本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# TLE 和 OEM ephemeris 資料的靜態加密
## TLE 和 OEM ephemeris 的關鍵政策需求
若要搭配 ephemeris 資料使用客戶受管金鑰,您的金鑰政策必須將下列許可授予 AWS Ground Station 服務:
+ [https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) - 在客戶受管金鑰上建立存取授權。授予在客戶受管金鑰上執行[授予操作](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)的 AWS Ground Station 存取權,以讀取和儲存加密的資料。
+ [https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) - 提供客戶受管金鑰詳細資訊, AWS Ground Station 允許 在嘗試使用提供的金鑰之前驗證金鑰。
如需[使用授權](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)的詳細資訊,請參閱 AWS Key Management Service 開發人員指南。
## 使用客戶受管金鑰建立 ephemeris 的 IAM 使用者許可
當 AWS Ground Station 在密碼編譯操作中使用客戶受管金鑰時,它會代表建立 ephemeris 資源的使用者。
若要使用客戶受管金鑰建立 ephemeris 資源,使用者必須具有在客戶受管金鑰上呼叫下列操作的許可:
+ [https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) - 允許使用者代表客戶受管金鑰建立授予 AWS Ground Station。
+ [https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) - 允許使用者檢視客戶受管金鑰詳細資訊,以驗證金鑰。
您可以在金鑰政策或在 IAM 政策中指定這些必要的許可 (如果金鑰政策允許)。這些許可可確保使用者可以授權 代表他們 AWS Ground Station 使用客戶受管金鑰進行加密操作。
## 如何在 中使用 AWS Ground Station AWS KMS 授予進行暫時性差異
AWS Ground Station 需要[金鑰授權](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)才能使用您的客戶受管金鑰。
當您上傳使用客戶受管金鑰加密的 ephemeris 時, 會透過傳送 [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) 請求至 來代表您 AWS Ground Station 建立金鑰授權 AWS KMS。中的授予 AWS KMS 用於授予 AWS Ground Station 您帳戶中 AWS KMS 金鑰的存取權。
這可讓 AWS Ground Station 執行下列動作:
+ 呼叫 [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) 以產生加密的資料金鑰並將其存放,因為不會立即使用資料金鑰進行加密。
+ 呼叫 [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) 以使用儲存的加密資料金鑰來存取加密的資料。
+ 呼叫 [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) 以使用資料金鑰來加密資料。
+ 設定淘汰委託人,以允許服務轉換為 [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html)。
您可以隨時撤銷授予的存取權。如果您這麼做, AWS Ground Station 則無法存取客戶受管金鑰加密的任何資料,這會影響依賴該資料的操作。例如,如果您從目前用於聯絡的 ephemeris 移除金鑰授予, AWS Ground Station 則 將無法在聯絡期間使用提供的 ephemeris 資料來指向天線。這會導致聯絡人以 FAILED 狀態結束。
## Ephemeris 加密內容
加密 ephemeris 資源的金鑰授予會繫結至特定的衛星 ARN。
```
"encryptionContext": {
"aws:groundstation:arn": "arn:aws:groundstation::111122223333:satellite/00a770b0-082d-45a4-80ed-SAMPLE",
"aws:s3:arn": "arn:aws:s3:::customerephemerisbucket/0034abcd-12ab-34cd-56ef-123456SAMPLE"
}
```
**注意**
金鑰授權會針對相同的金鑰衛星對重複使用。
## 使用加密內容進行監控
當您使用對稱客戶受管金鑰來加密暫時性資料時,您也可以使用稽核記錄和日誌中的加密內容來識別客戶受管金鑰的使用方式。加密內容也會出現在 [AWS CloudTrail 或 Amazon CloudWatch Logs 產生的日誌](https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html)中。
## 使用加密內容控制對客戶受管金鑰的存取
您也可以在金鑰政策和 IAM 政策中,使用加密內容作為 `conditions` 來控制對於對稱客戶受管金鑰的存取。您也可以在授予中使用加密內容條件。
AWS Ground Station 在授予中使用加密內容限制,以控制對您帳戶或區域中客戶受管金鑰的存取。授予條件會要求授予允許的操作使用指定的加密內容。
以下是授予特定加密內容之客戶受管金鑰存取權的金鑰政策陳述式範例。此政策陳述式中的條件會要求具有指定加密內容的加密內容條件。
下列範例顯示繫結至衛星之 ephemeris 資料的金鑰政策:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Allow AWS Ground Station to Describe key",
"Effect": "Allow",
"Principal": {
"Service": "groundstation.us-east-1.amazonaws.com"
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Allow AWS Ground Station to Create Grant on key",
"Effect": "Allow",
"Principal": {
"Service": "groundstation.us-east-1.amazonaws.com"
},
"Action": "kms:CreateGrant",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:aws:groundstation:arn": "arn:aws:groundstation::123456789012:satellite/satellite-id"
}
}
}
]
}
```
------
## 監控 ephemeris 的加密金鑰
當您搭配 ephemeris 資源使用 AWS Key Management Service 客戶受管金鑰時,您可以使用 [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)或 [ Amazon CloudWatch logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html)來追蹤 AWS Ground Station 傳送的請求 AWS KMS。下列範例是 [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)、[GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)、[Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) 和 [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) 的 CloudTrail 事件,用於監控 AWS KMS 呼叫的操作 AWS Ground Station ,以存取客戶受管金鑰加密的資料。
------
