本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# Amazon WorkSpaces 安全瀏覽器的靜態加密
根據預設*,靜態加密*是設定,而 WorkSpaces 安全瀏覽器中使用的所有客戶資料 (例如瀏覽器政策陳述式、使用者名稱、記錄或 IP 地址) 都會使用 加密 AWS KMS。根據預設,WorkSpaces 安全瀏覽器會使用 AWS擁有的金鑰啟用加密。您也可以在資源建立時指定 CMK,以使用客戶受管金鑰 (CMK)。這目前僅透過 CLI 支援。
如果您選擇傳遞 CMK,提供的金鑰必須是對稱加密 AWS KMS 金鑰,而且身為管理員的您必須具有下列許可:
```
kms:DescribeKey
kms:GenerateDataKey
kms:GenerateDataKeyWithoutPlaintext
kms:Decrypt
kms:ReEncryptTo
kms:ReEncryptFrom
```
如果您使用 CMK,則需要允許列出 WorkSpaces 安全瀏覽器外部服務主體以存取金鑰。
如需詳細資訊,請參閱 [aws:SourceAccount 的 CMK 金鑰政策範圍範例]()
WorkSpaces 安全瀏覽器會盡可能使用轉送存取工作階段 (FAS) 登入資料來存取您的金鑰。如需 FAS 的詳細資訊,請參閱[轉送存取工作階段](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html)。
在某些情況下,WorkSpaces 安全瀏覽器可能需要以非同步方式存取您的金鑰。透過在金鑰政策中允許列出 WorkSpaces 安全瀏覽器外部服務主體,WorkSpaces 安全瀏覽器將能夠使用金鑰執行允許列出的一組密碼編譯操作。
建立資源之後,就無法再移除或變更金鑰。如果您使用 CMK,身為存取資源的管理員,您必須擁有下列許可:
```
kms:GenerateDataKey
kms:GenerateDataKeyWithoutPlaintext
kms:Decrypt
kms:ReEncryptTo
kms:ReEncryptFrom
```
如果您在使用主控台時看到**存取遭拒**錯誤,則存取主控台的使用者可能沒有在正在使用的金鑰上使用 CMK 所需的許可。
## WorkSpaces 安全瀏覽器的金鑰政策和範圍範例
CMKs需要下列金鑰政策:
```
{
"Version": "2012-10-17",
"Statement": [
...,
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
}
]
}
```
WorkSpaces 安全瀏覽器需要下列許可:
+ `kms:DescribeKey` — 驗證提供的 AWS KMS 金鑰已正確設定。
+ `kms:GenerateDataKeyWithoutPlaintext` 和 `kms:GenerateDataKey` — 請求 AWS KMS 金鑰建立用於加密物件的資料金鑰。
+ `kms:Decrypt` — 請求 AWS KMS 金鑰以解密加密的資料金鑰。這些資料金鑰用於加密您的資料。
+ `kms:ReEncryptTo` 和 `kms:ReEncryptFrom` — 請求 AWS KMS 金鑰允許從 KMS 金鑰重新加密或重新加密至 KMS 金鑰。
### 在 AWS KMS 金鑰上擴展 WorkSpaces 安全瀏覽器許可
當金鑰政策陳述式中的委託人是[AWS 服務委託人](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services)時,我們強烈建議您在加密內容之外,使用 [ aws:SourceArn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) 或 [ aws:SourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) 全域條件金鑰。
用於資源的加密內容一律會包含 格式的項目,`aws:workspaces-web:RESOURCE_TYPE:id`以及對應的資源 ID。
只有在 AWS KMS 請求來自其他服務時,來源 ARN 和來源帳戶值才會包含在授權內容中 AWS 。這個條件組合會實作最低權限許可,並避免潛在的[混淆代理人案例](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)。如需詳細資訊,請參閱[金鑰政策中 AWS 服務的許可](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html.html)。
```
"Condition": {
"StringEquals": {
"aws:SourceAccount": "AccountId",
"kms:EncryptionContext:aws:workspaces-web:resourceType:id": "resourceId"
},
"ArnEquals": {
"aws:SourceArn": [
"arn:aws:workspaces-web:Region:AccountId:resourceType/resourceId"
]
},
}
```
**注意**
在建立資源之前,金鑰政策應該僅使用 `aws:SourceAccount` 條件,因為完整的資源 ARN 尚不存在。建立資源後,可以更新金鑰政策以包含 `aws:SourceArn`和 `kms:EncryptionContext`條件。
### 使用 的範圍 CMK 金鑰政策範例 `aws:SourceAccount`
```
{
"Version": "2012-10-17",
"Statement": [
...,
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": ""
}
}
}
]
}
```
### 使用 `aws:SourceArn`和資源萬用字元的範圍 CMK 金鑰政策範例
```
{
"Version": "2012-10-17",
"Statement": [
...,
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:workspaces-web:::*/*"
}
}
}
]
}
```
### 使用 的範圍 CMK 金鑰政策範例 `aws:SourceArn`
```
{
"Version": "2012-10-17",
"Statement": [
...,
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:SourceArn": [
"arn:aws:workspaces-web:::portal/*",
"arn:aws:workspaces-web:::browserSettings/*",
"arn:aws:workspaces-web:::userSettings/*",
"arn:aws:workspaces-web:::ipAccessSettings/*"
]
}
}
]
}
```
**注意**
建立資源之後,您可以在 中`SourceArn`更新資源的萬用字元。如果您使用 WorkSpaces 安全瀏覽器建立需要 CMK 存取的新資源,請務必相應地更新其金鑰政策。
### 具有 `aws:SourceArn`和資源特定的範圍 CMK 金鑰政策範例 `EncryptionContext`
```
{
"Version": "2012-10-17",
"Statement": [
...,
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt portal",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "",
"kms:EncryptionContext:aws:workspaces-web:portal:id": ">"
}
}
},
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt userSettings",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "",
"kms:EncryptionContext:aws:workspaces-web:userSetttings:id": ""
}
}
},
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt browserSettings",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "",
"kms:EncryptionContext:aws:workspaces-web:browserSettings:id": ""
}
}
},
{
"Sid": "Allow WorkSpaces Secure Browser to encrypt/decrypt ipAccessSettings",
"Effect": "Allow",
"Principal": {
"Service": "workspaces-web.amazonaws.com"
},
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "",
"kms:EncryptionContext:aws:workspaces-web:ipAccessSettings:id": ""
}
}
},
]
}
```
**注意**
在相同金鑰政策`EncryptionContext`中包含特定資源時,請務必建立個別的陳述式。如需詳細資訊,請參閱 [ kms:EncryptionContext:*context-key*](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context) 下的使用多個加密內容對一節。