本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# TLE 和 OEM 星历数据的静态加密
## TLE 和 OEM 星历表的关键政策要求
要将客户托管密钥与星历数据一起使用,您的密钥策略必须向该服务授予以下权限: AWS Ground Station
+ [https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)-为客户管理的密钥创建访问授权。[授予对客户托管密钥执行授权操作](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)的 AWS Ground Station 访问权限,以读取和存储加密数据。
+ [https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)-提供客户管理的密钥详细信息, AWS Ground Station 以便在尝试使用提供的密钥之前验证密钥。
有关[使用授权](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)的更多信息,请参阅 AWS Key Management Service 开发者指南。
## 使用客户托管密钥创建星历的 IAM 用户权限
在加密操作中 AWS Ground Station 使用客户托管密钥时,它代表创建星历表资源的用户行事。
要使用客户托管密钥创建星历资源,用户必须有权对客户托管密钥进行以下操作:
+ [https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)-允许用户代表对客户管理的密钥创建授权 AWS Ground Station。
+ [https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)-允许用户查看客户管理的密钥详细信息以验证密钥。
您可以在密钥策略中指定这些所需权限,或者在密钥策略允许的情况下在 IAM 策略中指定这些权限。这些权限确保用户可以授权 AWS Ground Station 他们使用客户托管密钥进行加密操作。
## 如何在 AWS Ground Station 星历中 AWS KMS 使用赠款
AWS Ground Station 需要[密钥授予](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)才能使用您的客户管理的密钥。
当您上传使用客户托管密钥加密的星历时, AWS Ground Station 会通过向发送请求来代表您创建密钥授权。[CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) AWS KMS中的授权 AWS KMS 用于授予对您账户中 AWS KMS 密钥的 AWS Ground Station 访问权限。
这 AWS Ground Station 允许执行以下操作:
+ 调用 [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) 生成加密的数据密钥并将其存储,因为数据密钥不会立即用于加密。
+ 调用 [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) 使用存储的加密数据密钥访问加密数据。
+ 调用 [Encryp](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) t 使用数据密钥加密数据。
+ 设置停用主体,以允许服务 [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html)。
您可以随时撤消对授权的访问权限。如果这样做,将 AWS Ground Station 无法访问由客户托管密钥加密的任何数据,这会影响依赖该数据的操作。例如,如果您从当前用于联系人的星历中删除密钥授权,则在接触期间 AWS Ground Station 将无法使用提供的星历数据来指向天线。这将导致该联系以“失败”状态结束。
## 星历加密上下文
加密星历资源的密钥授权绑定到特定的卫星 ARN。
```
"encryptionContext": {
"aws:groundstation:arn": "arn:aws:groundstation::111122223333:satellite/00a770b0-082d-45a4-80ed-SAMPLE",
"aws:s3:arn": "arn:aws:s3:::customerephemerisbucket/0034abcd-12ab-34cd-56ef-123456SAMPLE"
}
```
**注意**
密钥授权可重复用于同一密钥卫星。
## 使用加密上下文进行监控
使用对称的客户托管密钥来加密您的星历表时,您还可以使用审计记录和日志中的加密上下文来识别客户托管密钥的使用情况。加密上下文还会显示在[AWS CloudTrail 或 Amazon Logs 生成的 CloudWatch 日志](https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html)中。
## 使用加密上下文控制对客户托管式密钥的访问
您可以使用密钥策略和 IAM 策略中的加密上下文作为 `conditions` 来控制对您的对称客户托管密钥的访问。您还可以在授权中使用加密上下文约束。
AWS Ground Station 在授权中使用加密上下文约束来控制对您的账户或区域中客户托管密钥的访问权限。授权约束要求授权允许的操作使用指定的加密上下文。
以下是密钥策略声明示例,用于授予对特定加密上下文的客户托管密钥的访问权限。此策略语句中的条件要求授权具有指定加密上下文的加密上下文约束。
以下示例显示了绑定到卫星的星历数据的关键策略:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Allow AWS Ground Station to Describe key",
"Effect": "Allow",
"Principal": {
"Service": "groundstation.us-east-1.amazonaws.com"
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Allow AWS Ground Station to Create Grant on key",
"Effect": "Allow",
"Principal": {
"Service": "groundstation.us-east-1.amazonaws.com"
},
"Action": "kms:CreateGrant",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:aws:groundstation:arn": "arn:aws:groundstation::123456789012:satellite/satellite-id"
}
}
}
]
}
```
------
## 监控您的加密密钥中是否有星历
当您将 AWS Key Management Service 客户托管密钥与您的星历资源一起使用时,您可以使用或 [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)A [mazon CloudWatch 日志](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html)来跟踪发送到的 AWS Ground Station 请求。 AWS KMS以下示例是[CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)、[GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)、[Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) 和[DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)监视 AWS KMS 操作 CloudTrail的事件,这些操作被调用 AWS Ground Station 以访问由您的客户托管密钥加密的数据。
------
