本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# Amazon WorkSpaces 安全浏览器的静态加密
*静态加密*是默认配置的, WorkSpaces 安全浏览器中使用的所有客户数据(例如,浏览器策略声明、用户名、日志记录或 IP 地址)均使用 AWS KMS进行加密。默认情况下, WorkSpaces 安全浏览器启用使用 AWS自有密钥进行加密。您也可以通过在创建资源时指定您的 CMK 来使用客户托管密钥 (CMK)。这是当前唯一通过 CLI 支持的类型。
如果您选择传递 CMK,则提供的密钥必须是对称加密 AWS KMS 密钥,并且作为管理员,您必须具有以下权限:
```
kms:DescribeKey
kms:GenerateDataKey
kms:GenerateDataKeyWithoutPlaintext
kms:Decrypt
kms:ReEncryptTo
kms:ReEncryptFrom
```
如果您使用 CMK,则需要将 WorkSpaces 安全浏览器外部服务主体列入许可名单才能访问密钥。
有关更多信息,请参阅 aw [s 的作用域 CMK 密钥策略示例]():SourceAccount
只要有可能, WorkSpaces 安全浏览器就会使用正向访问会话 (FAS) 凭据来访问您的密钥。有关 FAS 的更多信息,请参阅[转发访问会话](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html)。
在某些情况下, WorkSpaces 安全浏览器可能需要异步访问您的密钥。通过在密钥策略中列入 WorkSpaces 安全浏览器外部服务主体许可名单, WorkSpaces 安全浏览器将能够使用您的密钥执行列入许可名单的一组加密操作。
创建资源后,无法再删除或更改密钥。如果您使用了 CMK,则作为访问该资源的管理员,您必须具有以下权限:
```
kms:GenerateDataKey
kms:GenerateDataKeyWithoutPlaintext
kms:Decrypt
kms:ReEncryptTo
kms:ReEncryptFrom
```
如果您在使用控制台时看到**访问被拒绝**错误,则可能表明访问控制台的用户不具备针对正在利用的密钥使用 CMK 所需的权限。
## WorkSpaces 安全浏览器的关键策略和范围界定示例
CMKs 需要以下密钥策略:
```
{
"Version": "2012-10-17",
"Statement": [
...,
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
}
]
}
```
WorkSpaces 安全浏览器需要以下权限:
+ `kms:DescribeKey`— 验证提供的 AWS KMS 密钥配置是否正确。
+ `kms:GenerateDataKeyWithoutPlaintext`和 `kms:GenerateDataKey` — 请求 AWS KMS 密钥以创建用于加密对象的数据密钥。
+ `kms:Decrypt`— 请求 AWS KMS 密钥以解密加密的数据密钥。这些数据密钥用于加密您的数据。
+ `kms:ReEncryptTo`和 `kms:ReEncryptFrom` — 请求 AWS KMS 密钥以允许对 KMS 密钥进行重新加密。
### 为您的密钥设定 WorkSpaces 安全浏览器的 AWS KMS 权限范围
当密钥策略声明中的委托人是[AWS 服务委托](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services)人时,除了加密上下文之外,我们强烈建议您使用 a [ws: SourceArn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) [或 aws: SourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) 全局条件密钥。
用于资源的加密上下文将始终包含 `aws:workspaces-web:RESOURCE_TYPE:id` 格式的条目和相应的资源 ID。
只有当请求 AWS KMS 来自其他 AWS 服务时,来源 ARN 和来源账户值才会包含在授权上下文中。这种条件的组合实施最低权限,避免了潜在的[混淆代理情况](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)。有关更多信息,请参阅[密钥策略中的 AWS 服务权限](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html.html)。
```
"Condition": {
"StringEquals": {
"aws:SourceAccount": "AccountId",
"kms:EncryptionContext:aws:workspaces-web:resourceType:id": "resourceId"
},
"ArnEquals": {
"aws:SourceArn": [
"arn:aws:workspaces-web:Region:AccountId:resourceType/resourceId"
]
},
}
```
**注意**
在创建资源之前,密钥策略应仅使用 `aws:SourceAccount` 条件,因为完整的资源 ARN 尚不存在。创建资源后,可以更新密钥策略以包含 `aws:SourceArn` 和 `kms:EncryptionContext` 条件。
### 带有 `aws:SourceAccount` 的范围限定的 CMK 密钥策略示例
```
{
"Version": "2012-10-17",
"Statement": [
...,
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": ""
}
}
}
]
}
```
### 带 `aws:SourceArn` 和资源通配符的范围限定的 CMK 密钥策略示例
```
{
"Version": "2012-10-17",
"Statement": [
...,
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:workspaces-web:::*/*"
}
}
}
]
}
```
### 带有 `aws:SourceArn` 的范围限定的 CMK 密钥策略示例
```
{
"Version": "2012-10-17",
"Statement": [
...,
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:SourceArn": [
"arn:aws:workspaces-web:::portal/*",
"arn:aws:workspaces-web:::browserSettings/*",
"arn:aws:workspaces-web:::userSettings/*",
"arn:aws:workspaces-web:::ipAccessSettings/*"
]
}
}
]
}
```
**注意**
创建资源后,您可以在 `SourceArn` 中更新其通配符。如果您使用 WorkSpaces 安全浏览器创建需要 CMK 访问权限的新资源,请确保相应地更新其密钥策略。
### 带 `aws:SourceArn` 和资源特定的 `EncryptionContext` 的范围限定的 CMK 密钥策略示例
```
{
"Version": "2012-10-17",
"Statement": [
...,
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt portal",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "",
"kms:EncryptionContext:aws:workspaces-web:portal:id": ">"
}
}
},
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt userSettings",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "",
"kms:EncryptionContext:aws:workspaces-web:userSetttings:id": ""
}
}
},
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt browserSettings",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "",
"kms:EncryptionContext:aws:workspaces-web:browserSettings:id": ""
}
}
},
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt ipAccessSettings",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "",
"kms:EncryptionContext:aws:workspaces-web:ipAccessSettings:id": ""
}
}
},
]
}
```
**注意**
在针对同一密钥策略包含资源特定的 `EncryptionContext` 时,请确保创建单独的语句。有关更多信息,请参阅 context-key 下 kms:EncryptionContext的 “使用多个加密[https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context)对” 部分。