本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用 Amazon SageMaker 地理空間功能的 AWS KMS 許可
您可以使用 SageMaker 地理空間功能的加密來保護靜態資料。依預設,它會使用伺服器端加密搭配 Amazon SageMaker 地理空間擁有的金鑰。SageMaker 地理空間功能也支援使用客戶管理 KMS 金鑰進行伺服器端加密的選項。
## 伺服器端加密搭配 Amazon SageMaker 地理空間管理的金鑰 (預設)。
SageMaker 地理空間功能會加密您的所有資料,包括來自地球觀測工作 (EOJ) 和向量豐富工作 (VEJ) 的運算結果,以及您所有的服務中繼資料。SageMaker 地理空間功能中儲存的資料均已加密。它使用預設 AWS 擁有的金鑰來加密所有資料。
## 伺服器端加密搭配客戶管理的KMS 金鑰 (選用)
SageMaker 地理空間功能支援使用您建立、擁有和管理的對稱客戶受管金鑰,以透過現有 AWS 擁有的加密新增第二層加密。您可以完全控制此層加密,因此能執行以下任務:
+ 建立和維護金鑰政策
+ 建立和維護 IAM 政策和授予操作
+ 啟用和停用金鑰政策
+ 輪換金鑰密碼編譯資料
+ 新增 標籤
+ 建立金鑰別名
+ 安排金鑰供刪除
如需更多資訊,請參閱 *AWS Key Management Service 開發人員指南*中的[客戶受管金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)。
## SageMaker 地理空間功能如何在 中使用授予 AWS KMS
SageMaker 地理空間功能需要授權,才能使用您的客戶受管金鑰。當您建立 EOJ 或使用客戶受管金鑰加密的 VEJ 時,SageMaker 地理空間功能會透過傳送`CreateGrant`請求至 來代表您建立授予 AWS KMS。中的授予 AWS KMS 用於授予 SageMaker 地理空間功能存取客戶帳戶中 KMS 金鑰的權限。您可以隨時撤銷授予的存取權,或移除服務對客戶受管金鑰的存取權。如果您這麼做,SageMaker 地理空間功能就無法存取客戶受管金鑰的任何資料,這會影響與該資料相依的操作。
## 建立客戶受管金鑰
您可以使用 AWS 管理主控台或 AWS KMS APIs 來建立對稱客戶受管金鑰。
**建立對稱客戶受管金鑰**
請遵循《 AWS Key Management Service 開發人員指南》中的[建立對稱加密 KMS 金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk)的步驟。
**金鑰政策**
金鑰政策會控制客戶受管金鑰的存取權限。每個客戶受管金鑰都必須只有一個金鑰政策,其中包含決定誰可以使用金鑰及其使用方式的陳述式。在建立客戶受管金鑰時,可以指定金鑰政策。如需詳細資訊,請參閱《 *AWS Key Management Service 開發人員指南*》中的[判斷 AWS KMS 金鑰的存取權](https://docs.aws.amazon.com/kms/latest/developerguide/determining-access.html)。
若要將客戶受管金鑰與 SageMaker 地理空間功能資源搭配使用,必須在金鑰政策中允許下列 API 作業。這些作業的主體應該是您在 SageMaker 地理空間功能請求中提供的執行角色。SageMaker 地理空間功能會在請求中採用提供的執行角色,以執行這些 KMS 作業。
+ `[kms:CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)`
+ `kms:GenerateDataKey`
+ `kms:Decrypt`
+ `kms:GenerateDataKeyWithoutPlaintext`
以下是您可以為 SageMaker 地理空間功能新增的政策陳述式範例:
**CreateGrant**
```
"Statement" : [
{
"Sid" : "Allow access to Amazon SageMaker geospatial capabilities",
"Effect" : "Allow",
"Principal" : {
"AWS" : ""
},
"Action" : [
"kms:CreateGrant",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource" : "*",
},
]
```
如需有關在政策中指定許可的更多相關資訊,請參閱 *AWS Key Management Service 開發人員指南*中的[AWS KMS 許可](https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)。如需有關故障診斷的更多相關資訊,請參閱 *AWS Key Management Service 開發人員指南*中的[對金鑰存取進行故障診斷](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html)。
如果您的金鑰政策沒有您的帳戶根作為金鑰管理員,您需要在執行角色 ARN 上新增相同的 KMS 許可。以下是您可以新增至執行角色的政策範例:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": [
"arn:aws:kms:us-east-1:111122223333:key/key-id"
],
"Effect": "Allow"
}
]
}
```
------
## 監控您的加密金鑰以取得 SageMaker 地理空間功能
當您搭配 SageMaker 地理空間功能資源使用 AWS KMS 客戶受管金鑰時,您可以使用 AWS CloudTrail 或 Amazon CloudWatch Logs 來追蹤 SageMaker 地理空間傳送的請求 AWS KMS。
選取下表中的索引標籤,以查看監控 SageMaker 地理空間功能呼叫的 KMS 操作 AWS CloudTrail 的事件範例,以存取客戶受管金鑰加密的資料。
------
#### [ CreateGrant ]
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIGDTESTANDEXAMPLE:SageMaker-Geospatial-StartEOJ-KMSAccess",
"arn": "arn:aws:sts::111122223333:assumed-role/SageMakerGeospatialCustomerRole/SageMaker-Geospatial-StartEOJ-KMSAccess",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAIOSFODNN7EXAMPLE3",
"arn": "arn:aws:sts::111122223333:assumed-role/SageMakerGeospatialCustomerRole",
"accountId": "111122223333",
