本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AWS Verified Access 的靜態資料加密
AWS Verified Access 預設會使用 AWS 擁有的 KMS 金鑰加密靜態資料。根據預設,當靜態資料加密時,有助於降低保護敏感資料所涉及的操作開銷和複雜性。同時,其可讓您建置符合嚴格加密合規性和法規要求的安全應用程式。下列各節提供 Verified Access 如何使用 KMS 金鑰進行靜態資料加密的詳細資訊。
**Topics**
+ [驗證存取和 KMS 金鑰](#kms-keys)
+ [個人身分識別資訊](#types-of-pii)
+ [AWS Verified Access 如何在 中使用授予 AWS KMS](#encryption-grant)
+ [搭配 Verified Access 使用客戶受管金鑰](#using-cmk)
+ [指定 Verified Access 資源的客戶受管金鑰](#enable-additional-encryption)
+ [AWS 驗證存取加密內容](#encryption-context)
+ [監控您的加密金鑰以進行 AWS Verified Access](#monitor-key-use)
## 驗證存取和 KMS 金鑰
**AWS 擁有的金鑰**
Verified Access 使用 KMS 金鑰自動加密個人身分識別資訊 (PII)。預設會發生這種情況,您無法自行檢視、管理、使用或稽核 AWS 擁有金鑰的使用。不過,您不需要採取任何動作或變更任何程式,即可保護加密您資料的金鑰。如需詳細資訊,請參閱《AWS Key Management Service 開發人員指南》**中的 [AWS 擁有的金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk)。
雖然您無法停用此層加密或選取替代加密類型,但您可以在建立 Verified Access 資源時選擇客戶受管金鑰,在現有 AWS 擁有的加密金鑰上新增第二層加密。
**客戶自管金鑰**
Verified Access 支援使用您建立和管理的對稱客戶受管金鑰,在現有的預設加密上新增第二層加密。您可以完全控制此層加密,因此能執行以下任務:
+ 建立和維護金鑰政策
+ 建立和維護 IAM 政策和授予操作
+ 啟用和停用金鑰政策
+ 輪換金鑰密碼編譯資料
+ 新增 標籤
+ 建立金鑰別名
+ 安排金鑰供刪除
如需更多資訊,請參閱 *AWS Key Management Service 開發人員指南*中的[客戶受管金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)。
**注意**
Verified Access 使用 AWS 擁有的金鑰自動啟用靜態加密,免費保護個人身分識別資料。
不過,當您使用客戶受管金鑰時,將會產生 AWS KMS 費用。如需定價的詳細資訊,請參閱 [AWS Key Management Service 定價](https://aws.amazon.com/kms/pricing/)。
## 個人身分識別資訊
下表摘要說明 Verified Access 使用的個人身分識別資訊 (PII),以及其加密方式。
| 資料類型 | AWS 擁有的金鑰加密 | 客戶自管金鑰加密 (選用) |
| --- | --- | --- |
| Trust provider (user-type)使用者類型信任提供者包含 OIDC 選項,例如 AuthorizationEndpoint、UserInfoEndpoint、ClientId、ClientSecret 等,這些選項都視為 PII。 | 已啟用 | 已啟用 |
| Trust provider (device-type)裝置類型信任提供者包含 TenantId,其視為 PII。 | 已啟用 | 已啟用 |
| Group policy在建立或修改 Verified Access 群組期間提供。包含授權存取請求的規則。可能包含使用者名稱和電子郵件地址等 PII。 | 已啟用 | 已啟用 |
| Endpoint policy在建立或修改 Verified Access 端點期間提供。包含授權存取請求的規則。可能包含使用者名稱和電子郵件地址等 PII。 | 已啟用 | 已啟用 |
## AWS Verified Access 如何在 中使用授予 AWS KMS
Verified Access 需要[授予](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)才能使用您的客戶受管金鑰。
當您建立使用客戶受管金鑰加密的 Verified Access 資源時,Verified Access 會透過傳送 [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) 請求給 來代表您建立授予 AWS KMS。中的授予 AWS KMS 用於授予 Verified Access 存取您帳戶中客戶受管金鑰的存取權。
Verified Access 需要授予 ,才能將客戶受管金鑰用於下列內部操作:
+ 將 [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) 請求傳送至 AWS KMS 以解密加密的資料金鑰,以便用來解密您的資料。
+ 傳送 [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) 請求至 AWS KMS 以刪除授予。
您可以隨時撤銷授予的存取權,或移除服務對客戶受管金鑰的存取權。如果您這麼做,Verified Access 將無法存取客戶受管金鑰加密的任何資料,這會影響相依於該資料的操作。
## 搭配 Verified Access 使用客戶受管金鑰
您可以使用 AWS 管理主控台或 AWS KMS APIs 來建立對稱客戶受管金鑰。遵循《 *AWS Key Management Service 開發人員指南*》中[建立對稱加密金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/create-symmetric-cmk.html)的步驟。
**金鑰政策**
金鑰政策會控制客戶受管金鑰的存取權限。每個客戶受管金鑰都必須只有一個金鑰政策,其中包含決定誰可以使用金鑰及其使用方式的陳述式。在建立客戶受管金鑰時,可以指定金鑰政策。如需詳細資訊,請參閱《 *AWS Key Management Service 開發人員指南*》中的[金鑰政策](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)。
