本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 密钥管理
创建新服务器场时,您可以选择以下密钥之一来加密服务器场数据:
+ **AWS 拥有的 KMS 密钥**-如果您在创建服务器场时未指定密钥,则为默认加密类型。KMS 密钥归所有者 AWS Deadline Cloud。您无法查看、管理或使用 AWS 自有密钥。但是,您无需采取任何措施来保护加密数据的密钥。有关更多信息,请参阅*AWS Key Management Service 开发者指南*中的[AWS 自有密钥](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk)。
+ **客户托管的 KMS 密钥**-您在创建服务器场时指定客户托管密钥。服务器场中的所有内容均使用 KMS 密钥进行加密。密钥存储在您的账户中,由您创建、拥有和管理,并 AWS KMS 收取费用。您对 KMS 密钥拥有完全控制权。您可以执行以下任务:
+ 制定和维护关键政策
+ 建立和维护 IAM 策略和授权
+ 启用和禁用密钥策略
+ 添加 标签
+ 创建密钥别名
您无法手动轮换用于 Deadline Cloud 服务器场的客户拥有的密钥。支持密钥的自动轮换。
有关更多信息,请参阅《*AWS Key Management Service 开发者指南》*中的[客户拥有的密钥](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)。
要创建客户托管密钥,请按照《*AWS Key Management Service 开发人员指南*》中[创建对称客户托管密钥](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk)的步骤进行操作。
## 操作方法 Deadline Cloud uses AWS KMS 补助金
Deadline Cloud 需要获得[授权](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)才能使用您的客户托管密钥。当您创建使用客户托管密钥加密的场时, Deadline Cloud 会向发送`[CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)`请求 AWS KMS 以获取您指定的 KMS 密钥的访问权限,从而代表您创建授权。
Deadline Cloud 使用多个授权。每项拨款都由需要加密或解密您的数据的不同部分使用。 Deadline Cloud Deadline Cloud 还使用授权来允许访问用于代表您存储数据的其他 AWS 服务,例如亚马逊简单存储服务、Amazon Elastic Block Store 或 OpenSearch。
Deadline Cloud 允许管理服务管理队列中的计算机的授权包括 Deadline Cloud 账号和角色,`GranteePrincipal`而不是服务委托人。虽然不常见,但这是使用为服务器场指定的客户托管 KMS 密钥为服务托管队伍中的工作人员加密 Amazon EBS 卷所必需的。
## 客户自主管理型密钥策略
密钥政策控制对客户托管密钥的访问。每个密钥必须只有一个密钥策略,其中包含用于确定谁可以使用密钥以及如何使用密钥的声明。在创建客户托管密钥时,您可以指定密钥策略。有关更多信息,请参阅**《AWS Key Management Service 开发人员指南》中的[管理对客户托管密钥的访问](https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#managing-access)。
### 适用的最低 IAM 政策 CreateFarm
要使用您的客户托管密钥通过控制台或 `[CreateFarm](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/API_CreateFarm.html)` API 操作创建农场,必须允许以下 AWS KMS API 操作:
+ `[kms:CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)`:向客户托管密钥添加授权。授予对指定 AWS KMS 密钥的控制台访问权限。有关更多信息,请参阅*AWS Key Management Service 开发者指南*中的[使用授权](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)。
+ `[kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)`— Deadline Cloud 允许解密服务器场中的数据。
+ `[kms:DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)`— 提供客户管理的密钥详细信息 Deadline Cloud 以允许验证密钥。
+ `[kms:GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)`— Deadline Cloud 允许使用唯一的数据密钥对数据进行加密。
以下策略声明授予`CreateFarm`操作所需的权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DeadlineCreateGrants",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234567890abcdef0}}",
"Condition": {
"StringEquals": {
"kms:ViaService": "deadline.us-west-2.amazonaws.com"
}
}
}
]
}
```
------
### 只读操作的最低 IAM 政策
使用您的客户托管密钥进行只读 Deadline Cloud 操作,例如获取有关农场、队列和队列的信息。必须允许以下 AWS KMS API 操作:
+ `[kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)`— Deadline Cloud 允许解密服务器场中的数据。
+ `[kms:DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)`— 提供客户管理的密钥详细信息 Deadline Cloud 以允许验证密钥。
以下策略声明授予只读操作所需的权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DeadlineReadOnly",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}",
"Condition": {
"StringEquals": {
"kms:ViaService": "deadline.us-west-2.amazonaws.com"
}
}
}
]
}
```
------
### 用于读写操作的最低 IAM 策略
使用您的客户托管密钥进行读写 Deadline Cloud 操作,例如创建和更新服务器场、队列和队列。必须允许以下 AWS KMS API 操作:
+ `[kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)`— Deadline Cloud 允许解密服务器场中的数据。
+ `[kms:DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)`— 提供客户管理的密钥详细信息 Deadline Cloud 以允许验证密钥。