"userName": "SageMakerGeospatialCustomerRole"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-03-17T18:02:06Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "arn:aws:iam::111122223333:root"
},
"eventTime": "2023-03-17T18:02:06Z",
"eventSource": "kms.amazonaws.com",
"eventName": "CreateGrant",
"awsRegion": "us-west-2",
"sourceIPAddress": "172.12.34.56",
"userAgent": "ExampleDesktop/1.0 (V1; OS)",
"requestParameters": {
"retiringPrincipal": "sagemaker-geospatial.us-west-2.amazonaws.com",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
"operations": [
"Decrypt"
],
"granteePrincipal": "sagemaker-geospatial.us-west-2.amazonaws.com"
},
"responseElements": {
"grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
},
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": false,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------
#### [ GenerateDataKey ]
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AWSService",
"invokedBy": "sagemaker-geospatial.amazonaws.com"
},
"eventTime": "2023-03-24T00:29:45Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKey",
"awsRegion": "us-west-2",
"sourceIPAddress": "sagemaker-geospatial.amazonaws.com",
"userAgent": "sagemaker-geospatial.amazonaws.com",
"requestParameters": {
"encryptionContext": {
"aws:s3:arn": "arn:aws:s3:::axis-earth-observation-job-378778860802/111122223333/napy9eintp64/output/consolidated/32PPR/2022-01-04T09:58:03Z/S2B_32PPR_20220104_0_L2A_msavi.tif"
},
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
"keySpec": "AES_256"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------
#### [ Decrypt ]
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AWSService",
"invokedBy": "sagemaker-geospatial.amazonaws.com"
},
"eventTime": "2023-03-28T22:04:24Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-west-2",
"sourceIPAddress": "sagemaker-geospatial.amazonaws.com",
"userAgent": "sagemaker-geospatial.amazonaws.com",
"requestParameters": {
"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
"encryptionContext": {
"aws:s3:arn": "arn:aws:s3:::axis-earth-observation-job-378778860802/111122223333/napy9eintp64/output/consolidated/32PPR/2022-01-04T09:58:03Z/S2B_32PPR_20220104_0_L2A_msavi.tif"
},
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------
#### [ GenerateDataKeyWithoutPlainText ]
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIGDTESTANDEXAMPLE:SageMaker-Geospatial-StartEOJ-KMSAccess",
"arn": "arn:aws:sts::111122223333:assumed-role/SageMakerGeospatialCustomerRole/SageMaker-Geospatial-StartEOJ-KMSAccess",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAIOSFODNN7EXAMPLE3",
"arn": "arn:aws:sts::111122223333:assumed-role/SageMakerGeospatialCustomerRole",
"accountId": "111122223333",
"userName": "SageMakerGeospatialCustomerRole"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-03-17T18:02:06Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "arn:aws:iam::111122223333:root"
},
"eventTime": "2023-03-28T22:09:16Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKeyWithoutPlaintext",
"awsRegion": "us-west-2",
"sourceIPAddress": "172.12.34.56",
"userAgent": "ExampleDesktop/1.0 (V1; OS)",
"requestParameters": {
"keySpec": "AES_256",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------