若要將客戶受管金鑰與 Verified Access 資源搭配使用,必須在金鑰政策中允許下列 API 操作:
+ `[kms:CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)`:新增客戶受管金鑰的授權。授予控制對指定 KMS 金鑰的存取權,以允許存取授予[驗證存取所需的操作](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)。如需詳細資訊,請參閱《 *AWS Key Management Service 開發人員指南*》中的[授與](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)。
這可讓 Verified Access 執行下列動作:
+ 呼叫 `GenerateDataKeyWithoutPlainText` 以產生加密的資料金鑰並加以儲存,因為資料金鑰不會立即用來加密。
+ 呼叫 `Decrypt` 以使用儲存的加密資料金鑰來存取加密的資料。
+ 設定淘汰主體,以允許服務執行 `RetireGrant`。
+ `[kms:DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)` – 提供客戶受管金鑰詳細資訊,以允許 Verified Access 驗證金鑰。
+ `[kms:GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)` – 允許 Verified Access 使用金鑰來加密資料。
+ `[kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)` – 允許 Verified Access 解密加密的資料金鑰。
以下是可用於 Verified Access 的金鑰政策範例。
```
"Statement" : [
{
"Sid" : "Allow access to principals authorized to use Verified Access",
"Effect" : "Allow",
"Principal" : {
"AWS" : "*"
},
"Action" : [
"kms:DescribeKey",
"kms:CreateGrant",
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"kms:ViaService" : "verified-access.region.amazonaws.com",
"kms:CallerAccount" : "111122223333"
}
},
{
"Sid": "Allow access for key administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action" : [
"kms:*"
],
"Resource": "arn:aws:kms:region:111122223333:key/key_ID"
},
{
"Sid" : "Allow read-only access to key metadata to the account",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::111122223333:root"
},
"Action" : [
"kms:Describe*",
"kms:Get*",
"kms:List*",
"kms:RevokeGrant"
],
"Resource" : "*"
}
]
```
如需詳細資訊,請參閱《 *AWS Key Management Service 開發人員指南*》中的[建立金鑰政策和](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html)[疑難排解金鑰存取](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html)。
## 指定 Verified Access 資源的客戶受管金鑰
您可以指定客戶受管金鑰,為下列資源提供第二層加密:
+ [已驗證的存取群組](verified-access-groups.md)
+ [驗證存取端點](verified-access-endpoints.md)
+ [已驗證的存取信任提供者](trust-providers.md)
當您使用 建立任何這些資源時 AWS 管理主控台,您可以在**其他加密 -- 選用**區段中指定客戶受管金鑰。在此過程中,選取**自訂加密設定 (進階)** 核取方塊,然後輸入您要使用的 AWS KMS 金鑰 ID。這也可以在修改現有資源或使用 來完成 AWS CLI。
**注意**
如果用於將其他加密新增至上述任何資源的客戶受管金鑰遺失,將無法再存取資源的組態值。不過,您可以使用 AWS 管理主控台 或 來修改資源 AWS CLI,以套用新的客戶受管金鑰並重設組態值。
## AWS 驗證存取加密內容
[加密內容](https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html)是選用的一組金鑰/值對,其中包含有關資料的其他內容資訊。 AWS KMS 會使用加密內容作為額外的已驗證資料,以支援已驗證的加密。當您在加密資料的請求中包含加密內容時, 會將加密內容 AWS KMS 繫結至加密的資料。若要解密資料,您必須在請求中包含相同的加密內容。
**AWS 驗證存取加密內容**
Verified Access 在所有 AWS KMS 密碼編譯操作中使用相同的加密內容,其中金鑰為 ,`aws:verified-access:arn`而值為資源 Amazon Resource Name (ARN)。以下是 Verified Access 資源的加密內容。
**已驗證的存取信任提供者**
```
"encryptionContext": {
"aws:verified-access:arn":
"arn:aws:ec2:region:111122223333:VerifiedAccessTrustProviderId"
}
```
**已驗證的存取群組**
```
"encryptionContext": {
"aws:verified-access:arn":
"arn:aws:ec2:region:111122223333:VerifiedAccessGroupId"
}
```
**驗證存取端點**
```
"encryptionContext": {