#### [ CreateGrant ]
当您使用 AWS KMS 客户管理的密钥加密您的星历表资源时, AWS Ground Station 会代表您发送访问您账户中 AWS KMS 密钥的[CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)请求。 AWS AWS Ground Station 创建的授权特定于与 AWS KMS 客户托管密钥关联的资源。此外,在您删除资源时, AWS Ground Station 使用[RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html)操作来移除授权。
以下示例事件记录了[CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)星历的操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "ASIAIOSFODNN7EXAMPLE",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/SampleUser01",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "ASIAIOSFODNN7EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-02-22T22:22:22Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "AWS Internal"
},
"eventTime": "2022-02-22T22:22:22Z",
"eventSource": "kms.amazonaws.com",
"eventName": "CreateGrant",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "ExampleDesktop/1.0 (V1; OS)",
"requestParameters": {
"operations": [
"GenerateDataKeyWithoutPlaintext",
"Decrypt",
"Encrypt"
],
"constraints": {
"encryptionContextSubset": {
"aws:groundstation:arn": "arn:aws:groundstation::111122223333:satellite/00a770b0-082d-45a4-80ed-SAMPLE"
}
},
"granteePrincipal": "groundstation.us-west-2.amazonaws.com",
"retiringPrincipal": "groundstation.us-west-2.amazonaws.com",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
},
"responseElements": {
"grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE"
},
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": false,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------
#### [ DescribeKey ]
当您使用 AWS KMS 客户托管密钥加密您的星历表资源时, AWS Ground Station 会代表您发送[DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)请求的密钥以验证您的账户中是否存在所请求的密钥。
以下示例事件记录了 [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) 操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "ASIAIOSFODNN7EXAMPLE",
"arn": "arn:aws:sts::111122223333:assumed-role/User/Role",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "ASIAIOSFODNN7EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Role",
"accountId": "111122223333",
"userName": "User"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-02-22T22:22:22Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "AWS Internal"
},
"eventTime": "2022-02-22T22:22:22Z",
"eventSource": "kms.amazonaws.com",
"eventName": "DescribeKey",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------
#### [ GenerateDataKey ]
当您使用 AWS KMS 客户托管密钥加密您的星历资源时, AWS Ground Station 会向发送[GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)请求以生成用于加密数据的数据密钥。
以下示例事件记录了[GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)星历的操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AWSService",
"invokedBy": "AWS Internal"
},
"eventTime": "2022-02-22T22:22:22Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKey",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"keySpec": "AES_256",
"encryptionContext": {
"aws:groundstation:arn": "arn:aws:groundstation::111122223333:satellite/00a770b0-082d-45a4-80ed-SAMPLE",
"aws:s3:arn": "arn:aws:s3:::customerephemerisbucket/0034abcd-12ab-34cd-56ef-123456SAMPLE"
},
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventCategory": "Management"
}
```
------
#### [ Decrypt ]
当您使用 AWS KMS 客户托管密钥加密您的星历资源时,如果提供的星历已经 AWS Ground Station 使用相同的客户托管[密钥加密](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html),则使用解密操作来解密所提供的星历表。例如,如果从 S3 存储桶上传星历并使用给定密钥对该桶中星历进行加密。
以下示例事件记录了星历的[解密](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AWSService",
"invokedBy": "AWS Internal"
},
"eventTime": "2022-02-22T22:22:22Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"encryptionContext": {
"aws:groundstation:arn": "arn:aws:groundstation::111122223333:satellite/00a770b0-082d-45a4-80ed-SAMPLE",
"aws:s3:arn": "arn:aws:s3:::customerephemerisbucket/0034abcd-12ab-34cd-56ef-123456SAMPLE"
},
"encryptionAlgorithm": "SYMMETRIC_DEFAULT"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventCategory": "Management"
}
```
------