

This page is a machine-translated version. Where this translation and the English original differ, the English original prevails.

# Encryption at rest for Amazon DataZone
<a name="encryption-rest-datazone"></a>

By default, encryption at rest helps reduce the operational overhead and complexity of protecting sensitive data. At the same time, it lets you build secure applications that meet strict encryption compliance and regulatory requirements.

Amazon DataZone automatically encrypts your data at rest using an AWS owned key by default. You can't view, manage, or audit the use of AWS owned keys. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk).

Although you can't disable this encryption layer or choose a different encryption type, you can choose a customer managed key when you create an Amazon DataZone domain. Amazon DataZone supports symmetric customer managed keys that you create, own, and manage. Because you have full control over this encryption, you can perform tasks such as:
+ Establishing and maintaining key policies
+ Creating and maintaining IAM policies and grants
+ Enabling and disabling key policies
+ Rotating key cryptographic material
+ Adding tags
+ Creating key aliases
+ Scheduling keys for deletion

To use your own key, choose a customer managed key when you create an Amazon DataZone domain.

For more information, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk).

**Note**  
Amazon DataZone automatically enables encryption at rest using AWS owned keys to protect customer data at no charge.  
AWS KMS charges apply when you use a customer managed key. For more information about pricing, see [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/).

## How Amazon DataZone uses grants in AWS KMS
<a name="encryption-grants"></a>

Amazon DataZone requires two [grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to use your customer managed key. When you create an Amazon DataZone domain encrypted with a customer managed key, Amazon DataZone creates the grants on your behalf by sending [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) requests to AWS KMS. Grants in AWS KMS are used to give Amazon DataZone access to a KMS key in your account. Amazon DataZone creates the following grants to use your customer managed key for the following internal operations:

**One grant to encrypt data at rest, for the following operations:**
+ Send [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) requests to AWS KMS to verify that the symmetric customer managed KMS key ID entered when creating an Amazon DataZone domain is valid.
+ Send [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) requests to AWS KMS to generate data keys encrypted by your customer managed key.
+ Send [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) requests so that Amazon DataZone can decrypt the stored data.
+ [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) to retire the grant when the domain is deleted.

**One grant to search, discover, and [export](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/sagemaker-unified-studio-export-asset-metadata-kms-permissions.html) data:**
+ [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) – Provides the customer managed key details to allow Amazon DataZone to validate the key.
+ [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) – Allows Amazon DataZone to decrypt the stored data.

You can revoke access to the grant on your customer managed key at any time. If you do so, Amazon DataZone won't be able to access any data encrypted by that customer managed key, which affects the operations that depend on that data.

## Creating a customer managed key
<a name="create-kms-key-datazone"></a>

You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS APIs.

To create a symmetric customer managed key, follow the steps for [Creating symmetric customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the AWS Key Management Service Developer Guide.

**Key policy** – Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. You can specify the key policy when you create the customer managed key. For more information, see [Managing access to customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) in the AWS Key Management Service Developer Guide.

To use your customer managed key with your Amazon DataZone resources, the following API operations must be permitted in the key policy:
+ [kms:CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) – Adds a grant to a customer managed key. Grants control access to a specified KMS key, which allows access to the [grant operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) that Amazon DataZone requires. For more information about [using grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html), see the AWS Key Management Service Developer Guide.
+ [kms:DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) – Provides the customer managed key details to allow Amazon DataZone to validate the key.
+ [kms:GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) – Returns a unique symmetric data key for use outside of AWS KMS.
+ [kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) – Decrypts ciphertext that was encrypted under the KMS key.

The following is an example of the policy statements you can add for Amazon DataZone:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions for DescribeKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws:kms:{{region}}:111122223333:key/{{key_ID}}"
    },
    {
      "Sid": "Allow access to principals authorized to manage Amazon DataZone",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:{{region}}:111122223333:key/{{key_ID}}",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:datazone:domainId"
        }
      }
    },
    {
      "Sid": "Allow creating grants when creating an Amazon DataZone for all principals in the account that are authorized to manage Amazon DataZone",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:{{region}}:111122223333:key/{{key_ID}}",
      "Condition": {
        "StringLike": {
          "kms:CallerAccount": "111122223333",
          "kms:ViaService": "datazone.{{region}}.amazonaws.com"
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        },
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:datazone:domainId"
        }
      }
    }
  ]
}
```

**Note**  
The Amazon DataZone data portal has access to your customer managed key through the domain execution role principal.

For more information about [specifying permissions in a policy](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html), see the AWS Key Management Service Developer Guide.

For more information about [troubleshooting key access](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html#example-no-iam), see the AWS Key Management Service Developer Guide.

## Specifying a customer managed key for Amazon DataZone
<a name="specify-kms-key-datazone"></a>

You can specify a customer managed key as a second layer of encryption during [domain creation](create-domain.md).

## Amazon DataZone encryption context
<a name="specify-kms-key-datazone"></a>

An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is an optional set of key-value pairs that contain additional contextual information about the data.

AWS KMS uses the encryption context as [additional authenticated data](https://docs.aws.amazon.com/crypto/latest/userguide/cryptography-concepts.html#term-aad) to support [authenticated encryption](https://docs.aws.amazon.com/crypto/latest/userguide/cryptography-concepts.html#define-authenticated-encryption). When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt the data, you must include the same encryption context in the request.

Amazon DataZone uses the following encryption context:

```
"encryptionContextSubset": {
    "aws:datazone:domainId": "{{dzd_sampleid}}"
}
```

**Using encryption context for monitoring** – When you use a symmetric customer managed key to encrypt your Amazon DataZone resources, you can also use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context also appears in logs generated by AWS CloudTrail or Amazon CloudWatch Logs.

**Using encryption context to control access to your customer managed key** – You can use the encryption context in key policies and IAM policies as conditions to control access to your symmetric customer managed key. You can also use encryption context constraints in a grant.

Amazon DataZone uses an encryption context constraint in grants to control access to the customer managed key in your account or Region. The grant constraint requires that the operations the grant allows use the specified encryption context.

The following are example key policy statements that grant access to a customer managed key for a specific encryption context.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable DescribeKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
      },
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws:kms:{{region}}:111122223333:key/{{key_ID}}"
    },
    {
      "Sid": "Allow access to principal to manage an Amazon DataZone domain with the given domain id",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:{{region}}:111122223333:key/{{key_ID}}",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:datazone:domainId": "{{dzd_sampleid}}"
        }
      }
    },
    {
      "Sid": "Allow creating grants when creating an Amazon DataZone domain to principal",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
      },
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:{{region}}:111122223333:key/{{key_ID}}",
      "Condition": {
        "StringLike": {
          "kms:CallerAccount": "111122223333",
          "kms:ViaService": "datazone.{{region}}.amazonaws.com"
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        },
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:datazone:domainId"
        }
      }
    }
  ]
}
```
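The two key policy examples above scope `kms:CreateGrant` with `kms:ViaService`, `kms:GrantIsForAWSResource` and an encryption-context condition, and scope `kms:Decrypt`/`kms:GenerateDataKey` to the `aws:datazone:domainId` context. The linter below (an added example, not AWS or Amazon DataZone code) reads a key policy document and reports statements that grant those actions without the conditions shown on this page; the sample policy is constructed and its account ID is a placeholder.

```python
"""Lint a KMS key policy for the DataZone-specific conditions shown on this page."""
import json

DZ_CONTEXT_KEY = "aws:datazone:domainId"


def _cond(stmt, operator):
    """Condition block for one operator (e.g. "Bool"), or {} if absent."""
    return stmt.get("Condition", {}).get(operator, {})


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_statement(stmt):
    """Findings for one Allow statement; an empty list means it is scoped."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid", "<no Sid>")
    actions = _as_list(stmt.get("Action"))
    # Either scoping form used on this page counts: the ForAnyValue:StringEquals
    # test on the context keys, or a StringEquals test on the domain id value.
    ctx_keys = _as_list(_cond(stmt, "ForAnyValue:StringEquals").get("kms:EncryptionContextKeys"))
    ctx_value = _cond(stmt, "StringEquals").get(f"kms:EncryptionContext:{DZ_CONTEXT_KEY}")
    scoped = DZ_CONTEXT_KEY in ctx_keys or ctx_value is not None
    if "kms:CreateGrant" in actions:
        # Grant creation should only be reachable through the DataZone service,
        # for an AWS resource, and for grants constrained to the domain context.
        via = _as_list(_cond(stmt, "StringLike").get("kms:ViaService"))
        if not any(v.startswith("datazone.") for v in via):
            findings.append(f"{sid}: kms:CreateGrant lacks kms:ViaService datazone.* condition")
        if str(_cond(stmt, "Bool").get("kms:GrantIsForAWSResource")).lower() != "true":
            findings.append(f"{sid}: kms:CreateGrant lacks kms:GrantIsForAWSResource=true")
        if not scoped:
            findings.append(f"{sid}: kms:CreateGrant not limited to {DZ_CONTEXT_KEY}")
    for act in ("kms:Decrypt", "kms:GenerateDataKey"):
        if act in actions and not scoped:
            findings.append(f"{sid}: {act} allowed without an {DZ_CONTEXT_KEY} condition")
    return findings


def lint_policy(policy_json):
    """Lint every statement of a key policy document given as a JSON string."""
    policy = json.loads(policy_json)
    return [f for stmt in policy.get("Statement", []) for f in lint_statement(stmt)]


# Constructed sample: the first statement mirrors the page's CreateGrant statement,
# the second grants Decrypt/GenerateDataKey with no encryption-context condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantForDataZone",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "StringLike": {"kms:CallerAccount": "111122223333",
                               "kms:ViaService": "datazone.us-east-2.amazonaws.com"},
                "Bool": {"kms:GrantIsForAWSResource": "true"},
                "ForAnyValue:StringEquals": {"kms:EncryptionContextKeys": DZ_CONTEXT_KEY},
            },
        },
        {
            "Sid": "UnscopedDecrypt",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "*",
        },
    ],
})

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run it against the output of `aws kms get-key-policy` to check a real key; the sample reports only the unscoped second statement.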

## Monitoring your encryption keys for Amazon DataZone
<a name="monitoring-encryption"></a>

When you use an AWS KMS customer managed key with your Amazon DataZone resources, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) to track the requests that Amazon DataZone sends to AWS KMS. The following examples are AWS CloudTrail events for `CreateGrant`, `GenerateDataKey`, `Decrypt`, and `RetireGrant`, which you can use to monitor the KMS operations that Amazon DataZone calls to access data encrypted by your customer managed key.

------
#### [ CreateGrant ]

When you encrypt your Amazon DataZone domain with an AWS KMS customer managed key, Amazon DataZone sends a `CreateGrant` request on your behalf to access the KMS key in your AWS account. The grants that Amazon DataZone creates are specific to the resource associated with the AWS KMS customer managed key. In addition, Amazon DataZone uses the `RetireGrant` operation to remove the grant when you delete a domain.

The following example events record the `CreateGrant` operation, one for each of the two grants:

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Example/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Example",
                "accountId": "111122223333",
                "userName": "Example"
            },
            "attributes": {
                "creationDate": "2024-04-22T17:02:00Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T17:02:00Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "retiringPrincipal": "datazone.us-east-2.amazonaws.com",
        "operations": [
            "GenerateDataKey",
            "RetireGrant",
            "DescribeKey",
            "Decrypt"
        ],
        "granteePrincipal": "datazone.us-east-2.amazonaws.com",
        "constraints": {
            "encryptionContextSubset": {
                "aws:datazone:domainId": "dzd_sampleid"
            }
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
}
```

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Example/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Example",
                "accountId": "111122223333",
                "userName": "Example"
            },
            "attributes": {
                "creationDate": "2024-04-22T17:10:00Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T17:49:00Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "retiringPrincipal": "datazone.us-east-2.amazonaws.com",
        "operations": [
            "DescribeKey",
            "Decrypt"
        ],
        "granteePrincipal": "datazone.us-east-2.amazonaws.com",
        "constraints": {
            "encryptionContextSubset": {
                "aws:datazone:domainId": "dzd_sampleid"
            }
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
}
```

------
#### [ GenerateDataKey ]

When you enable an AWS KMS customer managed key for your Amazon DataZone domain, Amazon DataZone generates a data key. It sends a `GenerateDataKey` request to AWS KMS that specifies the AWS KMS customer managed key for the domain.

The following example events record the `GenerateDataKey` operation:

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:AmazonSageMakerDomainExecution",
        "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMakerDomainExecution/AmazonSageMakerDomainExecution",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/service-role/AmazonSageMakerDomainExecution",
                "accountId": "111122223333",
                "userName": "AmazonSageMakerDomainExecution"
            },
            "attributes": {
                "creationDate": "2024-04-22T19:50:39Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T19:50:40Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "keySpec": "AES_256",
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "V": "2024-04-22T17:49:12.98177136Z|cacf3df7-7b99-49f6-ae14-sample",
            "version": "0",
            "N": "dzd_sampleid|arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
            "*aws-kms-table*": "awsdatazoneroaring-data-store-datakeys-prod-us-east-2"
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2024-04-22T19:50:40Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "aws:s3:arn": "arn:aws:s3:::amazon-datazone-us-east-2-422ceee9465430bdb354d1c9efsample"
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
        "keySpec": "AES_256"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventCategory": "Management"
}
```

------
#### [ Decrypt ]

When you access an encrypted Amazon DataZone domain, Amazon DataZone calls the `Decrypt` operation to use the stored encrypted data key to access the encrypted data.

The following example events record the `Decrypt` operation:

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:AmazonSageMakerDomainExecution",
        "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMakerDomainExecution/AmazonSageMakerDomainExecution",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/service-role/AmazonSageMakerDomainExecution",
                "accountId": "111122223333",
                "userName": "AmazonSageMakerDomainExecution"
            },
            "attributes": {
                "creationDate": "2024-04-22T19:50:39Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T19:51:54Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "V": "2024-04-22T17:49:12.98177136Z|cacf3df7-7b99-49f6-ae14-sample",
            "version": "0",
            "N": "dzd_sampleid|arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
            "*aws-kms-table*": "awsdatazoneroaring-data-store-datakeys-prod-us-east-2"
        }
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T19:51:54Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "V": "2024-04-22T17:49:12.98177136Z|cacf3df7-7b99-49f6-ae14-sample",
            "version": "0",
            "N": "dzd_sampleid|arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
            "*aws-kms-table*": "awsdatazoneroaring-data-store-datakeys-prod-us-east-2"
        },
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventCategory": "Management"
}
```

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2024-04-22T19:51:54Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "aws:s3:arn": "arn:aws:s3:::amazon-datazone-us-east-2-422ceee9465430bdb354d1c9efsample"
        }
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventCategory": "Management"
}
```

------
#### [ RetireGrant ]

The following example event records the `RetireGrant` operation:

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2025-04-29T22:18:50Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "RetireGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": null,
    "responseElements": {
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "additionalEventData": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE"
    },
    "requestID": "294308c0-7617-4727-b5c9-34eaf75aa8e3",
    "eventID": "273708f7-5fbb-3a90-b04d-2b3138bf0ec9",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "b46377d7-b3c3-4bfd-a257-722bd3f3411d",
    "eventCategory": "Management"
}
```

------
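The CloudTrail records above share a few invariants worth checking automatically: DataZone-originated KMS calls carry `datazone.amazonaws.com` as the invoking service, `CreateGrant` requests name the DataZone service as grantee and retiring principal, use one of the two operation sets described earlier, and are constrained to `aws:datazone:domainId`, and `Decrypt`/`GenerateDataKey` calls carry that same context key. The checker below is an added example, not AWS code; it runs over constructed newline-delimited events modelled on the records on this page and reports deviations, with `EXPECTED_DOMAIN` as an assumed domain ID under review. Events invoked as `AWS Internal` (the S3 ones above) are left alone because they carry no DataZone marker.

```python
"""Flag DataZone KMS CloudTrail events that deviate from the expected grant shape."""
import json

EXPECTED_DOMAIN = "dzd_sampleid"          # assumed domain id under review
CONTEXT_KEY = "aws:datazone:domainId"
# The two grants the page describes: encrypt-at-rest and search/discover/export.
ALLOWED_GRANT_OPS = (
    {"GenerateDataKey", "RetireGrant", "DescribeKey", "Decrypt"},
    {"DescribeKey", "Decrypt"},
)


def is_datazone_kms_event(ev):
    """True for KMS calls whose invoker, user agent, or source is the DataZone service."""
    if ev.get("eventSource") != "kms.amazonaws.com":
        return False
    markers = (ev.get("userIdentity", {}).get("invokedBy"),
               ev.get("userAgent"), ev.get("sourceIPAddress"))
    return "datazone.amazonaws.com" in markers


def check_event(ev, expected_domain=EXPECTED_DOMAIN):
    """Return a list of findings for one event; an empty list means it matches."""
    findings = []
    if not is_datazone_kms_event(ev):
        return findings
    name = ev.get("eventName")
    params = ev.get("requestParameters") or {}
    if name == "CreateGrant":
        ops = set(params.get("operations", []))
        if ops not in ALLOWED_GRANT_OPS:
            findings.append(f"CreateGrant with unexpected operations {sorted(ops)}")
        subset = params.get("constraints", {}).get("encryptionContextSubset", {})
        if subset.get(CONTEXT_KEY) != expected_domain:
            findings.append("CreateGrant not constrained to the expected domain id")
        for who in ("granteePrincipal", "retiringPrincipal"):
            if not str(params.get(who, "")).startswith("datazone."):
                findings.append(f"CreateGrant {who} is not the DataZone service")
    elif name in ("Decrypt", "GenerateDataKey"):
        ctx = params.get("encryptionContext", {})
        if ctx.get(CONTEXT_KEY) != expected_domain:
            findings.append(f"{name} used encryption context {ctx.get(CONTEXT_KEY)!r}")
    return findings


def check_trail(lines, expected_domain=EXPECTED_DOMAIN):
    """Run check_event over newline-delimited JSON records; returns (eventID, finding) pairs."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for finding in check_event(ev, expected_domain):
            out.append((ev.get("eventID"), finding))
    return out


# Constructed sample trail (fields trimmed to those the checks use): e1 is a
# well-formed grant, e2 asks for an extra Encrypt operation, e3 decrypts under
# a different domain id.
SAMPLE_TRAIL = """
{"eventID":"e1","eventSource":"kms.amazonaws.com","eventName":"CreateGrant","userAgent":"datazone.amazonaws.com","sourceIPAddress":"datazone.amazonaws.com","userIdentity":{"invokedBy":"datazone.amazonaws.com"},"requestParameters":{"granteePrincipal":"datazone.us-east-2.amazonaws.com","retiringPrincipal":"datazone.us-east-2.amazonaws.com","operations":["DescribeKey","Decrypt"],"constraints":{"encryptionContextSubset":{"aws:datazone:domainId":"dzd_sampleid"}}}}
{"eventID":"e2","eventSource":"kms.amazonaws.com","eventName":"CreateGrant","userAgent":"datazone.amazonaws.com","sourceIPAddress":"datazone.amazonaws.com","userIdentity":{"invokedBy":"datazone.amazonaws.com"},"requestParameters":{"granteePrincipal":"datazone.us-east-2.amazonaws.com","retiringPrincipal":"datazone.us-east-2.amazonaws.com","operations":["DescribeKey","Decrypt","Encrypt"],"constraints":{"encryptionContextSubset":{"aws:datazone:domainId":"dzd_sampleid"}}}}
{"eventID":"e3","eventSource":"kms.amazonaws.com","eventName":"Decrypt","userAgent":"datazone.amazonaws.com","sourceIPAddress":"datazone.amazonaws.com","userIdentity":{"type":"AWSService","invokedBy":"datazone.amazonaws.com"},"requestParameters":{"encryptionAlgorithm":"SYMMETRIC_DEFAULT","encryptionContext":{"aws:datazone:domainId":"dzd_otherid"}}}
"""

if __name__ == "__main__":
    for event_id, finding in check_trail(SAMPLE_TRAIL.splitlines()):
        print(event_id, finding)
```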

## Creating data lake environments that involve an encrypted AWS Glue catalog
<a name="create-project-with-data-lake"></a>

In advanced use cases, when you use an encrypted AWS Glue catalog, you must grant the Amazon DataZone service access to use your customer managed KMS key. You do this by updating your custom KMS policy and adding a tag to the key. To grant the Amazon DataZone service access to work with data in an encrypted AWS Glue catalog, complete the following:
+ Add the following policy to your custom KMS key. For more information, see [Changing a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html).

------
#### [ JSON ]


  ```
  {
      "Version":"2012-10-17",
      "Statement": [
          {
              "Sid": "Allow datazone environment roles to decrypt using the key",
              "Effect": "Allow",
              "Principal": {
                  "AWS": "*"
              },
              "Action": [
                  "kms:Decrypt"
              ],
              "Resource": "*",
              "Condition": {
                  "StringEquals": {
                      "kms:EncryptionContext:glue_catalog_id": "<GLUE_CATALOG_ID>"
                  },
                  "ArnLike": {
                      "aws:PrincipalArn": [
                          "arn:aws:iam::111122223333:role/*datazone_usr*",
                          "arn:aws:iam::444455556666:role/*datazone_usr*"
                      ]
                  }
              }
          },
          {
              "Sid": "Allow datazone environment roles to describe the key",
              "Effect": "Allow",
              "Principal": {
                  "AWS": "*"
              },
              "Action": [
                  "kms:DescribeKey"
              ],
              "Resource": "*",
              "Condition": {
                  "ArnLike": {
                      "aws:PrincipalArn": [
                      "arn:aws:iam::111122223333:role/*datazone_usr*",
                      "arn:aws:iam::444455556666:role/*datazone_usr*"
                      ]
                  }
              }
          }
      ]
  }
  ```

------
**Important**  
You must modify the `"aws:PrincipalArn"` ARNs in the policy with the account IDs in which you want to create environments. Every account in which you want to create environments must be listed as an `"aws:PrincipalArn"` in the policy.  
You must also replace <GLUE\_CATALOG\_ID> with the valid AWS account ID in which your AWS Glue catalog resides.  
Note that this policy grants all Amazon DataZone environment user roles in the specified accounts permission to use the key. If you want to allow only specific environment user roles to use the key, you must specify the full environment user role name, for example `arn:aws:iam::<ENVIRONMENT_ACCOUNT_ID>:role/datazone_usr_<ENVIRONMENT_ID>` (where <ENVIRONMENT\_ID> is the ID of the environment, rather than the wildcard form).
+ Add the following tag to your custom KMS key. For more information, see [Using tags to control access to KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/tag-authorization.html).

  ```
  key: AmazonDataZoneEnvironment
  value: all
  ```