"aws:verified-access:arn":
"arn:aws:ec2:region:111122223333:VerifiedAccessEndpointId"
}
```
## 監控您的加密金鑰以進行 AWS Verified Access
當您搭配 AWS Verified Access 資源使用客戶受管 KMS 金鑰時,您可以使用 [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) 來追蹤 Verified Access 傳送的請求 AWS KMS。
下列範例是 `CreateGrant`、`RetireGrant`、`DescribeKey`、 `Decrypt`和 AWS CloudTrail 的事件`GenerateDataKey`,其會監控 Verified Access 呼叫的 KMS 操作,以存取客戶受管 KMS 金鑰加密的資料:
------
#### [ CreateGrant ]
當您使用客戶受管金鑰來加密資源時,Verified Access 會代表您傳送存取帳戶中 AWS 金鑰的`CreateGrant`請求。Verified Access 建立的授予專屬於與客戶受管金鑰相關聯的資源。
下面的範例事件會記錄 `CreateGrant` 操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-09-11T16:27:12Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "verified-access.amazonaws.com"
},
"eventTime": "2023-09-11T16:41:42Z",
"eventSource": "kms.amazonaws.com",
"eventName": "CreateGrant",
"awsRegion": "ca-central-1",
"sourceIPAddress": "verified-access.amazonaws.com",
"userAgent": "verified-access.amazonaws.com",
"requestParameters": {
"operations": [
"Decrypt",
"RetireGrant",
"GenerateDataKey"
],
"keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae",
"constraints": {
"encryptionContextSubset": {
"aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-0e54f581e2e5c97a2"
}
},
"granteePrincipal": "verified-access.ca-central-1.amazonaws.com",
"retiringPrincipal": "verified-access.ca-central-1.amazonaws.com"
},
"responseElements": {
"grantId": "e5a050fff9893ba1c43f83fddf61e5f9988f579beaadd6d4ad6d1df07df6048f",
"keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
},
"requestID": "0faa837e-5c69-4189-9736-3957278e6444",
"eventID": "1b6dd8b8-cbee-4a83-9b9d-d95fa5f6fd08",
"readOnly": false,
"resources": [
{
"accountId": "AWS Internal",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------
#### [ RetireGrant ]
Verified Access 使用 `RetireGrant`操作,在您刪除資源時移除授予。
下面的範例事件會記錄 `RetireGrant` 操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-09-11T16:42:33Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "verified-access.amazonaws.com"
},
"eventTime": "2023-09-11T16:47:53Z",
"eventSource": "kms.amazonaws.com",
"eventName": "RetireGrant",
"awsRegion": "ca-central-1",
"sourceIPAddress": "verified-access.amazonaws.com",
"userAgent": "verified-access.amazonaws.com",
"requestParameters": null,
"responseElements": {
"keyId": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
},
"additionalEventData": {
"grantId": "b35e66f9bacb266cec214fcaa353c9cf750785e28773e61ba6f434d8c5c7632f"
},
"requestID": "7d4a31c2-d426-434b-8f86-336532a70462",
"eventID": "17edc343-f25b-43d4-bbff-150d8fff4cf8",
"readOnly": false,
"resources": [
{
"accountId": "AWS Internal",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:ca-central-1:111122223333:key/5ed79e7f-88c9-420c-ae1a-61ee87104dae"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------
#### [ Decrypt ]
Verified Access 會呼叫 `Decrypt`操作,以使用儲存的加密資料金鑰來存取加密的資料。
