

This page is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

# Encryption at rest in AWS Verified Access
<a name="encryption-at-rest"></a>

By default, AWS Verified Access encrypts data at rest using AWS owned KMS keys. Encrypting data at rest by default reduces the operational overhead and complexity of protecting sensitive data, and it lets you build secure applications that meet strict encryption compliance and regulatory requirements. The following sections describe how Verified Access uses KMS keys for encryption at rest.

**Topics**
+ [Verified Access and KMS keys](#kms-keys)
+ [Personally identifiable information](#types-of-pii)
+ [How AWS Verified Access uses grants in AWS KMS](#encryption-grant)
+ [Using customer managed keys with Verified Access](#using-cmk)
+ [Specifying a customer managed key for Verified Access resources](#enable-additional-encryption)
+ [AWS Verified Access encryption context](#encryption-context)
+ [Monitoring your encryption keys for AWS Verified Access](#monitor-key-use)

## Verified Access and KMS keys
<a name="kms-keys"></a>

**AWS owned keys**  
Verified Access uses AWS owned KMS keys to automatically encrypt personally identifiable information (PII). This is the default behavior: you cannot view, manage, or use AWS owned keys, and you cannot audit their use. However, you do not need to take any action or change any procedure to protect the keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*.

Although you cannot disable this layer of encryption or choose a different encryption type, you can add a second layer of encryption on top of the existing AWS owned key by choosing a customer managed key when you create a Verified Access resource.

**Customer managed keys**  
Verified Access supports the use of symmetric customer managed keys that you create and manage to add a second layer of encryption over the existing default encryption. Because you have full control over this layer of encryption, you can perform tasks such as:
+ Establishing and maintaining key policies
+ Establishing and maintaining IAM policies and grants
+ Enabling and disabling key policies
+ Rotating key cryptographic material
+ Adding tags
+ Creating key aliases
+ Scheduling keys for deletion

For more information, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*.

**Note**  
Verified Access automatically enables encryption at rest using AWS owned keys to protect personally identifiable data at no charge.  
However, AWS KMS charges apply when you use a customer managed key. For more information about pricing, see [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/).

## Personally identifiable information
<a name="types-of-pii"></a>

The following table summarizes the personally identifiable information (PII) that Verified Access uses and how it is encrypted.


| Data type | Encryption with AWS owned keys | Encryption with customer managed keys (optional) | 
| --- | --- | --- | 
| Trust provider (user-type). A user-type trust provider contains OIDC options such as `AuthorizationEndpoint`, `UserInfoEndpoint`, `ClientId`, and `ClientSecret`, which are considered PII. | Enabled | Enabled | 
| Trust provider (device-type). A device-type trust provider contains a `TenantId`, which is considered PII. | Enabled | Enabled | 
| Group policy. Provided when you create or modify a Verified Access group. Contains the rules that authorize access requests and may contain PII such as user names and email addresses. | Enabled | Enabled | 
| Endpoint policy. Provided when you create or modify a Verified Access endpoint. Contains the rules that authorize access requests and may contain PII such as user names and email addresses. | Enabled | Enabled | 

## How AWS Verified Access uses grants in AWS KMS
<a name="encryption-grant"></a>

Verified Access requires a [grant](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in order to use your customer managed key.

When you create a Verified Access resource that is encrypted with a customer managed key, Verified Access creates a grant on your behalf by sending a [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS. Grants in AWS KMS are used to give Verified Access access to the customer managed key in your account.

Verified Access requires the grant in order to use your customer managed key for the following internal operations:
+ Sending [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) requests to AWS KMS to decrypt the encrypted data keys so that they can be used to decrypt your data.
+ Sending [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) requests to AWS KMS to delete the grant.

The `CreateGrant` event in the CloudTrail examples later on this page shows the grant being created with the `Decrypt`, `RetireGrant`, and `GenerateDataKey` operations, constrained to the encryption context of the resource it was created for.

You can revoke access to the grant, or remove the service's access to the customer managed key, at any time. If you do, Verified Access will be unable to access any data encrypted by the customer managed key, which affects operations that depend on that data.

## Using customer managed keys with Verified Access
<a name="using-cmk"></a>

You can create a symmetric customer managed key using the AWS Management Console or the AWS KMS API. Follow the steps in [Creating symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-symmetric-cmk.html) in the *AWS Key Management Service Developer Guide*.

**Key policy**

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see [Key policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*.

To use your customer managed key with your Verified Access resources, the following API operations must be permitted in the key policy:
+ `[kms:CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)` – Adds a grant to the customer managed key. Grants control access to the specified KMS key, which allows access to the [grant operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) that Verified Access requires. For more information, see [Grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in the *AWS Key Management Service Developer Guide*.

  This allows Verified Access to do the following:
  + Call `GenerateDataKeyWithoutPlaintext` to generate an encrypted data key and store it, because the data key is not used to encrypt immediately.
  + Call `Decrypt` to use the stored encrypted data key to access the encrypted data.
  + Set up a retiring principal so that the service can call `RetireGrant`.
+ `[kms:DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)` – Provides the customer managed key details so that Verified Access can validate the key.
+ `[kms:GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)` – Allows Verified Access to use the key to encrypt data.
+ `[kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)` – Allows Verified Access to decrypt the encrypted data key.

The following is an example key policy that you can use for Verified Access. Replace `region`, `111122223333`, and `key_ID` with your own values.

```
{
  "Version" : "2012-10-17",
  "Statement" : [ 
    {
      "Sid" : "Allow access to principals authorized to use Verified Access",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "*"
      },
      "Action" : [ 
        "kms:DescribeKey", 
        "kms:CreateGrant",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "kms:ViaService" : "verified-access.region.amazonaws.com",
          "kms:CallerAccount" : "111122223333"
        }
      }
    },
    {
      "Sid": "Allow access for key administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action" : [ 
        "kms:*"
      ],
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID"
    },
    {
      "Sid" : "Allow read-only access to key metadata to the account",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "arn:aws:iam::111122223333:root"
      },
      "Action" : [ 
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "kms:RevokeGrant"
      ],
      "Resource" : "*"
    }
  ]
}
```

The wildcard principal in the first statement is safe only because of its two conditions: `kms:ViaService` limits the statement to requests that AWS KMS receives from Verified Access on a caller's behalf, and `kms:CallerAccount` limits it to callers from your account. Dropping either condition turns the statement into a grant of the key to any principal. Note also that the third statement, despite its read-only Sid, includes `kms:RevokeGrant`, which lets the account revoke the grant that Verified Access created. For more information, see [Creating a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html) and [Troubleshooting key access](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html) in the *AWS Key Management Service Developer Guide*.
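The following is an added example, not code from the AWS documentation: a small lint that checks a parsed key-policy document for the two properties above, that every wildcard-principal statement is fenced by `kms:ViaService` and `kms:CallerAccount`, and that the statements scoped to the Verified Access endpoint together allow the four required actions. The account ID is the page's placeholder and the region `us-east-1` is an assumption; both constructed policies are built from the page's example statements.

```python
"""Key-policy lint for Verified Access (added example, not AWS code).

Two checks on a parsed key-policy document:
  * every Allow statement with a wildcard principal ("AWS": "*") must carry
    StringEquals conditions on kms:ViaService and kms:CallerAccount, since
    without them the statement opens the key to any principal;
  * the statements scoped to the Verified Access service endpoint must, together,
    allow kms:CreateGrant, kms:DescribeKey, kms:GenerateDataKey and kms:Decrypt.
The account ID is the page's placeholder; the region is an assumption.
"""
import json

REQUIRED_ACTIONS = {"kms:CreateGrant", "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"}
REQUIRED_WILDCARD_CONDITIONS = {"kms:ViaService", "kms:CallerAccount"}


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(stmt):
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_key_policy(policy, expected_account, expected_region):
    """Return a list of findings; an empty list means the policy passes both checks."""
    via_service = f"verified-access.{expected_region}.amazonaws.com"
    findings = []
    service_path_actions = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if _principal_is_wildcard(stmt):
            missing = REQUIRED_WILDCARD_CONDITIONS - set(equals)
            if missing:
                findings.append(f"{sid}: wildcard principal without StringEquals on {sorted(missing)}")
                continue
            if expected_account not in _as_list(equals["kms:CallerAccount"]):
                findings.append(f"{sid}: kms:CallerAccount does not name {expected_account}")
        # Only statements scoped to the service endpoint count toward the required actions.
        if via_service in _as_list(equals.get("kms:ViaService")):
            actions = set(_as_list(stmt.get("Action")))
            service_path_actions |= REQUIRED_ACTIONS if "kms:*" in actions else actions
    missing_actions = REQUIRED_ACTIONS - service_path_actions
    if missing_actions:
        findings.append(f"no statement scoped to {via_service} allows {sorted(missing_actions)}")
    return findings


ACCOUNT = "111122223333"  # placeholder account ID used throughout the page
REGION = "us-east-1"      # assumption: the page's policy writes "region"

# Constructed input: the page's example statements as a complete policy document.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow access to principals authorized to use Verified Access",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["kms:DescribeKey", "kms:CreateGrant", "kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": "*",
            "Condition": {"StringEquals": {
                "kms:ViaService": f"verified-access.{REGION}.amazonaws.com",
                "kms:CallerAccount": ACCOUNT,
            }},
        },
        {
            "Sid": "Allow access for key administrators",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
            "Action": ["kms:*"],
            "Resource": "*",
        },
    ],
}

# Constructed input: a common mistake, the Condition block dropped from the
# wildcard statement and kms:GenerateDataKey left out of its Action list.
BAD_POLICY = json.loads(json.dumps(GOOD_POLICY))
del BAD_POLICY["Statement"][0]["Condition"]
BAD_POLICY["Statement"][0]["Action"].remove("kms:GenerateDataKey")

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, lint_key_policy(policy, ACCOUNT, REGION) or "OK")
```

Run it against the policy you are about to attach with `aws kms create-key --policy`; the good policy produces no findings, the variant without the condition block produces one finding for the open wildcard principal and one for the actions that are no longer reachable through the service endpoint.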

## Specifying a customer managed key for Verified Access resources
<a name="enable-additional-encryption"></a>

You can specify a customer managed key to provide a second layer of encryption for the following resources:
+ [Verified Access groups](verified-access-groups.md) 
+ [Verified Access endpoints](verified-access-endpoints.md) 
+ [Verified Access trust providers](trust-providers.md)

When you create any of these resources using the AWS Management Console, you can specify the customer managed key in the **Additional encryption - optional** section. During the process, select the **Customize encryption settings (advanced)** check box and then enter the ID of the AWS KMS key that you want to use. This can also be done when modifying an existing resource, or by using the AWS CLI.

**Note**  
If the customer managed key used to add additional encryption to any of these resources is lost, the configuration values of those resources can no longer be accessed. However, the resource can be modified using the AWS Management Console or the AWS CLI to apply a new customer managed key and reset the configuration values.

## AWS Verified Access encryption context
<a name="encryption-context"></a>

An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html) is an optional set of key-value pairs that contain additional contextual information about the data. AWS KMS uses the encryption context as additional authenticated data to support authenticated encryption. When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt the data, you must include the same encryption context in the request.

**AWS Verified Access encryption context**

Verified Access uses the same encryption context in all AWS KMS cryptographic operations, where the key is `aws:verified-access:arn` and the value is the Amazon Resource Name (ARN) of the resource. The following are the encryption contexts for Verified Access resources; the CloudTrail events later on this page show the concrete form of a trust provider ARN (`arn:aws:ec2:region:111122223333:verified-access-trust-provider/vatp-…`) and that `Decrypt` and `GenerateDataKey` requests carry an additional `aws-crypto-public-key` pair alongside it.

**Verified Access trust provider**

```
"encryptionContext": {
    "aws:verified-access:arn":
    "arn:aws:ec2:region:111122223333:VerifiedAccessTrustProviderId"
}
```

**Verified Access group**

```
"encryptionContext": {
    "aws:verified-access:arn":
    "arn:aws:ec2:region:111122223333:VerifiedAccessGroupId"
}
```

**Verified Access endpoint**

```
"encryptionContext": {
    "aws:verified-access:arn":
    "arn:aws:ec2:region:111122223333:VerifiedAccessEndpointId"
}
```
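The following is an added example, not AWS code, that models two behaviours this section and the `CreateGrant` event below depend on: the encryption context is authenticated data, so ciphertext produced under one resource ARN cannot be decrypted under another, and a grant with an `EncryptionContextSubset` constraint authorises only requests whose context contains every constrained pair, which is why a `Decrypt` request carrying the extra `aws-crypto-public-key` pair still matches. The cipher is an illustrative encrypt-then-MAC construction built from the standard library so that the example runs offline; it is not KMS's internal algorithm. ARNs are the page's placeholder values and the sample secret is constructed.

```python
"""Stdlib model of KMS encryption-context binding and grant constraints (added example, not AWS code).

The cipher here (HMAC-SHA256 keystream plus an HMAC tag over nonce, ciphertext and
the canonical context) stands in for the AEAD that KMS uses; it is illustrative only.
"""
import hashlib
import hmac
import json
import os

# Placeholder resource ARNs taken from the CloudTrail events on this page.
ARN_TRUST_PROVIDER = "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-0e54f581e2e5c97a2"
ARN_OTHER_PROVIDER = "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-00f20a4e455e9340f"

# Grant constraints apply to cryptographic operations that take an encryption context.
CONTEXT_OPERATIONS = {"Encrypt", "Decrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
                      "ReEncryptFrom", "ReEncryptTo"}


def canonical_context(ctx):
    """Encryption context as a set of string pairs: order-independent, so sort before serialising."""
    return json.dumps(ctx, sort_keys=True, separators=(",", ":")).encode()


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(data_key, plaintext, ctx):
    """Return nonce || ciphertext || tag; the tag also covers the canonical encryption context."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(data_key, nonce, len(plaintext))))
    tag = hmac.new(data_key, nonce + ct + canonical_context(ctx), hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(data_key, blob, ctx):
    """Raise ValueError unless the caller supplies exactly the context used at encrypt time."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(data_key, nonce + ct + canonical_context(ctx), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("encryption context mismatch or ciphertext tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(data_key, nonce, len(ct))))


def grant_permits(grant, operation, ctx):
    """EncryptionContextSubset: every constrained pair must appear in the request context."""
    if operation not in grant["operations"]:
        return False
    if operation not in CONTEXT_OPERATIONS:
        return True  # RetireGrant etc. are not subject to context constraints
    subset = grant["constraints"].get("encryptionContextSubset", {})
    return all(ctx.get(k) == v for k, v in subset.items())


# The grant from the CreateGrant event on this page, reduced to the fields that matter here.
VERIFIED_ACCESS_GRANT = {
    "operations": ["Decrypt", "RetireGrant", "GenerateDataKey"],
    "constraints": {"encryptionContextSubset": {"aws:verified-access:arn": ARN_TRUST_PROVIDER}},
}


def demo():
    """Run the scenarios and return which ones succeeded."""
    data_key = os.urandom(32)                        # what GenerateDataKey would return
    secret = b"ClientSecret=EXAMPLE-oidc-secret"     # constructed sample PII
    ctx = {"aws:verified-access:arn": ARN_TRUST_PROVIDER}
    blob = encrypt(data_key, secret, ctx)

    same_ctx_ok = decrypt(data_key, blob, ctx) == secret
    try:
        decrypt(data_key, blob, {"aws:verified-access:arn": ARN_OTHER_PROVIDER})
        other_ctx_ok = True
    except ValueError:
        other_ctx_ok = False

    # The Decrypt event on this page carries an extra aws-crypto-public-key pair (value constructed).
    request_with_extra = dict(ctx, **{"aws-crypto-public-key": "EXAMPLE-public-key"})
    return {
        "decrypt_same_context": same_ctx_ok,
        "decrypt_other_context": other_ctx_ok,
        "grant_allows_extra_pair": grant_permits(VERIFIED_ACCESS_GRANT, "Decrypt", request_with_extra),
        "grant_allows_other_arn": grant_permits(VERIFIED_ACCESS_GRANT, "Decrypt",
                                                {"aws:verified-access:arn": ARN_OTHER_PROVIDER}),
        "grant_allows_retire": grant_permits(VERIFIED_ACCESS_GRANT, "RetireGrant", {}),
        "grant_allows_encrypt": grant_permits(VERIFIED_ACCESS_GRANT, "Encrypt", ctx),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical consequence is that the grant Verified Access creates for one resource cannot be used to decrypt another resource's secrets, even though both are encrypted under the same customer managed key, and that the grant does not permit `Encrypt` at all because that operation is not in its operation list.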

## Monitoring your encryption keys for AWS Verified Access
<a name="monitor-key-use"></a>

When you use a customer managed KMS key with your AWS Verified Access resources, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) to track the requests that Verified Access sends to AWS KMS. In these records the `userIdentity` is the principal that created or modified the Verified Access resource, and `invokedBy` is set to `verified-access.amazonaws.com` to show that the service made the KMS call on that principal's behalf; this is the same service-call path that the `kms:ViaService` condition in the key policy matches.

The following examples are AWS CloudTrail events for the `CreateGrant`, `RetireGrant`, `Decrypt`, `DescribeKey`, and `GenerateDataKey` operations that Verified Access calls to access data encrypted by your customer managed KMS key:

------
#### [ CreateGrant ]

When you encrypt your resource with a customer managed key, Verified Access sends a `CreateGrant` request on your behalf to access the key in your AWS account. The grant that Verified Access creates is specific to the resource associated with the customer managed key.

The following example event records the `CreateGrant` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AKIAI44QH8DHBEXAMPLE",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AKIAI44QH8DHBEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Admin",
                "accountId": "111122223333",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-09-11T16:27:12Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "verified-access.amazonaws.com"
    },
    "eventTime": "2023-09-11T16:41:42Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "verified-access.amazonaws.com",
    "userAgent": "verified-access.amazonaws.com",
    "requestParameters": {
        "operations": [
            "Decrypt",
            "RetireGrant",
            "GenerateDataKey"
        ],
        "keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae",
        "constraints": {
            "encryptionContextSubset": {
                "aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-0e54f581e2e5c97a2"
            }
        },
        "granteePrincipal": "verified-access.ca-central-1.amazonaws.com",
        "retiringPrincipal": "verified-access.ca-central-1.amazonaws.com"
    },
    "responseElements": {
        "grantId": "e5a050fff9893ba1c43f83fddf61e5f9988f579beaadd6d4ad6d1df07df6048f",
        "keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
    },
    "requestID": "0faa837e-5c69-4189-9736-3957278e6444",
    "eventID": "1b6dd8b8-cbee-4a83-9b9d-d95fa5f6fd08",
    "readOnly": false,
    "resources": [
        {
            "accountId": "AWS Internal",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

------
#### [ RetireGrant ]

When you delete a resource, Verified Access uses the `RetireGrant` operation to remove the grant.

The following example event records the `RetireGrant` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AKIAI44QH8DHBEXAMPLE",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AKIAI44QH8DHBEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Admin",
                "accountId": "111122223333",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-09-11T16:42:33Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "verified-access.amazonaws.com"
    },
    "eventTime": "2023-09-11T16:47:53Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "RetireGrant",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "verified-access.amazonaws.com",
    "userAgent": "verified-access.amazonaws.com",
    "requestParameters": null,
    "responseElements": {
        "keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
    },
    "additionalEventData": {
        "grantId": "b35e66f9bacb266cec214fcaa353c9cf750785e28773e61ba6f434d8c5c7632f"
    },
    "requestID": "7d4a31c2-d426-434b-8f86-336532a70462",
    "eventID": "17edc343-f25b-43d4-bbff-150d8fff4cf8",
    "readOnly": false,
    "resources": [
        {
            "accountId": "AWS Internal",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

------
#### [ Decrypt ]

Verified Access calls the `Decrypt` operation to use the stored encrypted data key to access the encrypted data.

The following example event records the `Decrypt` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AKIAI44QH8DHBEXAMPLE",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AKIAI44QH8DHBEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Admin",
                "accountId": "111122223333",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-09-11T17:19:33Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "verified-access.amazonaws.com"
    },
    "eventTime": "2023-09-11T17:47:05Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "verified-access.amazonaws.com",
    "userAgent": "verified-access.amazonaws.com",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e",
        "encryptionContext": {
            "aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-00f20a4e455e9340f",
            "aws-crypto-public-key": "AkK+vi1W/acBKv7OR8p2DeUrA8EgpTffSrjBqNucODuBYhyZ3hlMuYYJz9x7CwQWZw=="
        }
    },
    "responseElements": null,
    "requestID": "2e920fd3-f2f6-41b2-a5e7-2c2cb6f853a9",
    "eventID": "3329e0a3-bcfb-44cf-9813-8106d6eee31d",
    "readOnly": true,
    "resources": [
        {
            "accountId": "AWS Internal",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

------
#### [ DescribeKey ]

Verified Access uses the `DescribeKey` operation to verify that the customer managed key associated with your resource exists in the account and Region.

The following example event records the `DescribeKey` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AKIAI44QH8DHBEXAMPLE",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AKIAI44QH8DHBEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Admin",
                "accountId": "111122223333",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-09-11T17:19:33Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "verified-access.amazonaws.com"
    },
    "eventTime": "2023-09-11T17:46:48Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeKey",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "verified-access.amazonaws.com",
    "userAgent": "verified-access.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
    },
    "responseElements": null,
    "requestID": "5b127082-6691-48fa-bfb0-4d40e1503636",
    "eventID": "ffcfc2bb-f94b-4c00-b6fb-feac77daff2a",
    "readOnly": true,
    "resources": [
        {
            "accountId": "AWS Internal",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

------
#### [ GenerateDataKey ]

The following example event records the `GenerateDataKey` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AKIAI44QH8DHBEXAMPLE",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AKIAI44QH8DHBEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Admin",
                "accountId": "111122223333",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-09-11T17:19:33Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "verified-access.amazonaws.com"
    },
    "eventTime": "2023-09-11T17:46:49Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "verified-access.amazonaws.com",
    "userAgent": "verified-access.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-00f20a4e455e9340f",
            "aws-crypto-public-key": "A/ATGxaYatPUlOtM+l/mfDndkzHUmX5Hav+29IlIm+JRBKFuXf24ulztmOIsqFQliw=="
        },
        "numberOfBytes": 32,
        "keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
    },
    "responseElements": null,
    "requestID": "06535808-7cce-4ae1-ab40-e3afbf158a43",
    "eventID": "1ce79601-5a5e-412c-90b3-978925036526",
    "readOnly": true,
    "resources": [
        {
            "accountId": "AWS Internal",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

------
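The following is an added example, not AWS code, of what a practitioner would run over these records once they land in a log store: it counts the KMS calls that came through Verified Access per resource (using the `aws:verified-access:arn` pair from the encryption context, or from the grant constraint for `CreateGrant`), flags any call on the key that did not come through the service, which is where a leaked credential using the key directly would show up, and flags service calls for a resource that was not assigned to this key. The sample events are constructed in the shape of the records above, with the page's placeholder IDs.

```python
"""CloudTrail triage for a Verified Access customer managed key (added example, not AWS code)."""
VERIFIED_ACCESS = "verified-access.amazonaws.com"
CONTEXT_KEY = "aws:verified-access:arn"
KEY_ARN = "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
VATP_A = "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-0e54f581e2e5c97a2"
VATP_B = "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-00f20a4e455e9340f"


def _context_arn(event):
    """Resource ARN bound to the request, wherever the record carries it."""
    params = event.get("requestParameters") or {}
    ctx = (params.get("encryptionContext")
           or params.get("constraints", {}).get("encryptionContextSubset")
           or {})
    return ctx.get(CONTEXT_KEY)


def triage(events, key_arn, expected_resource_arns):
    """Summarise service use of key_arn and return the events worth a closer look."""
    per_resource, direct_use, unexpected = {}, [], []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(r.get("ARN") == key_arn for r in ev.get("resources", [])):
            continue
        name = ev["eventName"]
        identity = ev.get("userIdentity", {})
        if identity.get("invokedBy") != VERIFIED_ACCESS:
            # A principal used the key itself rather than through Verified Access.
            direct_use.append((ev["eventTime"], name, identity.get("arn")))
            continue
        arn = _context_arn(ev)
        if arn is None:  # DescribeKey and RetireGrant carry no encryption context
            continue
        counts = per_resource.setdefault(arn, {})
        counts[name] = counts.get(name, 0) + 1
        if arn not in expected_resource_arns:
            unexpected.append((ev["eventTime"], name, arn))
    return {"per_resource": per_resource, "direct_use": direct_use, "unexpected_resource": unexpected}


def _event(time, name, invoked_by=None, ctx_arn=None):
    """Minimal CloudTrail record with the fields the examples above show (constructed)."""
    params = {"keyId": KEY_ARN}
    if ctx_arn and name == "CreateGrant":
        params["constraints"] = {"encryptionContextSubset": {CONTEXT_KEY: ctx_arn}}
    elif ctx_arn:
        params["encryptionContext"] = {CONTEXT_KEY: ctx_arn, "aws-crypto-public-key": "EXAMPLE"}
    identity = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/"}
    if invoked_by:
        identity["invokedBy"] = invoked_by
    return {"eventSource": "kms.amazonaws.com", "eventName": name, "eventTime": time,
            "userIdentity": identity, "requestParameters": params,
            "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]}


# Constructed sample: the normal service sequence for one trust provider, a service
# call for a second resource that was never assigned this key, and a direct Decrypt.
SAMPLE_EVENTS = [
    _event("2023-09-11T16:41:42Z", "CreateGrant", VERIFIED_ACCESS, VATP_A),
    _event("2023-09-11T16:41:43Z", "DescribeKey", VERIFIED_ACCESS),
    _event("2023-09-11T16:41:44Z", "GenerateDataKey", VERIFIED_ACCESS, VATP_A),
    _event("2023-09-11T17:47:05Z", "Decrypt", VERIFIED_ACCESS, VATP_A),
    _event("2023-09-11T17:50:00Z", "Decrypt", VERIFIED_ACCESS, VATP_B),
    _event("2023-09-11T18:02:11Z", "Decrypt", None, VATP_A),
]


def triage_sample():
    return triage(SAMPLE_EVENTS, KEY_ARN, {VATP_A})


if __name__ == "__main__":
    import json
    print(json.dumps(triage_sample(), indent=2))
```

`invokedBy` is the field to key on; `sourceIPAddress` and `userAgent` also read `verified-access.amazonaws.com` in the service records above, but `invokedBy` is the one CloudTrail sets specifically to mark a call made by a service on a principal's behalf.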