+ `[kms:GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)`— Deadline Cloud 允许使用唯一的数据密钥对数据进行加密。
以下策略声明授予`CreateFarm`操作所需的权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DeadlineReadWrite",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}",
"Condition": {
"StringEquals": {
"kms:ViaService": "deadline.us-west-2.amazonaws.com"
}
}
}
]
}
```
------
## 监控您的加密密钥
当您在 Deadline Cloud 服务器场中使用 AWS KMS 客户托管密钥时,您可以使用[AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)或 [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) 来跟踪 Deadline Cloud 发送到的请求 AWS KMS。
### CloudTrail 补助金活动
以下示例 CloudTrail 事件发生在创建授权时,通常是在您调用`CreateFarm``CreateMonitor`、或`CreateFleet`操作时。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "{{AROAIGDTESTANDEXAMPLE}}:{{SampleUser01}}",
"arn": "arn:aws::sts::{{111122223333}}:assumed-role/Admin/{{SampleUser01}}",
"accountId": "{{111122223333}}",
"accessKeyId": "{{AKIAIOSFODNN7EXAMPLE3}}",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "{{AROAIGDTESTANDEXAMPLE}}",
"arn": "arn:aws::iam::{{111122223333}}:role/Admin",
"accountId": "{{111122223333}}",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2024-04-23T02:05:26Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "deadline.amazonaws.com"
},
"eventTime": "2024-04-23T02:05:35Z",
"eventSource": "kms.amazonaws.com",
"eventName": "CreateGrant",
"awsRegion": "us-west-2",
"sourceIPAddress": "deadline.amazonaws.com",
"userAgent": "deadline.amazonaws.com",
"requestParameters": {
"operations": [
"CreateGrant",
"Decrypt",
"DescribeKey",
"Encrypt",
"GenerateDataKey"
],
"constraints": {
"encryptionContextSubset": {
"aws:deadline:farmId": "farm-{{abcdef12345678900987654321fedcba}}",
"aws:deadline:accountId": "{{111122223333}}"
}
},
"granteePrincipal": "deadline.amazonaws.com",
"keyId": "arn:aws::kms:us-west-2:{{111122223333}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}",
"retiringPrincipal": "deadline.amazonaws.com"
},
"responseElements": {
"grantId": "{{6bbe819394822a400fe5e3a75d0e9ef16c1733143fff0c1fc00dc7ac282a18a0}}",
"keyId": "arn:aws::kms:us-west-2:{{111122223333}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}"
},
"requestID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE22222}}",
"eventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE33333}}",
"readOnly": false,
"resources": [
{
"accountId": "AWS Internal",
"type": "AWS::KMS::Key",
"ARN": "arn:aws::kms:us-west-2:{{111122223333}}:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE44444"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "{{111122223333}}",
"eventCategory": "Management"
}
```
### CloudTrail 用于解密的事件
使用客户托管的 KMS 密钥解密值时会发生以下示例 CloudTrail 事件。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "{{AROAIGDTESTANDEXAMPLE}}:{{SampleUser01}}",
"arn": "arn:aws::sts::111122223333:assumed-role/{{SampleRole}}/{{SampleUser01}}",
"accountId": "111122223333",
"accessKeyId": "{{AKIAIOSFODNN7EXAMPLE}}",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "{{AROAIGDTESTANDEXAMPLE}}",
"arn": "arn:aws::iam::{{111122223333}}:role/{{SampleRole}}",
"accountId": "{{111122223333}}",
"userName": "{{SampleRole}}"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2024-04-23T18:46:51Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "deadline.amazonaws.com"
},
"eventTime": "2024-04-23T18:51:44Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-west-2",
"sourceIPAddress": "deadline.amazonaws.com",
"userAgent": "deadline.amazonaws.com",
