

This page is a machine translation of the English version. If the content is ambiguous or inconsistent, the English version prevails.

# Creating a customer managed key for AWS KMS access
<a name="code-security-assessments-creating-a-key"></a>

By default, your data is encrypted with an [AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk). This means the key is created, owned, and managed by the service. If you want to own and manage the key used to encrypt your data, you can create a [customer managed KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk). Amazon Inspector does not interact with your data. Amazon Inspector only retrieves metadata from the repositories in your source code provider. For information about how to create a customer managed KMS key, see [Creating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the *AWS Key Management Service User Guide*.

**Policy example**  
Use the following example policy when you [create a customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html).

**Note**  
The [FAS permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) in the following policy are specific to Amazon Inspector, because they allow Amazon Inspector to perform only these API calls.

------
#### [ JSON ]


```json
{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
    {
      "Sid": "Allow Q to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext",
      "Effect": "Allow",
      "Principal": {
        "Service": "q.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:inspector2:us-east-1:111122223333:codesecurity-integration/*"
        }
      }
    },
    {
      "Sid": "Allow Q to use DescribeKey",
      "Effect": "Allow",
      "Principal": {
        "Service": "q.amazonaws.com"
      },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "Allow Inspector to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext using FAS",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/inspectorCodeSecurity"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "inspector2.us-east-1.amazonaws.com"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333"
        }
      }
    },
    {
      "Sid": "Allow Inspector to use DescribeKey using FAS",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/inspectorCodeSecurity"
      },
      "Action": [
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "inspector2.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

------

After you create the KMS key, you can use the following Amazon Inspector APIs.
+ UpdateEncryptionKey – Use `CODE_REPOSITORY` for `resourceType` and `CODE` as the scan type to configure use of the customer managed KMS key.
+ GetEncryptionKey – Use `CODE_REPOSITORY` for `resourceType` and `CODE` as the scan type to retrieve the KMS key configuration.
+ ResetEncryptionKey – Use `CODE_REPOSITORY` for `resourceType` and `CODE` to reset the KMS key configuration and go back to the AWS owned KMS key.
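As an added worked example (not code from the AWS documentation), the following Python builds the key policy shown above for a given account, Region and FAS role, checks that every statement granting data-key operations keeps the `aws:SourceArn` / `kms:ViaService` and encryption-context conditions that stop the key from being used on another account's behalf, and then applies it with the UpdateEncryptionKey call from the list above. The boto3 calls, and the account, Region and role values, are assumptions.

```python
import json

DATA_KEY_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
                    "kms:GenerateDataKeyWithoutPlaintext"]

def build_key_policy(account, region, role_name):
    """Build the page's key policy for one account, Region and FAS role."""
    q = {"Service": "q.amazonaws.com"}
    role = {"AWS": f"arn:aws:iam::{account}:role/{role_name}"}
    # Encryption-context condition: the key only wraps data for this account's scans.
    scope = {"StringLike": {"kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": account}}
    via = {"StringEquals": {"kms:ViaService": f"inspector2.{region}.amazonaws.com"}}
    return {"Version": "2012-10-17", "Id": "key-policy", "Statement": [
        {"Sid": "Allow Q to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext",
         "Effect": "Allow", "Principal": q, "Action": DATA_KEY_ACTIONS, "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceAccount": account}, **scope,
                       "ArnLike": {"aws:SourceArn": f"arn:aws:inspector2:{region}:"
                                   f"{account}:codesecurity-integration/*"}}},
        {"Sid": "Allow Q to use DescribeKey", "Effect": "Allow", "Principal": q,
         "Action": "kms:DescribeKey", "Resource": "*"},
        {"Sid": "Allow Inspector to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext using FAS",
         "Effect": "Allow", "Principal": role, "Action": DATA_KEY_ACTIONS, "Resource": "*",
         "Condition": {**via, **scope}},
        {"Sid": "Allow Inspector to use DescribeKey using FAS", "Effect": "Allow",
         "Principal": role, "Action": ["kms:DescribeKey"], "Resource": "*", "Condition": via},
    ]}

def unscoped_statements(policy):
    """Sids of Allow statements granting data-key operations without SourceArn or
    ViaService plus the encryption-context scope: each hit is a confused-deputy exposure."""
    bad = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or not set(actions) & set(DATA_KEY_ACTIONS):
            continue
        cond = json.dumps(st.get("Condition", {}))
        if not (("aws:SourceArn" in cond or "kms:ViaService" in cond)
                and "codesecurity-scope" in cond):
            bad.append(st["Sid"])
    return bad

def configure_inspector_key(kms_key_id, account, region):
    """Attach the checked policy, then register the key with UpdateEncryptionKey
    (assumes boto3 and AWS credentials; this function is not run offline)."""
    import boto3
    policy = build_key_policy(account, region, "inspectorCodeSecurity")
    boto3.client("kms", region_name=region).put_key_policy(
        KeyId=kms_key_id, PolicyName="default", Policy=json.dumps(policy))
    boto3.client("inspector2", region_name=region).update_encryption_key(
        kmsKeyId=kms_key_id, resourceType="CODE_REPOSITORY", scanType="CODE")
```

Run `unscoped_statements` against any edited copy of the policy before applying it; an empty list means every data-key grant is still tied to this account's Inspector integration.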