需要认证才能使用 AWS KMS 密钥
以下 AWS Key Management Service(AWS KMS)密钥策略允许 AWS Nitro Enclave 实例仅在请求中的 Enclave 认证文档所包含的度量值(Enclave 镜像的 SHA-384 摘要以及各个 PCR 值)与条件语句中的测量值匹配时才使用 KMS 密钥。由于 kms:RecipientAttestation 条件键只在请求携带认证文档时才存在,不包含认证文档的请求不满足该条件而被拒绝,因此本策略仅允许受信任的 Enclave 解密数据。有关本策略如何帮助保护组织中的隐私和个人数据的更多信息,请参阅本指南中的 AWS Nitro Enclaves。有关可在密钥策略和 AWS Identity and Access Management(IAM)策略中使用的 AWS KMS 条件键的完整列表,请参阅 Condition keys for AWS KMS。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Enable enclave data processing", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/data-processing" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateRandom" ], "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "kms:RecipientAttestation:ImageSha384": "EXAMPLE8abcdef7abcdef6abcdef5abcdef4abcdef3abcdef2abcdef1abcdef1abcdef0abcdef1abcdEXAMPLE", "kms:RecipientAttestation:PCR0": "EXAMPLEbc2ecbb68ed99a13d7122abfc0666b926a79d5379bc58b9445c84217f59cfdd36c08b2c79552928702EXAMPLE", "kms:RecipientAttestation:PCR1": "EXAMPLE050abf6b993c915505f3220e2d82b51aff830ad14cbecc2eec1bf0b4ae749d311c663f464cde9f718aEXAMPLE", "kms:RecipientAttestation:PCR2": "EXAMPLEc300289e872e6ac4d19b0b5ac4a9b020c98295643ff3978610750ce6a86f7edff24e3c0a4a445f2ff8EXAMPLE", "kms:RecipientAttestation:PCR3": "EXAMPLE11de9baee597508183477f097ae385d4a2c885aa655432365b53b812694e230bbe8e1bb1b8de748fe1EXAMPLE", "kms:RecipientAttestation:PCR4": "EXAMPLE6b9b3d89a53b13f5dfd14a1049ec0b80a9ae4b159adde479e9f7f512f33e835a0b9023ca51ada02160EXAMPLE", "kms:RecipientAttestation:PCR8": "EXAMPLE34a884328944cd806127c7784677ab60a154249fd21546a217299ccfa1ebfe4fa96a163bf41d3bcfaeEXAMPLE" } } } ] }