domainId": "dzd_sampleid"
        }
      }
    },
    {
      "Sid": "Allow creating grants when creating an Amazon DataZone domain to principal",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
      },
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
      "Condition": {
        "StringLike": {
          "kms:CallerAccount": "111122223333",
          "kms:ViaService": "datazone.region.amazonaws.com"
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        },
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:datazone:domainId"
        }
      }
    }

监控您的 Amazon 加密密钥 DataZone

当您在亚马逊 DataZone 资源中使用 AWS KMS 客户托管密钥时，您可以使用AWS CloudTrail来跟踪亚马逊 DataZone 向 AWS KMS 发送的请求。以下示例是CreateGrant、GenerateDataKeyDecrypt、和RetireGrant监控 Amazon DataZone 为访问由您的客户托管密钥加密的数据而调用的 KMS 操作 AWS CloudTrail 的事件。

CreateGrant

当您使用 AWS KMS 客户托管密钥加密您的亚马逊 DataZone 域名时，亚马逊 DataZone 会代表您发送访问您 AWS 账户中的 KMS 密钥的CreateGrant请求。Amazon DataZone 创建的授权特定于与 AWS KMS 客户托管密钥关联的资源。此外，当您删除域名时，Amazon 会 DataZone 使用该RetireGrant操作来删除授权。

以下示例事件记录了 CreateGrant 操作：



{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Example/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Example",
                "accountId": "111122223333",
                "userName": "Example"
            },
            "attributes": {
                "creationDate": "2024-04-22T17:02:00Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T17:02:00Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "retiringPrincipal": "datazone.us-east-2.amazonaws.com",
        "operations": [
            "GenerateDataKey",
            "RetireGrant",
            "DescribeKey",
            "Decrypt"
        ],
        "granteePrincipal": "datazone.us-east-2.amazonaws.com",
        "constraints": {
            "encryptionContextSubset": {
                "aws:datazone:domainId": "dzd_sampleid"
            }
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
}



{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Example/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Example",
                "accountId": "111122223333",
                "userName": "Example"
            },
            "attributes": {
                "creationDate": "2024-04-22T17:10:00Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T17:49:00Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "retiringPrincipal": "datazone.us-east-2.amazonaws.com",
        "operations": [
            "DescribeKey",
            "Decrypt"
        ],
        "granteePrincipal": "datazone.us-east-2.amazonaws.com",
        "constraints": {
            "encryptionContextSubset": {
                "aws:datazone:domainId": "dzd_sampleid"
            }
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
}

GenerateDataKey

当您为亚马逊 DataZone 域名启用 AWS KMS 客户托管密钥时，亚马逊 DataZone 会生成数据密钥。它向 AWS KMS 发送GenerateDataKey请求，指定该域的 AWS KMS 客户托管密钥。

以下示例事件记录了该 GenerateDataKey 操作：



{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:AmazonSageMakerDomainExecution",
        "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMakerDomainExecution/AmazonSageMakerDomainExecution",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/service-role/AmazonSageMakerDomainExecution",
                "accountId": "111122223333",
                "userName": "AmazonSageMakerDomainExecution"
            },
            "attributes": {
                "creationDate": "2024-04-22T19:50:39Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T19:50:40Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "keySpec": "AES_256",
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "V": "2024-04-22T17:49:12.98177136Z|cacf3df7-7b99-49f6-ae14-sample",
            "version": "0",
            "N": "dzd_sampleid|arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
            "*aws-kms-table*": "awsdatazoneroaring-data-store-datakeys-prod-us-east-2"
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}



{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2024-04-22T19:50:40Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "aws:s3:arn": "arn:aws:s3:::amazon-datazone-us-east-2-422ceee9465430bdb354d1c9efsample"
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
        "keySpec": "AES_256"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventCategory": "Management"
}

Decrypt

当您访问加密的 Amazon DataZone 域名时，Amazon 会 DataZone 调用该Decrypt操作以使用存储的加密数据密钥来访问加密数据。

以下示例事件记录了 Decrypt 操作：



{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:AmazonSageMakerDomainExecution",
        "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMakerDomainExecution/AmazonSageMakerDomainExecution",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/service-role/AmazonSageMakerDomainExecution",
                "accountId": "111122223333",
                "userName": "AmazonSageMakerDomainExecution"
            },
            "attributes": {
                "creationDate": "2024-04-22T19:50:39Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T19:51:54Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "V": "2024-04-22T17:49:12.98177136Z|cacf3df7-7b99-49f6-ae14-sample",
            "version": "0",
            "N": "dzd_sampleid|arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
            "*aws-kms-table*": "awsdatazoneroaring-data-store-datakeys-prod-us-east-2"
        }
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}



{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T19:51:54Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "V": "2024-04-22T17:49:12.98177136Z|cacf3df7-7b99-49f6-ae14-sample",
            "version": "0",
            "N": "dzd_sampleid|arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
            "*aws-kms-table*": "awsdatazoneroaring-data-store-datakeys-prod-us-east-2"
        },
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventCategory": "Management"
}



{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2024-04-22T19:51:54Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "aws:s3:arn": "arn:aws:s3:::amazon-datazone-us-east-2-422ceee9465430bdb354d1c9efsample"
        }
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventCategory": "Management"
}

RetireGrant

以下示例事件记录了 RetireGrant 操作：



{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2025-04-29T22:18:50Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "RetireGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": null,
    "responseElements": {
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "additionalEventData": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE"
    },
    "requestID": "294308c0-7617-4727-b5c9-34eaf75aa8e3",
    "eventID": "273708f7-5fbb-3a90-b04d-2b3138bf0ec9",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "b46377d7-b3c3-4bfd-a257-722bd3f3411d",
    "eventCategory": "Management"
}

创建涉及加密 AWS Glue 目录的数据湖环境

在高级用例中，当您使用加密的 AWS Glue 目录时，必须授予对 Amazon DataZone 服务的访问权限才能使用您的客户管理的 KMS 密钥。您可以通过更新自定义 KMS 策略并在密钥中添加标签来完成此操作。要授予访问亚马逊 DataZone 服务的权限以处理加密 AWS Glue 目录中的数据，请完成以下操作：

将以下策略添加到您的自定义 KMS 密钥。有关更多信息，请参阅更改密钥政策。

重要

您必须使用要"aws:PrincipalArn" ARNs IDs 在其中创建环境的账户修改策略中的。您要在其中创建环境的每个账户都必须在策略中列为"aws:PrincipalArn"。
您还必须<GLUE_CATALOG_ID>使用您的 AWS Glue 目录所在的有效 AWS 账户 ID 进行替换。
请注意，此政策向指定账户中的所有 Amazon DataZone 环境用户角色授予使用密钥的权限。如果您只想允许特定的环境用户角色使用密钥，则必须指定整个环境用户角色名称（例如，arn:aws:iam::<ENVIRONMENT_ACCOUNT_ID>:role/datazone_usr_<ENVIRONMENT_ID>（其中<ENVIRONMENT_ID>是环境的 ID），而不是通配符格式。

将以下标签添加到您的自定义 KMS 密钥。有关更多信息，请参阅使用标签控制对 KMS 密钥的访问。
```
key: AmazonDataZoneEnvironment
value: all 
          
```

Javascript 在您的浏览器中被禁用或不可用。

要使用 Amazon Web Services 文档，必须启用 Javascript。请参阅浏览器的帮助页面以了解相关说明。

文档惯例

数据保护

使用适用于亚马逊的接口 VPC 终端节点 DataZone