#### [ CreateGrant ]
當您使用 AWS KMS 客戶受管金鑰加密 ephemeris 資源時, 會代表您 AWS Ground Station 傳送 [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) 請求,以存取您 AWS 帳戶中的 AWS KMS 金鑰。建立的 AWS Ground Station 授予專屬於與客戶 AWS KMS 受管金鑰相關聯的資源。此外, AWS Ground Station 當您刪除資源時, 會使用 [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) 操作來移除授予。
下列範例事件會記錄 ephemeris 的 [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) 操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "ASIAIOSFODNN7EXAMPLE",
"arn": "arn:aws:sts::111122223333:assumed-role/Admin/SampleUser01",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "ASIAIOSFODNN7EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-02-22T22:22:22Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "AWS Internal"
},
"eventTime": "2022-02-22T22:22:22Z",
"eventSource": "kms.amazonaws.com",
"eventName": "CreateGrant",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "ExampleDesktop/1.0 (V1; OS)",
"requestParameters": {
"operations": [
"GenerateDataKeyWithoutPlaintext",
"Decrypt",
"Encrypt"
],
"constraints": {
"encryptionContextSubset": {
"aws:groundstation:arn": "arn:aws:groundstation::111122223333:satellite/00a770b0-082d-45a4-80ed-SAMPLE"
}
},
"granteePrincipal": "groundstation.us-west-2.amazonaws.com",
"retiringPrincipal": "groundstation.us-west-2.amazonaws.com",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
},
"responseElements": {
"grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE"
},
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": false,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------
#### [ DescribeKey ]
當您使用 AWS KMS 客戶受管金鑰加密 ephemeris 資源時, 會代表您 AWS Ground Station 傳送 [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) 請求,以驗證請求的金鑰是否存在於您的帳戶中。
下列範例事件會記錄 [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) 操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "ASIAIOSFODNN7EXAMPLE",
"arn": "arn:aws:sts::111122223333:assumed-role/User/Role",
"accountId": "111122223333",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "ASIAIOSFODNN7EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Role",
"accountId": "111122223333",
"userName": "User"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-02-22T22:22:22Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "AWS Internal"
},
"eventTime": "2022-02-22T22:22:22Z",
"eventSource": "kms.amazonaws.com",
"eventName": "DescribeKey",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
------
#### [ GenerateDataKey ]
當您使用 AWS KMS 客戶受管金鑰來加密 ephemeris 資源時, 會將 [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) 請求 AWS Ground Station 傳送至 ,以產生用於加密資料的資料金鑰。
下列範例事件會記錄 ephemeris 的 [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) 操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AWSService",
"invokedBy": "AWS Internal"
},
"eventTime": "2022-02-22T22:22:22Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKey",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"keySpec": "AES_256",
"encryptionContext": {
"aws:groundstation:arn": "arn:aws:groundstation::111122223333:satellite/00a770b0-082d-45a4-80ed-SAMPLE",
"aws:s3:arn": "arn:aws:s3:::customerephemerisbucket/0034abcd-12ab-34cd-56ef-123456SAMPLE"
},
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventCategory": "Management"
}
```
------
#### [ Decrypt ]
當您使用 AWS KMS 客戶受管金鑰來加密 ephemeris 資源時,如果已使用相同的客戶受管金鑰加密,則 AWS Ground Station 會使用 [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) 操作來解密提供的 ephemeris。例如,如果 ephemeris 正在從 S3 儲存貯體上傳,並使用指定的金鑰在該儲存貯體中加密。
下列範例事件會記錄 ephemeris 的 [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) 操作:
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AWSService",
"invokedBy": "AWS Internal"
},
"eventTime": "2022-02-22T22:22:22Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"encryptionContext": {
"aws:groundstation:arn": "arn:aws:groundstation::111122223333:satellite/00a770b0-082d-45a4-80ed-SAMPLE",
"aws:s3:arn": "arn:aws:s3:::customerephemerisbucket/0034abcd-12ab-34cd-56ef-123456SAMPLE"
},
"encryptionAlgorithm": "SYMMETRIC_DEFAULT"
},
"responseElements": null,
"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
"eventCategory": "Management"
}
```
------