下面的範例事件會記錄 `Decrypt` 操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-09-11T17:19:33Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "verified-access.amazonaws.com"
},
"eventTime": "2023-09-11T17:47:05Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "ca-central-1",
"sourceIPAddress": "verified-access.amazonaws.com",
"userAgent": "verified-access.amazonaws.com",
"requestParameters": {
"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
"keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e",
"encryptionContext": {
"aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-00f20a4e455e9340f",
"aws-crypto-public-key": "AkK+vi1W/acBKv7OR8p2DeUrA8EgpTffSrjBqNucODuBYhyZ3hlMuYYJz9x7CwQWZw=="
}
},
"responseElements": null,
"requestID": "2e920fd3-f2f6-41b2-a5e7-2c2cb6f853a9",
"eventID": "3329e0a3-bcfb-44cf-9813-8106d6eee31d",
"readOnly": true,
"resources": [
{
"accountId": "AWS Internal",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------
#### [ DescribeKey ]
Verified Access 使用 `DescribeKey`操作來驗證與您資源相關聯的客戶受管金鑰是否存在於帳戶和區域中。
下面的範例事件會記錄 `DescribeKey` 操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-09-11T17:19:33Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "verified-access.amazonaws.com"
},
"eventTime": "2023-09-11T17:46:48Z",
"eventSource": "kms.amazonaws.com",
"eventName": "DescribeKey",
"awsRegion": "ca-central-1",
"sourceIPAddress": "verified-access.amazonaws.com",
"userAgent": "verified-access.amazonaws.com",
"requestParameters": {
"keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
},
"responseElements": null,
"requestID": "5b127082-6691-48fa-bfb0-4d40e1503636",
"eventID": "ffcfc2bb-f94b-4c00-b6fb-feac77daff2a",
"readOnly": true,
"resources": [
{
"accountId": "AWS Internal",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------
#### [ GenerateDataKey ]
下面的範例事件會記錄 `GenerateDataKey` 操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-09-11T17:19:33Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "verified-access.amazonaws.com"
},
"eventTime": "2023-09-11T17:46:49Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKey",
"awsRegion": "ca-central-1",
"sourceIPAddress": "verified-access.amazonaws.com",
"userAgent": "verified-access.amazonaws.com",
"requestParameters": {
"encryptionContext": {
"aws:verified-access:arn": "arn:aws:ec2:ca-central-1:111122223333:verified-access-trust-provider/vatp-00f20a4e455e9340f",
"aws-crypto-public-key": "A/ATGxaYatPUlOtM+l/mfDndkzHUmX5Hav+29IlIm+JRBKFuXf24ulztmOIsqFQliw=="
},
"numberOfBytes": 32,
"keyId": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
},
"responseElements": null,
"requestID": "06535808-7cce-4ae1-ab40-e3afbf158a43",
"eventID": "1ce79601-5a5e-412c-90b3-978925036526",
"readOnly": true,
"resources": [
{
"accountId": "AWS Internal",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:ca-central-1:111122223333:key/380d006e-706a-464b-99c5-68768297114e"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------