Esempio due di Amazon EC2 - AWS Key Management Service

Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.

Esempio due di Amazon EC2

Nell'esempio seguente, un principale IAM che esegue un'istanza Amazon EC2 crea e monta un volume di dati crittografato in una chiave KMS. Questa azione genera più record di CloudTrail registro.

Quando il volume viene creato, Amazon EC2, agendo per conto del cliente, ottiene una chiave dati crittografata da AWS KMS (GenerateDataKeyWithoutPlaintext). Quindi crea un’autorizzazione (CreateGrant) che gli consente di decrittografare la chiave dati. Quando il volume è montato, Amazon EC2 chiama AWS KMS per decrittare la chiave dati (Decrypt).

instanceId dell'istanza Amazon EC2, "i-81e2f56c", viene visualizzato nell'evento RunInstances. Lo stesso ID dell’istanza qualifica l’elemento granteePrincipal dell’autorizzazione creato ("111122223333:aws:ec2-infrastructure:i-81e2f56c") e il ruolo assunto che è l'entità nella chiamata Decrypt ("arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-81e2f56c").

L'ARN della chiave KMS che protegge il volume dei dati, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab, viene mostrato in tutte e tre le chiamate AWS KMS (CreateGrant, GenerateDataKeyWithoutPlaintext e Decrypt).

{ "Records": [ { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-11-05T21:35:27Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "requestParameters": { "instancesSet": { "items": [ { "imageId": "ami-b66ed3de", "minCount": 1, "maxCount": 1 } ] }, "groupSet": { "items": [ { "groupId": "sg-98b6e0f2" } ] }, "instanceType": "m3.medium", "blockDeviceMapping": { "items": [ { "deviceName": "/dev/xvda", "ebs": { "volumeSize": 8, "deleteOnTermination": true, "volumeType": "gp2" } }, { "deviceName": "/dev/sdb", "ebs": { "volumeSize": 8, "deleteOnTermination": false, "volumeType": "gp2", "encrypted": true } } ] }, "monitoring": { "enabled": false }, "disableApiTermination": false, "instanceInitiatedShutdownBehavior": "stop", "clientToken": "XdKUT141516171819", "ebsOptimized": false }, "responseElements": { "reservationId": "r-5ebc9f74", "ownerId": "111122223333", "groupSet": { "items": [ { "groupId": "sg-98b6e0f2", "groupName": "launch-wizard-2" } ] }, "instancesSet": { "items": [ { "instanceId": "i-81e2f56c", "imageId": "ami-b66ed3de", "instanceState": { "code": 0, "name": "pending" }, "amiLaunchIndex": 0, "productCodes": { }, "instanceType": "m3.medium", "launchTime": 1415223328000, "placement": { "availabilityZone": "us-east-1a", "tenancy": "default" }, "monitoring": { "state": "disabled" }, "stateReason": { "code": "pending", "message": "pending" }, "architecture": "x86_64", "rootDeviceType": "ebs", "rootDeviceName": "/dev/xvda", "blockDeviceMapping": { }, "virtualizationType": "hvm", "hypervisor": "xen", "clientToken": "XdKUT1415223327917", "groupSet": { "items": [ { "groupId": "sg-98b6e0f2", "groupName": "launch-wizard-2" } ] }, "networkInterfaceSet": { }, "ebsOptimized": false } ] } }, "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2", "eventID": "cd75a605-2fee-4fda-b847-9c3d330ebaae", "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }, { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-11-05T21:35:35Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "requestParameters": { "constraints": { "encryptionContextSubset": { "aws:ebs:id": "vol-f67bafb2" } }, "granteePrincipal": "111122223333:aws:ec2-infrastructure:i-81e2f56c", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, "responseElements": { "grantId": "abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514a" }, "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2", "eventID": "c1ad79e3-0d3f-402a-b119-d5c31d7c6a6c", "readOnly": false, "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }, { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-11-05T21:35:32Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKeyWithoutPlaintext", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "requestParameters": { "encryptionContext": { "aws:ebs:id": "vol-f67bafb2" }, "numberOfBytes": 64, "keyId": "alias/aws/ebs" }, "responseElements": null, "requestID": "create-111122223333-758247346-1415223332", "eventID": "ac3cab10-ce93-4953-9d62-0b6e5cba651d", "readOnly": true, "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }, { "eventVersion": "1.02", "userIdentity": { "type": "AssumedRole", "principalId": "111122223333:aws:ec2-infrastructure:i-81e2f56c", "arn": "arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-81e2f56c", "accountId": "111122223333", "accessKeyId": "", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T21:35:38Z" }, "sessionIssuer": { "type": "Role", "principalId": "111122223333:aws:ec2-infrastructure", "arn": "arn:aws:iam::111122223333:role/aws:ec2-infrastructure", "accountId": "111122223333", "userName": "aws:ec2-infrastructure" } } }, "eventTime": "2014-11-05T21:35:47Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "requestParameters": { "encryptionContext": { "aws:ebs:id": "vol-f67bafb2" } }, "responseElements": null, "requestID": "b4b27883-6533-11e4-b4d9-751f1761e9e5", "eventID": "edb65380-0a3e-4123-bbc8-3d1b7cff49b0", "readOnly": true, "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" } ] }