本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 將加密與語音分析搭配使用
Amazon Chime SDK 語音分析會存放用於產生語音內嵌的音訊檔案。檔案會使用您建立、擁有和管理的對稱客戶受管金鑰進行加密。由於您可以完全控制此加密層,因此您可以執行下列任務:
+ 建立和維護金鑰政策
+ 建立和維護 IAM 政策和授予操作
+ 啟用和停用金鑰政策
+ 輪換金鑰密碼編譯資料
+ 新增 標籤
+ 建立金鑰別名
+ 安排金鑰供刪除
如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[客戶受管金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)。
# 了解靜態加密
根據預設,語音分析會加密所有靜態使用者資料。建立新的語音設定檔網域時,您必須提供對稱客戶受管金鑰,讓服務用來加密靜態資料。您擁有、管理和控制金鑰。
金鑰只會加密用於在語音內嵌中註冊發言者的音訊檔案。
語音分析透過建立授予來存取金鑰。如需授予的詳細資訊,請參閱下一節。
# 了解語音分析如何使用授予
語音分析需要授予才能使用客戶受管金鑰。當您建立語音設定檔網域時,相關聯的 Amazon Chime SDK Voice Connector 會透過傳送`CreateGrant`請求至 AWS KMS 來代表您建立授權。需要授予才能將金鑰用於下列內部操作:
+ 將[https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)請求傳送至 AWS KMS,以驗證提供的對稱客戶受管金鑰 ID 是否有效。
+ 將[https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)請求傳送至 KMS 金鑰,以建立用來加密物件的資料金鑰。
+ 將[https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)請求傳送至 AWS KMS 以解密加密的資料金鑰,以便用來加密您的資料。
+ 將[https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html)請求傳送至 AWS KMS 以淘汰用於語音設定檔網域的授予。
+ 使用伺服器端加密將檔案存放在 Amazon S3 中。
您可以隨時撤銷授予的存取權,或移除服務對您金鑰的存取權。如果您這麼做,語音分析將無法存取金鑰加密的任何資料。這會影響依賴該資料的所有操作,導致發言者搜尋工作流程發生錯誤`AccessDeniedException`和失敗。
# 語音分析的金鑰政策
金鑰政策會控制客戶受管金鑰的存取權限。每個客戶受管金鑰都必須只有一個金鑰政策,其中包含決定誰可以使用金鑰及其使用方式的政策陳述式。建立金鑰時,您可以指定金鑰政策。如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[使用金鑰政策](https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Allow key access to Chime SDK voice analytics.",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/UserNameWithPath"
},
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": [
"chime.us-east-1.amazonaws.com"
]
}
}
}
]
}
```
------
如需有關在政策中指定許可的資訊,請參閱 [ Key Management Service 開發人員指南中的在 IAM 政策陳述式中指定 KMS](https://docs.aws.amazon.com/kms/latest/developerguide/cmks-in-iam-policies.html) *AWS 金鑰*。
如需有關對金鑰存取進行故障診斷的資訊,請參閱 Key *AWS Management Service 開發人員指南中的對金鑰*[存取進行故障診斷](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html)。
# 使用加密內容
加密內容是一組選用的金鑰/值對,其中包含有關資料的其他內容資訊。 AWS KMS 使用加密內容來支援已驗證的加密。
當您在加密請求中包含加密內容時, AWS KMS 會將加密內容繫結至加密的資料。若要解密資料,您必須在請求中包含相同的加密內容。
語音分析會在所有 AWS KMS 密碼編譯操作中使用相同的加密內容,其中金鑰為 ,`aws:chime:voice-profile-domain:arn`而值為資源 Amazon Resource Name (ARN)。
下列範例顯示典型的加密內容。
```
"encryptionContext": {
"aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:111122223333:voice-profile-domain/sample-domain-id"
}
```
您也可以在稽核記錄和記錄中使用加密內容,以識別客戶受管金鑰的使用方式。加密內容也會出現在 CloudTrail 或 CloudWatch Logs 產生的日誌中。
## 使用加密內容來控制對金鑰的存取
您也可以在金鑰政策和 IAM 政策中,使用加密內容來控制對對稱客戶受管金鑰的存取。您也可以在授予中使用加密內容條件。
語音分析在授予中使用加密內容限制,以控制對您帳戶或區域中客戶受管金鑰的存取。授予條件會要求授予允許的操作使用指定的加密內容。
下列範例金鑰政策陳述式會授予特定加密內容的客戶受管金鑰存取權。政策陳述式中的 條件要求授予具有指定加密內容的加密內容限制條件。
```
{
"Sid": "Enable DescribeKey",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Enable CreateGrant",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
},
"Action": "kms:CreateGrant",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:111122223333:voice-profile-domain/sample-domain-id"
}
}
}
```
# 監控加密金鑰
Amazon Chime SDK Voice Connectors 會將請求傳送至 AWS KMS,您可以在 CloudTrail 或 CloudWatch 日誌中追蹤這些請求。
------
#### [ CreateGrant ]
當您使用客戶受管金鑰建立語音設定檔網域資源時,關聯的 Voice Connector 會代表您傳送存取您 AWS 帳戶中 KMS 金鑰的`CreateGrant`請求。Voice Connector 建立的授予專屬於與客戶受管金鑰相關聯的資源。Voice Connector 也會在您刪除資源時,使用 `RetireGrant`操作移除授予。
下列範例會記錄 `CreateGrant`操作。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
"accountId": "111122223333",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-04-22T17:02:00Z"
}
},
"invokedBy": "AWS Internal"
},
"eventTime": "2021-04-22T17:07:02Z",
"eventSource": "kms.amazonaws.com",
"eventName": "CreateGrant",
"awsRegion": "us-west-2",