"requestParameters": {
"encryptionContext": {
"aws:deadline:farmId": "farm-{{abcdef12345678900987654321fedcba}}",
"aws:deadline:accountId": "{{111122223333}}",
"aws-crypto-public-key": "{{AotL+SAMPLEVALUEiOMEXAMPLEaaqNOTREALaGTESTONLY+p/5H+EuKd4Q==}}"
},
"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
"keyId": "arn:aws::kms:us-west-2:{{111122223333}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}"
},
"responseElements": null,
"requestID": "{{aaaaaaaa-bbbb-cccc-dddd-eeeeeeffffff}}",
"eventID": "{{ffffffff-eeee-dddd-cccc-bbbbbbaaaaaa}}",
"readOnly": true,
"resources": [
{
"accountId": "{{111122223333}}",
"type": "AWS::KMS::Key",
"ARN": "arn:aws::kms:us-west-2:{{111122223333}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "{{111122223333}}",
"eventCategory": "Management"
}
```
### CloudTrail 加密事件
使用客户托管的 KMS 密钥对值进行加密时,会发生以下示例 CloudTrail 事件。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "{{AROAIGDTESTANDEXAMPLE}}:{{SampleUser01}}",
"arn": "arn:aws::sts::{{111122223333}}:assumed-role/{{SampleRole}}/{{SampleUser01}}",
"accountId": "{{111122223333}}",
"accessKeyId": "{{AKIAIOSFODNN7EXAMPLE}}",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "{{AROAIGDTESTANDEXAMPLE}}",
"arn": "arn:aws::iam::{{111122223333}}:role/{{SampleRole}}",
"accountId": "{{111122223333}}",
"userName": "SampleRole"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2024-04-23T18:46:51Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "deadline.amazonaws.com"
},
"eventTime": "2024-04-23T18:52:40Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKey",
"awsRegion": "us-west-2",
"sourceIPAddress": "deadline.amazonaws.com",
"userAgent": "deadline.amazonaws.com",
"requestParameters": {
"numberOfBytes": 32,
"encryptionContext": {
"aws:deadline:farmId": "farm-{{abcdef12345678900987654321fedcba}}",
"aws:deadline:accountId": "{{111122223333}}",
"aws-crypto-public-key": "{{AotL+SAMPLEVALUEiOMEXAMPLEaaqNOTREALaGTESTONLY+p/5H+EuKd4Q==}}"
},
"keyId": "arn:aws::kms:us-west-2:{{111122223333}}:key/{{abcdef12-3456-7890-0987-654321fedcba}}"
},
"responseElements": null,
"requestID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}",
"eventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE22222}}",
"readOnly": true,
"resources": [
{
"accountId": "{{111122223333}}",
"type": "AWS::KMS::Key",
"ARN": "arn:aws::kms:us-west-2:{{111122223333}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE33333}}"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "{{111122223333}}",
"eventCategory": "Management"
}
```
## 删除客户托管的 KMS 密钥
删除 AWS Key Management Service (AWS KMS) 中客户管理的 KMS 密钥具有破坏性,并且具有潜在的危险。这将删除密钥材料以及与此密钥关联的所有元数据,并且不可撤销。删除客户托管 KMS 密钥后,您不能再解密用该此密钥加密的数据。删除密钥意味着数据变得不可恢复。
这就是为什么客户 AWS KMS 在删除 KMS 密钥之前有长达 30 天的等待期。默认的等待期限为 30 天。
### 关于等待期限
由于删除客户管理的 KMS 密钥具有破坏性和潜在危险,因此我们要求您将等待期设置为 7-30 天。默认的等待期限为 30 天。
但是,实际等待时间可能比您预定的时间长达 24 小时。要获取删除密钥的实际日期和时间,请使用[https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)操作。您还可以在 [AWS KMS 控制台](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys-console.html#viewing-details-navigate)中的密钥详细信息页面的**常规配置**部分中参阅密钥计划删除日期。注意时区。
在等待期限内,客户托管密钥状态和密钥状态为**等待删除**。
+ 待删除的客户托管 KMS 密钥不能用于任何[加密操作](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)。
+ AWS KMS 不会[轮换待删除的客户托管 KMS 密钥的支持](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works)密钥。
有关删除客户托管的 KMS 密钥的更多信息,请参阅*《AWS Key Management Service 开发人员指南*》中的[删除客户主密钥](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html)。