Ejemplo dos de Amazon EC2
En el ejemplo siguiente, una entidad principal de IAM que ejecuta una instancia de Amazon EC2 crea y monta un volumen de datos cifrado con una clave KMS. Esta acción genera varios registros de CloudTrail.
Cuando se crea el volumen, Amazon EC2, actuando en nombre del cliente, obtiene una clave de datos cifrada de AWS KMS (GenerateDataKeyWithoutPlaintext
). Luego crea una concesión (CreateGrant
) que le permite descifrar la clave de datos. Cuando se monta el volumen, Amazon EC2 llama a AWS KMS para descifrar la clave de datos (Decrypt
).
La instanceId
de la instancia de Amazon EC2, "i-81e2f56c"
, aparece en el evento RunInstances
. El mismo ID de instancia califica el granteePrincipal
de la concesión que se crea ("111122223333:aws:ec2-infrastructure:i-81e2f56c"
) y el rol asumido que es la entidad principal en la llamada Decrypt
("arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-81e2f56c"
).
El ARN de clave de la clave KMS que protege el volumen de datos arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
, aparece en las tres llamadas de AWS KMS (CreateGrant
, GenerateDataKeyWithoutPlaintext
y Decrypt
).
{ "Records": [ { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-11-05T21:35:27Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "requestParameters": { "instancesSet": { "items": [ { "imageId": "ami-b66ed3de", "minCount": 1, "maxCount": 1 } ] }, "groupSet": { "items": [ { "groupId": "sg-98b6e0f2" } ] }, "instanceType": "m3.medium", "blockDeviceMapping": { "items": [ { "deviceName": "/dev/xvda", "ebs": { "volumeSize": 8, "deleteOnTermination": true, "volumeType": "gp2" } }, { "deviceName": "/dev/sdb", "ebs": { "volumeSize": 8, "deleteOnTermination": false, "volumeType": "gp2", "encrypted": true } } ] }, "monitoring": { "enabled": false }, "disableApiTermination": false, "instanceInitiatedShutdownBehavior": "stop", "clientToken": "XdKUT141516171819", "ebsOptimized": false }, "responseElements": { "reservationId": "r-5ebc9f74", "ownerId": "111122223333", "groupSet": { "items": [ { "groupId": "sg-98b6e0f2", "groupName": "launch-wizard-2" } ] }, "instancesSet": { "items": [ { "instanceId": "i-81e2f56c", "imageId": "ami-b66ed3de", "instanceState": { "code": 0, "name": "pending" }, "amiLaunchIndex": 0, "productCodes": { }, "instanceType": "m3.medium", "launchTime": 1415223328000, "placement": { "availabilityZone": "us-east-1a", "tenancy": "default" }, "monitoring": { "state": "disabled" }, "stateReason": { "code": "pending", "message": "pending" }, "architecture": "x86_64", "rootDeviceType": "ebs", "rootDeviceName": "/dev/xvda", "blockDeviceMapping": { }, "virtualizationType": "hvm", "hypervisor": "xen", "clientToken": "XdKUT1415223327917", "groupSet": { "items": [ { "groupId": "sg-98b6e0f2", "groupName": "launch-wizard-2" } ] }, "networkInterfaceSet": { }, "ebsOptimized": false } ] } }, "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2", "eventID": "cd75a605-2fee-4fda-b847-9c3d330ebaae", "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }, { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-11-05T21:35:35Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "requestParameters": { "constraints": { "encryptionContextSubset": { "aws:ebs:id": "vol-f67bafb2" } }, "granteePrincipal": "111122223333:aws:ec2-infrastructure:i-81e2f56c", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, "responseElements": { "grantId": "abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514a" }, "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2", "eventID": "c1ad79e3-0d3f-402a-b119-d5c31d7c6a6c", "readOnly": false, "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }, { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-11-05T21:35:32Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKeyWithoutPlaintext", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "requestParameters": { "encryptionContext": { "aws:ebs:id": "vol-f67bafb2" }, "numberOfBytes": 64, "keyId": "alias/aws/ebs" }, "responseElements": null, "requestID": "create-111122223333-758247346-1415223332", "eventID": "ac3cab10-ce93-4953-9d62-0b6e5cba651d", "readOnly": true, "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }, { "eventVersion": "1.02", "userIdentity": { "type": "AssumedRole", "principalId": "111122223333:aws:ec2-infrastructure:i-81e2f56c", "arn": "arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-81e2f56c", "accountId": "111122223333", "accessKeyId": "", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T21:35:38Z" }, "sessionIssuer": { "type": "Role", "principalId": "111122223333:aws:ec2-infrastructure", "arn": "arn:aws:iam::111122223333:role/aws:ec2-infrastructure", "accountId": "111122223333", "userName": "aws:ec2-infrastructure" } } }, "eventTime": "2014-11-05T21:35:47Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "requestParameters": { "encryptionContext": { "aws:ebs:id": "vol-f67bafb2" } }, "responseElements": null, "requestID": "b4b27883-6533-11e4-b4d9-751f1761e9e5", "eventID": "edb65380-0a3e-4123-bbc8-3d1b7cff49b0", "readOnly": true, "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" } ] }