Encryption at rest for AWS Lambda - AWS Lambda

Encryption at rest for AWS Lambda

Lambda always provides encryption at rest with AWS owned keys or AWS managed keys for the following resources:

  • Environment variables

  • Files that you upload to Lambda, including deployment packages and layer archives

  • Event source mapping filter criteria objects

You can optionally configure Lambda to use customer managed keys to encrypt environment variables, .zip deployment packages, and filter criteria objects.

By default, Amazon CloudWatch Logs and AWS X-Ray also encrypt data, and both can be configured to use customer managed keys. For more information, see Encrypt log data in CloudWatch Logs and Data protection in AWS X-Ray.

Monitoring your encryption keys for Lambda

When you use an AWS KMS customer managed key with Lambda, you can use AWS CloudTrail to monitor the calls that Lambda makes to AWS KMS on your behalf. The following examples are CloudTrail events for the Decrypt, DescribeKey, and GenerateDataKey calls that Lambda makes to access data encrypted with your customer managed key.

Decrypt

If you use an AWS KMS customer managed key to encrypt filter criteria objects, Lambda sends a Decrypt request on your behalf when you try to access that data in plaintext (for example, from a ListEventSourceMappings call). The following example event records the Decrypt operation:

{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROA123456789EXAMPLE:example",
    "arn": "arn:aws:sts::123456789012:assumed-role/role-name/example",
    "accountId": "123456789012",
    "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROA123456789EXAMPLE",
        "arn": "arn:aws:iam::123456789012:role/role-name",
        "accountId": "123456789012",
        "userName": "role-name"
      },
      "attributes": {
        "creationDate": "2024-05-30T00:45:23Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "lambda.amazonaws.com"
  },
  "eventTime": "2024-05-30T01:05:46Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "lambda.amazonaws.com",
  "userAgent": "lambda.amazonaws.com",
  "requestParameters": {
    "keyId": "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "encryptionContext": {
      "aws-crypto-public-key": "ABCD+7876787678+CDEFGHIJKL/888666888999888555444111555222888333111==",
      "aws:lambda:EventSourceArn": "arn:aws:sqs:eu-west-1:123456789012:sample-source",
      "aws:lambda:FunctionArn": "arn:aws:lambda:eu-west-1:123456789012:function:sample-function"
    },
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
  },
  "responseElements": null,
  "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
  "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
  "readOnly": true,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
}

DescribeKey

If you use an AWS KMS customer managed key to encrypt filter criteria objects, Lambda sends a DescribeKey request on your behalf when you try to access the key (for example, from a GetEventSourceMapping call). The following example event records the DescribeKey operation:

{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROA123456789EXAMPLE:example",
    "arn": "arn:aws:sts::123456789012:assumed-role/role-name/example",
    "accountId": "123456789012",
    "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROA123456789EXAMPLE",
        "arn": "arn:aws:iam::123456789012:role/role-name",
        "accountId": "123456789012",
        "userName": "role-name"
      },
      "attributes": {
        "creationDate": "2024-05-30T00:45:23Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2024-05-30T01:09:40Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DescribeKey",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "54.240.197.238",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
  "requestParameters": {
    "keyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
  },
  "responseElements": null,
  "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
  "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
  "readOnly": true,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_256_GCM_SHA384",
    "clientProvidedHostHeader": "kms.eu-west-1.amazonaws.com"
  },
  "sessionCredentialFromConsole": "true"
}

GenerateDataKey

When you use an AWS KMS customer managed key to encrypt the filter criteria object in a CreateEventSourceMapping or UpdateEventSourceMapping call, Lambda sends a GenerateDataKey request on your behalf to generate a data key that encrypts the filter criteria (envelope encryption). The following example event records the GenerateDataKey operation:

{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROA123456789EXAMPLE:example",
    "arn": "arn:aws:sts::123456789012:assumed-role/role-name/example",
    "accountId": "123456789012",
    "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROA123456789EXAMPLE",
        "arn": "arn:aws:iam::123456789012:role/role-name",
        "accountId": "123456789012",
        "userName": "role-name"
      },
      "attributes": {
        "creationDate": "2024-05-30T00:06:07Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "lambda.amazonaws.com"
  },
  "eventTime": "2024-05-30T01:04:18Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "lambda.amazonaws.com",
  "userAgent": "lambda.amazonaws.com",
  "requestParameters": {
    "numberOfBytes": 32,
    "keyId": "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "encryptionContext": {
      "aws-crypto-public-key": "ABCD+7876787678+CDEFGHIJKL/888666888999888555444111555222888333111==",
      "aws:lambda:EventSourceArn": "arn:aws:sqs:eu-west-1:123456789012:sample-source",
      "aws:lambda:FunctionArn": "arn:aws:lambda:eu-west-1:123456789012:function:sample-function"
    }
  },
  "responseElements": null,
  "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
  "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
  "readOnly": true,
  "resources": [
    {
      "accountId": "AWS Internal",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management"
}
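As an added example (not part of the AWS documentation), the following Python audits CloudTrail records such as the three events above: it keeps only the Decrypt, DescribeKey and GenerateDataKey calls made against a given key, normalises the key reference (DescribeKey logs the bare key id while the other two log the key ARN), and reports whether each call came via Lambda (invokedBy) and which function and event source the encryption context names. The sample records are constructed and trimmed to the fields read; the function and field names are this example's own.

```python
from typing import Dict, Iterable, List, Optional

# KMS operations that Lambda issues on the caller's behalf (from the page above).
LAMBDA_KMS_OPS = {"Decrypt", "DescribeKey", "GenerateDataKey"}
KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
# Constructed CloudTrail records, trimmed to the fields the audit reads.
SAMPLE_RECORDS: List[Dict] = [
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/role-name/example",
                      "invokedBy": "lambda.amazonaws.com"},
     "sourceIPAddress": "lambda.amazonaws.com",
     "requestParameters": {"keyId": KEY_ARN, "encryptionContext": {
         "aws:lambda:EventSourceArn": "arn:aws:sqs:eu-west-1:123456789012:sample-source",
         "aws:lambda:FunctionArn": "arn:aws:lambda:eu-west-1:123456789012:function:sample-function"}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/role-name/example"},
     "sourceIPAddress": "54.240.197.238",
     "requestParameters": {"keyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",  # different key: ignored
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/role-name/example"},
     "requestParameters": {"keyId": "arn:aws:kms:eu-west-1:123456789012:key/OTHER-KEY-EXAMPLE"}},
]

def key_uuid(key_id: str) -> str:
    # DescribeKey logs the bare key id, Decrypt/GenerateDataKey the full ARN: compare ids only.
    return key_id.rsplit("key/", 1)[-1]

def summarise_kms_event(event: Dict) -> Optional[Dict]:
    # Return a compact record for a Lambda-relevant KMS call, or None otherwise.
    if event.get("eventSource") != "kms.amazonaws.com" or event.get("eventName") not in LAMBDA_KMS_OPS:
        return None
    params = event.get("requestParameters") or {}
    ctx = params.get("encryptionContext") or {}          # absent on DescribeKey
    identity = event.get("userIdentity") or {}
    return {
        "eventName": event["eventName"],
        "keyId": key_uuid(params.get("keyId", "")),
        "viaLambda": identity.get("invokedBy") == "lambda.amazonaws.com",
        "principal": identity.get("arn"),
        "functionArn": ctx.get("aws:lambda:FunctionArn"),
        "eventSourceArn": ctx.get("aws:lambda:EventSourceArn"),
        "sourceIp": event.get("sourceIPAddress"),
    }

def audit_key_usage(records: Iterable[Dict], key_id: str) -> List[Dict]:
    # Keep only Lambda-related KMS calls against this key (bare id or ARN accepted).
    want = key_uuid(key_id)
    return [s for s in map(summarise_kms_event, records) if s and s["keyId"] == want]
```

A DescribeKey or Decrypt hit with viaLambda false and a non-Lambda source address is a direct principal call rather than one Lambda made on your behalf, which is the distinction worth reviewing when the key is meant to serve only Lambda.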