

This is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

# Monitoring encryption keys
<a name="monitor-keys"></a>

Amazon Chime SDK Voice Connectors send requests to AWS KMS, and you can track those requests in CloudTrail or CloudWatch Logs.

------
#### [ CreateGrant ]

When you create a voice profile domain resource with a customer managed key, the associated Voice Connector sends a `CreateGrant` request on your behalf to access the KMS key in your AWS account. The grant that the Voice Connector creates is specific to the resource associated with the customer managed key. The Voice Connector also uses the `RetireGrant` operation to remove the grant when you delete the resource.

The following example records the `CreateGrant` operation.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "{{AROAIGDTESTANDEXAMPLE}}:{{Sampleuser01}}",
        "arn": "arn:aws:sts::{{111122223333}}:assumed-role/Admin/{{Sampleuser01}}",
        "accountId": "{{111122223333}}",
        "accessKeyId": "{{AKIAIOSFODNN7EXAMPLE3}}",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "{{AROAIGDTESTANDEXAMPLE}}:{{Sampleuser01}}",
                "arn": "arn:aws:sts::{{111122223333}}:assumed-role/Admin/{{Sampleuser01}}",
                "accountId": "{{111122223333}}",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "{{2021-04-22T17:02:00Z}}"
            }
        },
        "invokedBy": "AWS Internal"
    },
    "eventTime": "{{2021-04-22T17:07:02Z}}",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "{{ExampleDesktop}}/1.0 (V1; OS)",
    "requestParameters": {
       "constraints": {
            "encryptionContextSubset": {
                "aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:{{111122223333}}:voice-profile-domain/sample-domain-id"
            }
        },
        "operations": [
            "GenerateDataKey",
            "Decrypt",
            "DescribeKey",
            "RetireGrant"
        ],
        "keyId": "arn:aws:kms:us-west-2:{{111122223333}}:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
        "granteePrincipal": "chimevoiceconnector.region.amazonaws.com",
        "retiringPrincipal": "chimevoiceconnector.region.amazonaws.com"
    },
    "responseElements": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE"
    },
    "requestID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "eventID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "readOnly": false,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "{{111122223333}}"
}
```

------
#### [ GenerateDataKey ]

When you create a voice profile domain and assign a customer managed key to it, the associated Voice Connector creates a unique data key to encrypt each speaker's enrollment audio. The Voice Connector sends a `GenerateDataKey` request to AWS KMS that specifies the key for the resource.

The following example records the `GenerateDataKey` operation.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "{{2021-04-22T17:07:02Z}}",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "{{ExampleDesktop}}/1.0 (V1; OS)",
    "requestParameters": {
        "encryptionContext": {
            "aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:{{111122223333}}:{{voice-profile-domain}}/{{sample-domain-id}}"
        },
        "keySpec": "AES_256",
        "keyId": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-123456SAMPLE}}"
    },
    "responseElements": null,
    "requestID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "eventID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "readOnly": true,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-123456SAMPLE}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "{{111122223333}}",
    "sharedEventID": "{{57f5dbee-16da-413e-979f-2c4c6663475e}}"
}
```

------
#### [ Decrypt ]

When a voice profile in a voice profile domain needs its voice print upgraded because of a newer speaker recognition model, the associated Voice Connector calls the `Decrypt` operation to use the stored encrypted data key to access the encrypted data.

The following example records the `Decrypt` operation.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "{{2021-10-12T23:59:34Z}}",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "{{ExampleDesktop}}/1.0 (V1; OS)",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:{{111122223333}}:key/44444444-3333-2222-1111-EXAMPLE11111",
        "encryptionContext": {
            "aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:{{111122223333}}:{{voice-profile-domain}}/{{sample-domain-id}}"
        },
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "ed0fe4ab-305b-4388-8adf-7e8e3a4e80fe",
    "eventID": "31d0d7c6-ce5b-4caf-901f-025bf71241f6",
    "readOnly": true,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{00000000-1111-2222-3333-9999999999999}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "{{111122223333}}",
    "sharedEventID": "{{35d58aa1-26b2-427a-908f-025bf71241f6}}",
    "eventCategory": "Management"
}
```

------
#### [ DescribeKey ]

Voice Connectors use the `DescribeKey` operation to verify that the key associated with a voice profile domain exists in the account and Region.

The following example records the `DescribeKey` operation.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "{{AROAIGDTESTANDEXAMPLE}}:{{Sampleuser01}}",
        "arn": "arn:aws:sts::{{111122223333}}:assumed-role/Admin/{{Sampleuser01}}",
        "accountId": "{{111122223333}}",
        "accessKeyId": "{{AKIAIOSFODNN7EXAMPLE3}}",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "{{AROAIGDTESTANDEXAMPLE}}:{{Sampleuser01}}",
                "arn": "arn:aws:sts::{{111122223333}}:assumed-role/Admin/{{Sampleuser01}}",
                "accountId": "{{111122223333}}",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "{{2021-04-22T17:02:00Z}}"
            }
        },
        "invokedBy": "AWS Internal"
    },
    "eventTime": "{{2021-04-22T17:07:02Z}}",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "{{ExampleDesktop}}/1.0 (V1; OS)",
    "requestParameters": {
        "keyId": "{{00dd0db0-0000-0000-ac00-b0c000SAMPLE}}"
    },
    "responseElements": null,
    "requestID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "eventID": "{{ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE}}",
    "readOnly": true,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-123456SAMPLE}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "{{111122223333}}"
}
```

------
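As an added example (not part of the Amazon Chime SDK documentation), the following Python script audits newline-delimited CloudTrail records against the patterns shown in the `CreateGrant`, `GenerateDataKey` and `Decrypt` samples above: a grant on the key is expected to go to the Voice Connector principal, request only the four documented operations, and be constrained to a voice profile domain ARN, and data-key and decrypt calls are expected to carry that ARN in their encryption context. The principal name and the `aws:chime:voice-profile-domain:arn` context key are taken from the page; the sample records are constructed placeholders, not real CloudTrail output.

```python
import json

# Values taken from the page's CreateGrant sample: the Voice Connector service
# principal ("region" is the page's placeholder) and the operations it requests.
EXPECTED_PRINCIPAL = "chimevoiceconnector.region.amazonaws.com"
EXPECTED_OPS = {"GenerateDataKey", "Decrypt", "DescribeKey", "RetireGrant"}
CONTEXT_KEY = "aws:chime:voice-profile-domain:arn"

def audit_record(rec):
    """Return findings for one CloudTrail record; an empty list means it matches the documented pattern."""
    findings = []
    if rec.get("eventSource") != "kms.amazonaws.com":
        return findings
    name = rec.get("eventName")
    params = rec.get("requestParameters") or {}
    if name == "CreateGrant":
        if params.get("granteePrincipal") != EXPECTED_PRINCIPAL:
            findings.append(f"CreateGrant: unexpected granteePrincipal {params.get('granteePrincipal')!r}")
        extra = set(params.get("operations", [])) - EXPECTED_OPS
        if extra:
            findings.append(f"CreateGrant: operations beyond the documented set: {sorted(extra)}")
        subset = (params.get("constraints") or {}).get("encryptionContextSubset") or {}
        if CONTEXT_KEY not in subset:
            findings.append("CreateGrant: grant is not constrained to a voice profile domain ARN")
    elif name in ("GenerateDataKey", "Decrypt"):
        if CONTEXT_KEY not in (params.get("encryptionContext") or {}):
            findings.append(f"{name}: no {CONTEXT_KEY} in encryptionContext")
    return findings

def audit_trail(ndjson):
    """Audit newline-delimited CloudTrail records; returns {eventID: [findings]} for records with findings."""
    results = {}
    for line in ndjson.splitlines():
        if line.strip():
            rec = json.loads(line)
            findings = audit_record(rec)
            if findings:
                results[rec.get("eventID")] = findings
    return results

# Constructed sample records (placeholders, not real CloudTrail output), one per line.
SAMPLE_LOG = """
{"eventID": "ev-1", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "requestParameters": {"granteePrincipal": "chimevoiceconnector.region.amazonaws.com", "operations": ["GenerateDataKey", "Decrypt", "DescribeKey", "RetireGrant"], "constraints": {"encryptionContextSubset": {"aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:111122223333:voice-profile-domain/sample-domain-id"}}}}
{"eventID": "ev-2", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "requestParameters": {"granteePrincipal": "arn:aws:iam::111122223333:role/SomeOtherRole", "operations": ["Decrypt", "ReEncryptFrom"], "constraints": {}}}
{"eventID": "ev-3", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "requestParameters": {"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE", "encryptionContext": {}}}
{"eventID": "ev-4", "eventSource": "kms.amazonaws.com", "eventName": "DescribeKey", "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-123456SAMPLE"}}
"""

if __name__ == "__main__":
    print(audit_trail(SAMPLE_LOG))  # ev-1 and ev-4 are clean; ev-2 and ev-3 are reported
```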