本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
管理 Amazon ECS Fargate 暫時性儲存的 AWS KMS 金鑰
在建立或匯入您的 AWS KMS 金鑰以加密 Fargate 暫時性儲存之後,您可以像管理任何其他 AWS KMS 金鑰一樣進行管理。
自動輪換 AWS KMS 金鑰
您可以啟用自動金鑰輪換或手動輪換。自動金鑰輪換會每年為您輪換金鑰,方法是為金鑰產生新的密碼編譯材料。 AWS KMS 也會儲存密碼編譯材料的所有先前版本,因此您可以解密使用先前金鑰版本的任何資料。在您刪除金鑰 AWS KMS 之前, 不會刪除任何輪換的資料。
自動金鑰輪換是選用的,可以隨時啟用或停用。
停用或撤銷 AWS KMS 金鑰
如果您在 中停用客戶受管金鑰 AWS KMS,對執行中的任務沒有任何影響,而且它們會在其生命週期中繼續運作。如果新任務使用已停用或已撤銷的金鑰,則任務會失敗,因為它無法存取金鑰。您應該設定 CloudWatch 警示或類似警示,以確保不再需要停用的金鑰來解密已加密的資料。
刪除 AWS KMS 金鑰
刪除金鑰應一律是最後手段,而且只有在您確定不再需要刪除的金鑰時才應完成。嘗試使用已刪除金鑰的新任務將會失敗,因為他們無法存取它。 AWS KMS 建議停用金鑰,而不是將其刪除。如果您覺得有必要刪除金鑰,建議您先停用金鑰,並設定 CloudWatch 警示以確保不需要。如果您刪除金鑰, AWS KMS 至少提供七天來改變主意。
稽核 AWS KMS 金鑰存取
您可以使用 CloudTrail 日誌來稽核對 AWS KMS 金鑰的存取。您可以檢查 AWS KMS 操作 CreateGrant、 GenerateDataKeyWithoutPlaintext和 Decrypt。這些操作也會aws:ecs:clusterName在EncryptionContext登入 CloudTrail 的 中顯示 aws:ecs:clusterAccount和 。
以下是 GenerateDataKeyWithoutPlaintext、GenerateDataKeyWithoutPlaintext (DryRun)、CreateGrant (DryRun)、 和 RetireGrant(使用您自己的值取代紅色值) 的 CloudTrail CreateGrant事件範例。
- GenerateDataKeyWithoutPlaintext
-
{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "ec2-frontend-api.amazonaws.com" }, "eventTime": "2024-04-23T18:08:13Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKeyWithoutPlaintext", "awsRegion": "us-west-2", "sourceIPAddress": "ec2-frontend-api.amazonaws.com", "userAgent": "ec2-frontend-api.amazonaws.com", "requestParameters": { "numberOfBytes": 64, "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "encryptionContext": { "aws:ecs:clusterAccount": "account-id", "aws:ebs:id": "vol-xxxxxxx", "aws:ecs:clusterName": "cluster-name" } }, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "readOnly": true, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "account-id", "sharedEventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa", "eventCategory": "Management" } - GenerateDataKeyWithoutPlaintext (DryRun)
-
{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "fargate.amazonaws.com" }, "eventTime": "2024-04-23T18:08:11Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKeyWithoutPlaintext", "awsRegion": "us-west-2", "sourceIPAddress": "fargate.amazonaws.com", "userAgent": "fargate.amazonaws.com", "errorCode": "DryRunOperationException", "errorMessage": "The request would have succeeded, but the DryRun option is set.", "requestParameters": { "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "dryRun": true, "numberOfBytes": 64, "encryptionContext": { "aws:ecs:clusterAccount": "account-id", "aws:ecs:clusterName": "cluster-name" } }, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "readOnly": true, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "account-id", "sharedEventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa", "eventCategory": "Management" } - CreateGrant
-
{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "ec2-frontend-api.amazonaws.com" }, "eventTime": "2024-04-23T18:08:13Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "awsRegion": "us-west-2", "sourceIPAddress": "ec2-frontend-api.amazonaws.com", "userAgent": "ec2-frontend-api.amazonaws.com", "requestParameters": { "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "granteePrincipal": "fargate.us-west-2.amazonaws.com", "operations": [ "Decrypt" ], "constraints": { "encryptionContextSubset": { "aws:ecs:clusterAccount": "account-id", "aws:ebs:id": "vol-xxxx", "aws:ecs:clusterName": "cluster-name" } }, "retiringPrincipal": "ec2.us-west-2.amazonaws.com" }, "responseElements": { "grantId": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "readOnly": false, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "account-id", "sharedEventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa", "eventCategory": "Management" } - CreateGrant (DryRun)
-
{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "fargate.amazonaws.com" }, "eventTime": "2024-04-23T18:08:11Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "awsRegion": "us-west-2", "sourceIPAddress": "fargate.amazonaws.com", "userAgent": "fargate.amazonaws.com", "errorCode": "DryRunOperationException", "errorMessage": "The request would have succeeded, but the DryRun option is set.", "requestParameters": { "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "granteePrincipal": "fargate.us-west-2.amazonaws.com", "dryRun": true, "operations": [ "Decrypt" ], "constraints": { "encryptionContextSubset": { "aws:ecs:clusterAccount": "account-id", "aws:ecs:clusterName": "cluster-name" } } }, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "readOnly": false, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "account-id", "sharedEventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa", "eventCategory": "Management" } - RetireGrant
-
{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "AWS Internal" }, "eventTime": "2024-04-20T18:37:38Z", "eventSource": "kms.amazonaws.com", "eventName": "RetireGrant", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": null, "responseElements": { "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "additionalEventData": { "grantId": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" }, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "readOnly": false, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "account-id", "sharedEventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa", "eventCategory": "Management" }
建立 Fargate 暫時性儲存的加密金鑰
任務淘汰和維護