"sourceIPAddress": "172.12.34.56",
"userAgent": "ExampleDesktop/1.0 (V1; OS)",
"requestParameters": {
"constraints": {
"encryptionContextSubset": {
"aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:111122223333:voice-profile-domain/sample-domain-id"
}
},
"retiringPrincipal": "chimevoiceconnector.region.amazonaws.com",
"operations": [
"GenerateDataKey",
"Decrypt",
"DescribeKey",
"RetireGrant"
],
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
"granteePrincipal": "chimevoiceconnector.region.amazonaws.com",
"retiringPrincipal": "chimevoiceconnector.region.amazonaws.com"
},
"responseElements": {
"grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE"
},
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": false,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"eventCategory": "Management",
"recipientAccountId": "111122223333"
}
```
------
#### [ GenerateDataKey ]
當您建立語音設定檔網域並將客戶受管金鑰指派給網域時,相關聯的 Voice Connector 會建立唯一的資料金鑰來加密每個發言者的註冊音訊。Voice Connector 會將`GenerateDataKey`請求傳送至 AWS KMS,以指定資源的金鑰。
下列範例會記錄 `GenerateDataKey`操作。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AWSService",
"invokedBy": "AWS Internal"
},
"eventTime": "2021-04-22T17:07:02Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKey",
"awsRegion": "us-west-2",
"sourceIPAddress": "172.12.34.56",
"userAgent": "ExampleDesktop/1.0 (V1; OS)",
"requestParameters": {
"encryptionContext": {
"aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:111122223333:voice-profile-domain/sample-domain-id"
},
"keySpec": "AES_256",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"eventCategory": "Management",
"recipientAccountId": "111122223333",
"sharedEventID": "57f5dbee-16da-413e-979f-2c4c6663475e"
}
```
------
#### [ 解密 ]
當語音設定檔網域中的語音設定檔因為較新的語音辨識模型而需要升級其語音列印時,相關聯的語音連接器會呼叫 `Decrypt`操作,以使用儲存的加密資料金鑰來存取加密的資料。
下列範例會記錄 `Decrypt`操作。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AWSService",
"invokedBy": "AWS Internal"
},
"eventTime": "2021-10-12T23:59:34Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-west-2",
"sourceIPAddress": "172.12.34.56",
"userAgent": "ExampleDesktop/1.0 (V1; OS)",
"requestParameters": {
"encryptionContext": {
"keyId": "arn:aws:kms:us-west-2:111122223333:key/44444444-3333-2222-1111-EXAMPLE11111",
"encryptionContext": {
"aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:111122223333:voice-profile-domain/sample-domain-id"
},
"encryptionAlgorithm": "SYMMETRIC_DEFAULT"
},
"responseElements": null,
"requestID": "ed0fe4ab-305b-4388-8adf-7e8e3a4e80fe",
"eventID": "31d0d7c6-ce5b-4caf-901f-025bf71241f6",
"readOnly": true,
"resources": [{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/00000000-1111-2222-3333-9999999999999"
}],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"sharedEventID": "35d58aa1-26b2-427a-908f-025bf71241f6",
"eventCategory": "Management"
}
```
------
#### [ DescribeKey ]
Voice Connectors 使用 `DescribeKey`操作來驗證與語音設定檔網域相關聯的金鑰是否存在於帳戶和區域中。
下列範例會記錄 `DescribeKey`操作。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
"accountId": "111122223333",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-04-22T17:02:00Z"
}
},
"invokedBy": "AWS Internal"
},
"eventTime": "2021-04-22T17:07:02Z",
"eventSource": "kms.amazonaws.com",
"eventName": "DescribeKey",
"awsRegion": "us-west-2",
"sourceIPAddress": "172.12.34.56",
"userAgent": "ExampleDesktop/1.0 (V1; OS)",
"requestParameters": {
"keyId": "00dd0db0-0000-0000-ac00-b0c000SAMPLE"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"eventCategory": "Management",
"recipientAccountId": "111122223333"
}
```
------