管理 Amazon ECS 的 Fargate 临时存储的 AWS KMS 密钥
创建或导入 AWS KMS 密钥以加密 Fargate 临时存储后,您可以像管理任何其他 AWS KMS 密钥一样对其进行管理。
自动轮换 AWS KMS 密钥
您可以启用自动密钥轮换,也可以手动轮换密钥。自动密钥轮换通过每年为密钥生成新的加密材料来轮换密钥。AWS KMS 还会保存所有先前版本的加密材料,以便您能够解密使用早期密钥版本的任何数据。在删除密钥之前,AWS KMS 不会删除任何轮换的材料。
自动密钥轮换属于可选功能,您可以随时启用或禁用。
禁用或撤销 AWS KMS 密钥
如果您在 AWS KMS 中禁用了某个客户自主管理型密钥,这不会对正在运行的任务产生任何影响,并且这些任务将在整个生命周期中继续正常运行。如果新任务使用已禁用或已撤销的密钥,则该任务将因无法访问该密钥而失败。建议您设置 CloudWatch 警报或类似机制,来确保永远不需要使用已禁用的密钥来解密已加密的数据。
删除 AWS KMS 密钥
删除密钥应始终是最后的选择,并且仅在您确定永远不会再需要已删除的密钥时删除密钥。尝试使用已删除密钥的新任务将失败,因为这些任务将无法访问该密钥。AWS KMS 建议您禁用密钥,而不是将其删除。如果您觉得确有必要删除密钥,我们建议您首先将其禁用,然后设置 CloudWatch 警报以确保不需要该密钥。如果您确实删除了某个密钥,AWS KMS 将至少允许您在七天内改变主意。
审计 AWS KMS 密钥访问情况
您可以使用 CloudTrail 日志来审计对 AWS KMS 密钥的访问情况。您可以检查 AWS KMS 操作 CreateGrant、GenerateDataKeyWithoutPlaintext 和 Decrypt。这些操作还将显示 aws:ecs:clusterAccount 和 aws:ecs:clusterName,以作为 CloudTrail 中记录的 EncryptionContext 的一部分。
以下是 GenerateDataKeyWithoutPlaintext、GenerateDataKeyWithoutPlaintext (DryRun)、CreateGrant、CreateGrant
(DryRun) 和 RetireGrant 的示例 CloudTrail 事件(请用您自己的值替换红色的值)。
- GenerateDataKeyWithoutPlaintext
-
{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "ec2-frontend-api.amazonaws.com" }, "eventTime": "2024-04-23T18:08:13Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKeyWithoutPlaintext", "awsRegion": "us-west-2", "sourceIPAddress": "ec2-frontend-api.amazonaws.com", "userAgent": "ec2-frontend-api.amazonaws.com", "requestParameters": { "numberOfBytes": 64, "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "encryptionContext": { "aws:ecs:clusterAccount": "account-id", "aws:ebs:id": "vol-xxxxxxx", "aws:ecs:clusterName": "cluster-name" } }, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "readOnly": true, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "account-id", "sharedEventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa", "eventCategory": "Management" } - GenerateDataKeyWithoutPlaintext (DryRun)
-
{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "fargate.amazonaws.com" }, "eventTime": "2024-04-23T18:08:11Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKeyWithoutPlaintext", "awsRegion": "us-west-2", "sourceIPAddress": "fargate.amazonaws.com", "userAgent": "fargate.amazonaws.com", "errorCode": "DryRunOperationException", "errorMessage": "The request would have succeeded, but the DryRun option is set.", "requestParameters": { "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "dryRun": true, "numberOfBytes": 64, "encryptionContext": { "aws:ecs:clusterAccount": "account-id", "aws:ecs:clusterName": "cluster-name" } }, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "readOnly": true, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "account-id", "sharedEventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa", "eventCategory": "Management" } - CreateGrant
-
{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "ec2-frontend-api.amazonaws.com" }, "eventTime": "2024-04-23T18:08:13Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "awsRegion": "us-west-2", "sourceIPAddress": "ec2-frontend-api.amazonaws.com", "userAgent": "ec2-frontend-api.amazonaws.com", "requestParameters": { "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "granteePrincipal": "fargate.us-west-2.amazonaws.com", "operations": [ "Decrypt" ], "constraints": { "encryptionContextSubset": { "aws:ecs:clusterAccount": "account-id", "aws:ebs:id": "vol-xxxx", "aws:ecs:clusterName": "cluster-name" } }, "retiringPrincipal": "ec2.us-west-2.amazonaws.com" }, "responseElements": { "grantId": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "readOnly": false, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "account-id", "sharedEventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa", "eventCategory": "Management" } - CreateGrant (DryRun)
-
{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "fargate.amazonaws.com" }, "eventTime": "2024-04-23T18:08:11Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "awsRegion": "us-west-2", "sourceIPAddress": "fargate.amazonaws.com", "userAgent": "fargate.amazonaws.com", "errorCode": "DryRunOperationException", "errorMessage": "The request would have succeeded, but the DryRun option is set.", "requestParameters": { "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "granteePrincipal": "fargate.us-west-2.amazonaws.com", "dryRun": true, "operations": [ "Decrypt" ], "constraints": { "encryptionContextSubset": { "aws:ecs:clusterAccount": "account-id", "aws:ecs:clusterName": "cluster-name" } } }, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "readOnly": false, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "account-id", "sharedEventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa", "eventCategory": "Management" } - RetireGrant
-
{ "eventVersion": "1.08", "userIdentity": { "type": "AWSService", "invokedBy": "AWS Internal" }, "eventTime": "2024-04-20T18:37:38Z", "eventSource": "kms.amazonaws.com", "eventName": "RetireGrant", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": null, "responseElements": { "keyId": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "additionalEventData": { "grantId": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" }, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "readOnly": false, "resources": [ { "accountId": "AWS Internal", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:account-id:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "account-id", "sharedEventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa", "eventCategory": "Management" }
为 Fargate 临时存储创建加密密钥
任务停用和维护