本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 适用于 Amazon S3 数据访问的密钥管理
此页面特定于 Amazon S3 数据访问类型,在这种类型中,提供商共享使用 SSE-KMS 加密的对象。订阅者必须拥有对用于访问的密钥的授权。
如果您的 Amazon S3 存储桶包含使用 AWS KMS 客户托管密钥加密的数据,则必须 AWS KMS keys 与共享这些数据 AWS Data Exchange 才能配置 Amazon S3 数据访问数据集。有关更多信息,请参阅 [步骤 2:配置 Amazon S3 数据访问](publish-s3-data-access-product.md#configure-s3-data-access-product)。
**Topics**
+ [
## 创建 AWS KMS 补助金
](#create-kms-grants)
+ [
## 加密上下文和授权约束
](#encryption-context-grant-constraint)
+ [
## 监视你的 AWS KMS keys in AWS Data Exchange
](#monitoring-your-kms-keys)
## 创建 AWS KMS 补助金
当您提供 AWS KMS keys 作为 Amazon S3 数据访问数据集的一部分时, AWS Data Exchange 会为每个 AWS KMS key 共享数据创建 AWS KMS 授权。这种授权,称为*家长授权*,用于授予为订阅者创建额外 AWS KMS 授予的 AWS Data Exchange 权限。这些额外授权被称为*子授权*。允许每位订阅者 AWS KMS 获得一次授权。订阅者获得解密权限. AWS KMS key然后,他们可以解密,并使用与他们共享的加密 Amazon S3 对象。有关更多信息,请参阅《AWS Key Management Service 开发人员指南》**中的 [AWS KMS中的授权](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)。
AWS Data Exchange 还使用 AWS KMS 父级拨款来管理其创建的 AWS KMS 赠款的生命周期。订阅结束后,将 AWS Data Exchange 停用为相应订阅者创建的 AWS KMS 子女补助金。如果修订版被撤销或数据集被删除,则会 AWS Data Exchange 停用 AWS KMS 父授权。有关 AWS KMS 操作的更多信息,请参阅 [AWS KMS API 参考](https://docs.aws.amazon.com/kms/latest/APIReference/API_Operations.html)。
## 加密上下文和授权约束
AWS Data Exchange 仅当请求包含指定的加密上下文时,才使用授权约束允许解密操作。您可以使用 Amazon S3 存储桶密钥功能来加密您的 Amazon S3 对象并与之共享 AWS Data Exchange。Amazon S3 隐式使用存储桶 Amazon 资源名称 (ARN) 作为加密上下文。以下示例显示了 AWS Data Exchange 使用存储桶 ARN 作为其创建的所有 AWS KMS 授权的授予约束。
```
"Constraints": {
"EncryptionContextSubset": "aws:s3:arn": “arn:aws:s3:::"
}
}
```
## 监视你的 AWS KMS keys in AWS Data Exchange
当您与共享 AWS KMS 客户托管密钥时 AWS Data Exchange,您可以使用[AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)来跟踪 AWS Data Exchange 或数据订阅者向其发送的请求 AWS KMS。以下示例说明了`CreateGrant`和`Decrypt`调用的 CloudTrail 日志会是什么样子 AWS KMS。
------
#### [ CreateGrant for parent ]
`CreateGrant`用于为自己创建的家长补助金。 AWS Data Exchange
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIGDTESTANDEXAMPLE:Provider01",
"arn": "arn:aws:sts:::assumed-role/Admin/Provider01",
"accountId": "",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAIGDTESTANDEXAMPLE",
"arn": "arn:aws:iam:::role/Admin/Provider01”,
"accountId": "",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-02-16T17:29:23Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "datax.amazonaws.com"
},
"eventTime": "2023-02-16T17:32:47Z",
"eventSource": "kms.amazonaws.com",
"eventName": "CreateGrant",
"awsRegion": "us-east-2",
"sourceIPAddress": "datax.amazonaws.com",
"userAgent": "datax.amazonaws.com",
"requestParameters": {
"keyId": "",
"operations": [
"CreateGrant",
"Decrypt",
"RetireGrant"
],
"granteePrincipal": "dataexchange.us-east-2.amazonaws.com",
"retiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
"constraints": {
"encryptionContextSubset": { AWS:s3:arn": "arn:aws:s3:::"
}
}
},
"responseElements": {
"grantId": "",
"keyId": ""
},
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": false,
"resources": [
{
"accountId": "",
"type": "AWS::KMS::Key",
"ARN": ""
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "",
"eventCategory": "Management"
}
```
------
#### [ CreateGrant for child ]
`CreateGrant`用于为订阅者创建的 AWS Data Exchange 儿童补助金。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AWSService",
"invokedBy": "datax.amazonaws.com"
},
"eventTime": "2023-02-15T23:15:49Z",
"eventSource": "kms.amazonaws.com",
"eventName": "CreateGrant",
"awsRegion": "us-east-2",
"sourceIPAddress": "datax.amazonaws.com",
"userAgent": "datax.amazonaws.com",
"requestParameters": {
"keyId": "",
"operations": [
"Decrypt"
],
"granteePrincipal": “”,
"retiringPrincipal": "dataexchange.us-east-2.amazonaws.com",
"constraints": {
"encryptionContextSubset": {
"aws:s3:arn": "arn:aws:s3:::"
}
}
},
"responseElements": {
"grantId": "",
"keyId": ""
},
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": false,
"resources": [
{
"accountId": "",
"type": "AWS::KMS::Key",
"ARN": ""
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "",
"sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE ",
"eventCategory": "Management"
}
```
------
#### [ Decrypt ]
`Decrypt` 由订阅者在尝试读取其订阅的加密数据时调用。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AWSAccount",
"principalId": "AROAIGDTESTANDEXAMPLE:Subscriber01",
"accountId": "",
"invokedBy": ""
},
"eventTime": "2023-02-15T23:28:30Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-east-2",
"sourceIPAddress": "",
"userAgent": "",
"requestParameters": {
"encryptionContext": {
"aws:s3:arn": "arn:aws:s3:::"
},
"encryptionAlgorithm": "SYMMETRIC_DEFAULT"
},
"responseElements": null,
"requestID": ""ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": ""ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE”,
"readOnly": true,
"resources": [
{
"accountId": "",
"type": "AWS::KMS::Key",
"ARN": ""
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "602466227860",
"sharedEventID": "bcf4d02a-31ea-4497-9c98-4c3549f20a7b",
"eventCategory": "Management"
}
```
------