

This page is a machine translation of the English version. If there is any ambiguity or inconsistency, the English version prevails.

# Key management for Amazon S3 data access
<a name="key-management"></a>

This page applies only to the Amazon S3 data access data set type, in which providers share objects encrypted with SSE-KMS. A subscriber must hold an AWS KMS grant on the key that protects the objects they access.

If your Amazon S3 bucket contains data encrypted with AWS KMS customer managed keys, you must share those AWS KMS keys with AWS Data Exchange in order to set up an Amazon S3 data access data set. For more information, see [Step 2: Configure Amazon S3 data access](publish-s3-data-access-product.md#configure-s3-data-access-product).

**Topics**
+ [Creating AWS KMS grants](#create-kms-grants)
+ [Encryption context and grant constraints](#encryption-context-grant-constraint)
+ [Monitoring your AWS KMS keys in AWS Data Exchange](#monitoring-your-kms-keys)

## Creating AWS KMS grants
<a name="create-kms-grants"></a>

When you provide AWS KMS keys in an Amazon S3 data access data set, AWS Data Exchange creates one AWS KMS grant for each shared AWS KMS key. This grant is called the *parent grant*, and it gives AWS Data Exchange permission to create further AWS KMS grants for subscribers. Those further grants are called *child grants*. Each subscriber is allowed one AWS KMS grant, which permits them to call `Decrypt` with the AWS KMS key; they can then decrypt and use the encrypted Amazon S3 objects shared with them. For more information, see [Grants in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in the *AWS Key Management Service Developer Guide*.

AWS Data Exchange also uses the AWS KMS parent grant to manage the lifecycle of the AWS KMS grants it creates. When a subscription ends, AWS Data Exchange retires the AWS KMS child grant that was created for that subscriber. If a revision is revoked or the data set is deleted, AWS Data Exchange retires the AWS KMS parent grant. For more information about AWS KMS actions, see the [AWS KMS API Reference](https://docs.aws.amazon.com/kms/latest/APIReference/API_Operations.html).
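The parent and child grants described above have a recognisable shape on the key: the parent names the region-qualified AWS Data Exchange service principal as both grantee and retiring principal and carries the `CreateGrant`, `Decrypt` and `RetireGrant` operations; a child names a subscriber account as grantee, keeps AWS Data Exchange as retiring principal, and carries only `Decrypt`. The following added example (not AWS Data Exchange's own code) classifies the entries returned by boto3's `kms.list_grants(KeyId=...)` into parent, child and "other", so that a key owner can confirm that nothing besides the expected grants exists on a shared key. The sample grants, bucket name and account IDs are constructed; the subscriber-grantee check follows the account ID form the page shows.

```python
"""Classify the AWS KMS grants present on a key shared with AWS Data Exchange.

Added example; this is not AWS Data Exchange's own code. Input is the shape
returned by boto3's kms.list_grants(KeyId=...). SAMPLE_GRANTS is constructed to
mirror the parent and child grants described above plus one stray grant.
"""
import re

# Region-qualified service principal AWS Data Exchange uses as grantee/retirer.
ADX_PRINCIPAL_RE = re.compile(r"^dataexchange\.[a-z0-9-]+\.amazonaws\.com$")
# Account ID form shown in the documentation for a subscriber grantee (assumption).
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

PARENT_OPERATIONS = {"CreateGrant", "Decrypt", "RetireGrant"}
CHILD_OPERATIONS = {"Decrypt"}


def classify_grant(grant: dict) -> str:
    """Return 'parent', 'child' or 'other' for one ListGrants entry."""
    grantee = grant.get("GranteePrincipal", "")
    retiring = grant.get("RetiringPrincipal", "")
    ops = set(grant.get("Operations", []))
    subset = (grant.get("Constraints") or {}).get("EncryptionContextSubset") or {}
    constrained = "aws:s3:arn" in subset

    adx_retires = bool(ADX_PRINCIPAL_RE.match(retiring))
    if ADX_PRINCIPAL_RE.match(grantee) and adx_retires \
            and ops == PARENT_OPERATIONS and constrained:
        return "parent"
    if ACCOUNT_ID_RE.match(grantee) and adx_retires \
            and ops == CHILD_OPERATIONS and constrained:
        return "child"
    return "other"


def summarize_grants(grants: list) -> dict:
    """Group grant IDs by class; anything listed under 'other' warrants a look."""
    summary = {"parent": [], "child": [], "other": []}
    for grant in grants:
        summary[classify_grant(grant)].append(grant["GrantId"])
    return summary


# Constructed sample modelled on the grants AWS Data Exchange creates.
SAMPLE_GRANTS = [
    {
        "GrantId": "grant-parent",
        "GranteePrincipal": "dataexchange.us-east-2.amazonaws.com",
        "RetiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
        "Operations": ["CreateGrant", "Decrypt", "RetireGrant"],
        "Constraints": {"EncryptionContextSubset": {"aws:s3:arn": "arn:aws:s3:::provider-shared-bucket"}},
    },
    {
        "GrantId": "grant-child",
        "GranteePrincipal": "444455556666",
        "RetiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
        "Operations": ["Decrypt"],
        "Constraints": {"EncryptionContextSubset": {"aws:s3:arn": "arn:aws:s3:::provider-shared-bucket"}},
    },
    {
        # Stray grant: unconstrained Decrypt for an arbitrary role, not managed by ADX.
        "GrantId": "grant-stray",
        "GranteePrincipal": "arn:aws:iam::111122223333:role/legacy-etl",
        "Operations": ["Decrypt"],
    },
]

if __name__ == "__main__":
    # Against a real key: grants = boto3.client("kms").list_grants(KeyId=key_arn)["Grants"]
    # (page through "NextMarker" if the response is truncated).
    print(summarize_grants(SAMPLE_GRANTS))
```

Run this periodically, or after a subscription ends or a revision is revoked, and compare the result with the current subscriber list: a child grant that outlives its subscription, or any grant under "other", is something to investigate with the key owner.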

## Encryption context and grant constraints
<a name="encryption-context-grant-constraint"></a>

AWS Data Exchange uses grant constraints so that the `Decrypt` operation is allowed only when the request includes the specified encryption context. You can use the Amazon S3 Bucket Key feature to encrypt your Amazon S3 objects and share them with AWS Data Exchange; when Bucket Keys are enabled, Amazon S3 implicitly uses the bucket Amazon Resource Name (ARN) as the encryption context. The following example shows how AWS Data Exchange uses the bucket ARN as the AWS KMS grant constraint on every grant it creates.

```
"Constraints": {
    "EncryptionContextSubset": {
        "aws:s3:arn": "arn:aws:s3:::<Bucket ARN>"
    }
}
```
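To make the effect of that constraint concrete, the following added example (not AWS code) models the documented AWS KMS rule for grant constraints: with `EncryptionContextSubset`, every key/value pair in the constraint must appear in the request's encryption context (extra pairs are permitted); with `EncryptionContextEquals`, the contexts must match exactly. It then evaluates the constraint against the encryption contexts Amazon S3 sends, which per the S3 documentation is the bucket ARN when S3 Bucket Keys are enabled and the object ARN otherwise. The bucket name and object key are constructed placeholders.

```python
"""Model of how AWS KMS applies a grant's encryption context constraint.

Added example, not AWS code. It implements the documented rule for the two
constraint types: EncryptionContextSubset requires every constrained pair to
appear in the request's encryption context (additional pairs are fine);
EncryptionContextEquals requires an exact match. BUCKET_ARN is a constructed
placeholder for the shared bucket.
"""

BUCKET_ARN = "arn:aws:s3:::provider-shared-bucket"

# Constraint AWS Data Exchange places on the grants it creates (see above).
ADX_GRANT_CONSTRAINTS = {"EncryptionContextSubset": {"aws:s3:arn": BUCKET_ARN}}


def constraint_allows(constraints: dict, request_context: dict) -> bool:
    """True if request_context satisfies every constraint in the grant."""
    subset = constraints.get("EncryptionContextSubset")
    if subset is not None:
        # Each constrained pair must be present with exactly this value.
        if any(request_context.get(k) != v for k, v in subset.items()):
            return False
    equals = constraints.get("EncryptionContextEquals")
    if equals is not None and request_context != equals:
        return False
    return True


def decrypt_allowed(constraints: dict, request_context: dict,
                    operations=("Decrypt",)) -> bool:
    """A Decrypt succeeds under the grant only if Decrypt is among the granted
    operations and the request's encryption context passes the constraint."""
    return "Decrypt" in operations and constraint_allows(constraints, request_context)


# Encryption contexts S3 sends to KMS, per the S3 documentation: the bucket
# ARN when S3 Bucket Keys are enabled, otherwise the object ARN.
CTX_BUCKET_KEY = {"aws:s3:arn": BUCKET_ARN}
CTX_OBJECT = {"aws:s3:arn": BUCKET_ARN + "/data/2023/part-0001.parquet"}
CTX_OTHER_BUCKET = {"aws:s3:arn": "arn:aws:s3:::some-other-bucket"}

if __name__ == "__main__":
    for label, ctx in [("bucket key", CTX_BUCKET_KEY), ("object", CTX_OBJECT),
                       ("other bucket", CTX_OTHER_BUCKET), ("no context", {})]:
        print(f"{label:13s} -> {decrypt_allowed(ADX_GRANT_CONSTRAINTS, ctx)}")
```

The object-ARN case is the one to notice: a grant constrained to the bucket ARN does not cover objects whose encryption context is an object ARN, which is why objects shared this way are expected to be encrypted with Bucket Keys enabled. The grant also gives a subscriber nothing outside the bucket, since a `Decrypt` with a different or empty encryption context fails the constraint.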

## Monitoring your AWS KMS keys in AWS Data Exchange
<a name="monitoring-your-kms-keys"></a>

When you share an AWS KMS customer managed key with AWS Data Exchange, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) to track the requests that AWS Data Exchange or data subscribers send to AWS KMS. Because the key lives in your account, `Decrypt` calls that subscribers make under their child grant are also delivered to your CloudTrail; the `sharedEventID` field ties the copy in your trail to the copy in the subscriber's. The following examples show what CloudTrail log entries for `CreateGrant` and `Decrypt` calls to AWS KMS look like.

------
#### [ CreateGrant for parent ]

`CreateGrant` for the parent grant that AWS Data Exchange creates for itself.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole", 
        "principalId": "AROAIGDTESTANDEXAMPLE:Provider01",
        "arn": "arn:aws:sts::<your-account-id>:assumed-role/Admin/Provider01",
        "accountId": "<your-account-id>",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::<your-account-id>:role/Admin/Provider01",
                "accountId": "<your-account-id>",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-02-16T17:29:23Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datax.amazonaws.com"
    },
    "eventTime": "2023-02-16T17:32:47Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datax.amazonaws.com",
    "userAgent": "datax.amazonaws.com",
    "requestParameters": {
        "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>",
        "operations": [
            "CreateGrant",
            "Decrypt",
            "RetireGrant"
        ],
        "granteePrincipal": "dataexchange.us-east-2.amazonaws.com",
        "retiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
        "constraints": {
            "encryptionContextSubset": {
                "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>"
            }
        }
    },
    "responseElements": {
        "grantId": "<KMS Grant ID of the created Grant>",
        "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "<Your Account Id>",
            "type": "AWS::KMS::Key",
            "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<Your Account Id>",
    "eventCategory": "Management"
}
```

------
#### [ CreateGrant for child ]

`CreateGrant` for a child grant that AWS Data Exchange creates for a subscriber.

```
{
      "eventVersion": "1.08",
      "userIdentity": {
         "type": "AWSService",
         "invokedBy": "datax.amazonaws.com"
     },
     "eventTime": "2023-02-15T23:15:49Z",
     "eventSource": "kms.amazonaws.com",
     "eventName": "CreateGrant",
     "awsRegion": "us-east-2",
     "sourceIPAddress": "datax.amazonaws.com",
     "userAgent": "datax.amazonaws.com",
     "requestParameters": {
         "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>",
         "operations": [
             "Decrypt"
         ],
         "granteePrincipal": "<Subscriber's account Id>",
         "retiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
         "constraints": {
             "encryptionContextSubset": {
                 "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>"
             }
         }
     },
     "responseElements": {
         "grantId": "<KMS Grant ID of the created Grant>",
         "keyId": "<Key ARN of the Key you shared with AWS Data Exchange>"
     },
     "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
     "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
     "readOnly": false,
     "resources": [
         {
             "accountId": "<Your Account Id>",
             "type": "AWS::KMS::Key",
             "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>"
         }
     ],
     "eventType": "AwsApiCall",
     "managementEvent": true,
     "recipientAccountId": "<Your Account Id>",
     "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
     "eventCategory": "Management"
}
```

------
#### [ Decrypt ]

`Decrypt` is called when a subscriber attempts to read the encrypted data they have subscribed to.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSAccount",
        "principalId": "AROAIGDTESTANDEXAMPLE:Subscriber01",
        "accountId": "<subscriber-account-id>",
        "invokedBy": "<subscriber's IAM identity>"
    },
    "eventTime": "2023-02-15T23:28:30Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "<subscriber's IP address>",
    "userAgent": "<subscriber's user agent>",
    "requestParameters": {
        "encryptionContext": {
            "aws:s3:arn": "arn:aws:s3:::<Your Bucket ARN>"
        },
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "<Your Account Id>",
            "type": "AWS::KMS::Key",
            "ARN": "<Key ARN of the Key you shared with AWS Data Exchange>"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "602466227860",
    "sharedEventID": "bcf4d02a-31ea-4497-9c98-4c3549f20a7b",
    "eventCategory": "Management"
}
```

------
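The three log entries above give you what a detection rule needs: every expected `CreateGrant` on the shared key is invoked via `datax.amazonaws.com` and carries the bucket-ARN constraint, and every expected `Decrypt` comes from a subscriber account with the bucket ARN as its encryption context. The following added detection example (not AWS code) applies those checks to CloudTrail records shaped like the samples above and reports anything that deviates. The key ARN, bucket ARN, account IDs and the four log records are constructed.

```python
"""Scan CloudTrail records for unexpected KMS activity on a shared key.

Added detection example, not AWS code. It checks records shaped like the
CloudTrail samples on this page. Key ARN, bucket ARN, account IDs and the
log records are constructed placeholders.
"""
import json

SHARED_KEY_ARN = "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SHARED_BUCKET_ARN = "arn:aws:s3:::provider-shared-bucket"
ADX_SERVICE = "datax.amazonaws.com"
PROVIDER_ACCOUNT = "111122223333"
KNOWN_SUBSCRIBERS = {"444455556666"}


def check_event(event: dict) -> list:
    """Return findings (strings) for one CloudTrail record; empty if benign."""
    findings = []
    if event.get("eventSource") != "kms.amazonaws.com":
        return findings
    if SHARED_KEY_ARN not in {r.get("ARN") for r in event.get("resources", [])}:
        return findings  # some other key

    identity = event.get("userIdentity") or {}
    params = event.get("requestParameters") or {}
    name = event.get("eventName")

    if name == "CreateGrant":
        # Both parent and child grants are created via the ADX service principal.
        if identity.get("invokedBy") != ADX_SERVICE:
            findings.append("CreateGrant not invoked via " + ADX_SERVICE)
        subset = (params.get("constraints") or {}).get("encryptionContextSubset") or {}
        if subset.get("aws:s3:arn") != SHARED_BUCKET_ARN:
            findings.append("CreateGrant lacks bucket-ARN encryption context constraint")
    elif name == "Decrypt":
        ctx = params.get("encryptionContext") or {}
        if ctx.get("aws:s3:arn") != SHARED_BUCKET_ARN:
            findings.append("Decrypt with encryption context outside the shared bucket")
        account = identity.get("accountId")
        if account != PROVIDER_ACCOUNT and account not in KNOWN_SUBSCRIBERS:
            findings.append(f"Decrypt by unknown account {account}")
    return findings


def scan_log(log_text: str) -> list:
    """Parse a CloudTrail log file body and return (eventID, finding) pairs."""
    records = json.loads(log_text).get("Records", [])
    return [(r.get("eventID"), f) for r in records for f in check_event(r)]


def _kms_event(name, identity, params, event_id):
    """Build a minimal CloudTrail record for the shared key (test data helper)."""
    return {
        "eventSource": "kms.amazonaws.com", "eventName": name, "eventID": event_id,
        "userIdentity": identity, "requestParameters": params,
        "resources": [{"type": "AWS::KMS::Key", "ARN": SHARED_KEY_ARN}],
    }


# Constructed log: one benign parent grant, one grant created outside ADX with
# no constraint, one benign subscriber Decrypt, one Decrypt from a stranger.
SAMPLE_LOG = json.dumps({"Records": [
    _kms_event("CreateGrant",
               {"type": "AssumedRole", "accountId": PROVIDER_ACCOUNT, "invokedBy": ADX_SERVICE},
               {"granteePrincipal": "dataexchange.us-east-2.amazonaws.com",
                "operations": ["CreateGrant", "Decrypt", "RetireGrant"],
                "constraints": {"encryptionContextSubset": {"aws:s3:arn": SHARED_BUCKET_ARN}}},
               "evt-1"),
    _kms_event("CreateGrant",
               {"type": "AssumedRole", "accountId": PROVIDER_ACCOUNT,
                "arn": f"arn:aws:sts::{PROVIDER_ACCOUNT}:assumed-role/Admin/Someone"},
               {"granteePrincipal": "arn:aws:iam::999999999999:root", "operations": ["Decrypt"]},
               "evt-2"),
    _kms_event("Decrypt",
               {"type": "AWSAccount", "accountId": "444455556666"},
               {"encryptionContext": {"aws:s3:arn": SHARED_BUCKET_ARN},
                "encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
               "evt-3"),
    _kms_event("Decrypt",
               {"type": "AWSAccount", "accountId": "999999999999"},
               {"encryptionContext": {"aws:s3:arn": SHARED_BUCKET_ARN},
                "encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
               "evt-4"),
]})

if __name__ == "__main__":
    for event_id, finding in scan_log(SAMPLE_LOG):
        print(event_id, finding)
```

Keep `KNOWN_SUBSCRIBERS` in sync with your active subscriptions: a `Decrypt` by an account that is no longer subscribed means its child grant was not retired, which is worth checking against the grants on the key.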