

This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.

# Data encryption
<a name="data-encryption"></a>

With AWS HealthImaging you can add a layer of security to your data at rest in the cloud, with scalable and efficient encryption features. These include:
+ Data-at-rest encryption capabilities available in most AWS services
+ Flexible key management options, including AWS Key Management Service, that let you choose whether AWS manages the encryption keys or you keep complete control over your own keys
+ AWS-owned AWS KMS encryption keys
+ Encrypted message queues for transmitting sensitive data, using server-side encryption (SSE) for Amazon SQS

In addition, AWS provides APIs that let you integrate encryption and data protection with any of the services you develop or deploy in your AWS environment.

## Creating a customer managed key
<a name="creating-co-cmk"></a>

You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS APIs. For more information, see [Creating symmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*.

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. You can specify the key policy when you create the customer managed key. For more information, see [Managing access to customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#managing-access) in the *AWS Key Management Service Developer Guide*.

To use your customer managed key with your HealthImaging resources, the [kms:CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) operation must be allowed in the key policy. This adds a grant to the customer managed key; the grant controls access to the specified KMS key and gives HealthImaging the [grant operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) it requires. For more information, see [Grants in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in the *AWS Key Management Service Developer Guide*.

To use a customer managed KMS key with your HealthImaging resources, the following API operations must be allowed in the key policy:
+ `kms:DescribeKey` provides the customer managed key details that HealthImaging needs to validate the key. It is required for all operations.
+ `kms:GenerateDataKey` provides access to encrypt resources at rest for all write operations.
+ `kms:Decrypt` provides access for read or search operations on encrypted resources.
+ `kms:ReEncrypt*` provides access to re-encrypt resources.

The following is an example policy statement that allows HealthImaging to create data stores encrypted with this key and to interact with them. The principal is the HealthImaging service principal; `"Resource": "*"` in a key policy means the key the policy is attached to, and the values in the `Condition` block (the key ARN and `datastoreId`) are placeholders for the encryption context that HealthImaging supplies when it calls AWS KMS:

```
{
    "Sid": "Allow access to create data stores and perform CRUD and search in HealthImaging",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "medical-imaging.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:EncryptionContext:kms-arn": "arn:aws:kms:us-east-1:123456789012:key/bec71d48-3462-4cdd-9514-77a7226e001f",
            "kms:EncryptionContext:aws:medical-imaging:datastoreId": "datastoreId"
        }
    }
}
```

## Required IAM permissions when using a customer managed KMS key
<a name="required-iam-cmk"></a>

When you create a data store with AWS KMS encryption enabled using a customer managed KMS key, the user or role that creates the HealthImaging data store needs permissions in both the key policy and an IAM policy.

For more information about key policies, see [Enabling IAM policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) in the *AWS Key Management Service Developer Guide*.

The IAM user, IAM role, or AWS account that creates the data store must have the permissions in the following policy, in addition to the permissions required for AWS HealthImaging itself.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:GenerateDataKey",
        "kms:RetireGrant",
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/bec71d48-3462-4cdd-9514-77a7226e001f"
    }
  ]
}
```

------
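Before applying a key policy it is worth checking it statically against the requirements above. The following Python script is an added example, not code from the AWS documentation or from the HealthImaging service: it reads a key policy document and reports which of the operations listed in the previous section are not allowed to the `medical-imaging.amazonaws.com` service principal, whether the data store creator (or the account root statement, which is what lets an IAM policy like the one above take effect) can call `kms:CreateGrant`, and whether the service statement is pinned by the two `kms:EncryptionContext` condition keys. The sample policy, the `ImagingAdmin` role ARN and the `kms:GrantIsForAWSResource` condition on the creator's statement are constructed for this example; the check evaluates only the key policy's own `Allow` statements, not IAM policies, SCPs or existing grants.

```python
"""Lint a KMS key policy for use with an AWS HealthImaging data store.

Added example, not code from the AWS documentation or the HealthImaging service.
Evaluates only the key policy's own Allow statements (no IAM policies, SCPs or
existing grants): a pre-deployment check, not an authorization simulator.
"""
import fnmatch
import json

SERVICE_PRINCIPAL = "medical-imaging.amazonaws.com"

# Operations the key policy must allow the service principal
# (kms:ReEncrypt* expands to the two concrete API actions).
REQUIRED_SERVICE_ACTIONS = (
    "kms:DescribeKey",      # needed for every operation
    "kms:GenerateDataKey",  # write operations
    "kms:Decrypt",          # read and search operations
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
)
# Encryption-context keys HealthImaging supplies; pinning the service statement
# to them keeps the key from being usable for other data.
CONTEXT_KEYS = (
    "kms:EncryptionContext:kms-arn",
    "kms:EncryptionContext:aws:medical-imaging:datastoreId",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    found = []
    for kind in ("AWS", "Service"):
        found.extend(_as_list(principal.get(kind, [])))
    return found


def _allows(stmt, action):
    """Does this statement Allow `action`? Honors IAM wildcards such as kms:ReEncrypt*."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))


def _account_root(arn):
    return "arn:aws:iam::%s:root" % arn.split(":")[4]


def check_key_policy(policy, caller_arn):
    """Return findings for the data-store creator `caller_arn` against `policy`."""
    stmts = _as_list(policy.get("Statement", []))
    service_stmts = [s for s in stmts if SERVICE_PRINCIPAL in _principals(s)]
    missing = [a for a in REQUIRED_SERVICE_ACTIONS
               if not any(_allows(s, a) for s in service_stmts)]
    # CreateGrant may be allowed to the caller directly or via the account-root
    # statement that delegates to IAM policies.
    grantors = {caller_arn, _account_root(caller_arn)}
    can_grant = any(_allows(s, "kms:CreateGrant")
                    for s in stmts if grantors & set(_principals(s)))
    scoped = bool(service_stmts) and all(
        any(k in s.get("Condition", {}).get("StringEquals", {}) for s in service_stmts)
        for k in CONTEXT_KEYS)
    return {"missing_service_actions": missing,
            "caller_can_create_grant": can_grant,
            "service_scoped_by_encryption_context": scoped}


# --- constructed sample policy (assumptions: account, key and role ARNs) ----
ACCOUNT = "123456789012"
KEY_ARN = "arn:aws:kms:us-east-1:%s:key/bec71d48-3462-4cdd-9514-77a7226e001f" % ACCOUNT
CALLER = "arn:aws:iam::%s:role/ImagingAdmin" % ACCOUNT   # hypothetical data-store creator

# The service statement shown on this page, unchanged.
PAGE_STATEMENT = json.loads("""{
  "Sid": "Allow access to create data stores and perform CRUD and search in HealthImaging",
  "Effect": "Allow",
  "Principal": {"Service": ["medical-imaging.amazonaws.com"]},
  "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"],
  "Resource": "*",
  "Condition": {"StringEquals": {
    "kms:EncryptionContext:kms-arn": "%s",
    "kms:EncryptionContext:aws:medical-imaging:datastoreId": "datastoreId"}}
}""" % KEY_ARN)

# The same statement widened to every operation the page lists as required.
FULL_SERVICE_STATEMENT = dict(PAGE_STATEMENT, Action=[
    "kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*"])

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": _account_root(CALLER)}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "CreatorCanGrantOnlyToAWSServices", "Effect": "Allow",
         "Principal": {"AWS": CALLER}, "Action": ["kms:CreateGrant", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        FULL_SERVICE_STATEMENT,
    ],
}

if __name__ == "__main__":
    print(json.dumps(check_key_policy(SAMPLE_POLICY, CALLER), indent=2))
    print(json.dumps(check_key_policy({"Statement": [PAGE_STATEMENT]}, CALLER), indent=2))
```

Run against only the single service statement from the previous section, the check reports `kms:DescribeKey`, `kms:ReEncryptFrom` and `kms:ReEncryptTo` as not allowed, which is exactly the gap between that statement and the list of operations the key policy must allow; it also reports that nobody can create grants, because without the account-root statement the IAM policy above has nothing in the key policy to build on. The `kms:GrantIsForAWSResource` condition on the creator's statement limits `kms:CreateGrant` to grants that an AWS service creates on the principal's behalf, which is the only kind HealthImaging needs.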

### How HealthImaging uses grants in AWS KMS
<a name="grants-kms"></a>

HealthImaging requires a [grant](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to use your customer managed KMS key. When you create a data store encrypted with a customer managed KMS key, HealthImaging creates a grant on your behalf by sending a [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS. Grants in AWS KMS are used to give HealthImaging access to a KMS key in the customer's account.

The grants that HealthImaging creates on your behalf should not be revoked or retired. If you revoke or retire the grant that gives HealthImaging permission to use the AWS KMS key in your account, HealthImaging can no longer access the data: it cannot encrypt new image resources pushed to the data store, and it cannot decrypt existing ones when they are retrieved. When you revoke or retire a HealthImaging grant, the change takes effect immediately. To revoke access, delete the data store instead of revoking the grant. When the data store is deleted, HealthImaging retires the grant on your behalf.

### Monitoring your encryption keys for HealthImaging
<a name="monitoring-kms"></a>

When you use a customer managed KMS key, you can use CloudTrail to track the requests that HealthImaging sends to AWS KMS on your behalf. The entries in the CloudTrail log show `medical-imaging.amazonaws.com` in the `userAgent` field, which clearly distinguishes the requests made by HealthImaging.

The following examples are CloudTrail events for `CreateGrant`, `GenerateDataKey`, `Decrypt`, and `DescribeKey`, which you can use to monitor the AWS KMS operations that HealthImaging calls to access data encrypted with your customer managed key.

The following shows how `CreateGrant` is used to give HealthImaging access to the customer-provided KMS key, which lets HealthImaging encrypt all customer data at rest with that key. The listing is the set of grants that result, in the form the AWS KMS `ListGrants` operation returns them, rather than a CloudTrail record; note that only the third grant is constrained by an `EncryptionContextSubset` that pins it to the key ARN.

You do not need to create your own grants. HealthImaging creates the grant on your behalf by sending a `CreateGrant` request to AWS KMS. Grants in AWS KMS are used to give HealthImaging access to an AWS KMS key in the customer's account.

```
[
    {
        "KeyId": "arn:aws:kms:us-east-1:147997158357:key/8e1c34df-5fd2-49fa-8986-4618c9829a8c",
        "GrantId": "44e88bc45b769499ce5ec4abd5ecb27eeb3b178a4782452aae65fe885ee5ba20",
        "Name": "MedicalImagingGrantForQIDO_ebff634a-2d16-4046-9238-e3dc4ab54d29",
        "CreationDate": "2025-04-17T20:12:49+00:00",
        "GranteePrincipal": "AWS Internal",
        "RetiringPrincipal": "medical-imaging.us-east-1.amazonaws.com",
        "IssuingAccount": "medical-imaging.us-east-1.amazonaws.com",
        "Operations": [
            "Decrypt",
            "Encrypt",
            "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext",
            "ReEncryptFrom",
            "ReEncryptTo",
            "CreateGrant",
            "RetireGrant",
            "DescribeKey"
        ]
    },
    {
        "KeyId": "arn:aws:kms:us-east-1:147997158357:key/8e1c34df-5fd2-49fa-8986-4618c9829a8c",
        "GrantId": "9e5fd5ba7812daf75be4a86efb2b1920d6c0c9c0b19781549556bf2ff98953a1",
        "Name": "2025-04-17T20:12:38",
        "CreationDate": "2025-04-17T20:12:38+00:00",
        "GranteePrincipal": "medical-imaging.us-east-1.amazonaws.com",
        "RetiringPrincipal": "medical-imaging.us-east-1.amazonaws.com",
        "IssuingAccount": "AWS Internal",
        "Operations": [
            "Decrypt",
            "Encrypt",
            "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext",
            "ReEncryptFrom",
            "ReEncryptTo",
            "CreateGrant",
            "RetireGrant",
            "DescribeKey"
        ]
    },
    {
        "KeyId": "arn:aws:kms:us-east-1:147997158357:key/8e1c34df-5fd2-49fa-8986-4618c9829a8c",
        "GrantId": "ab4a9b919f6ca8eb2bd08ee72475658ee76cfc639f721c9caaa3a148941bcd16",
        "Name": "9d060e5b5d4144a895e9b24901088ca5",
        "CreationDate": "2025-04-17T20:12:39+00:00",
        "GranteePrincipal": "AWS Internal",
        "RetiringPrincipal": "medical-imaging.us-east-1.amazonaws.com",
        "IssuingAccount": "medical-imaging.us-east-1.amazonaws.com",
        "Operations": [
            "Decrypt",
            "Encrypt",
            "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext",
            "ReEncryptFrom",
            "ReEncryptTo",
            "DescribeKey"
        ],
        "Constraints": {
            "EncryptionContextSubset": {
                "kms-arn": "arn:aws:kms:us-east-1:147997158357:key/8e1c34df-5fd2-49fa-8986-4618c9829a8c"
            }
        }
    }
]
```

The following example shows how `GenerateDataKey` is used to verify that the user has the permissions needed to encrypt data before it is stored.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "EXAMPLEUSER",
        "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLEKEYID",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "EXAMPLEROLE",
                "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
                "accountId": "111122223333",
                "userName": "Sampleuser01"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2021-06-30T21:17:06Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "medical-imaging.amazonaws.com"
    },
    "eventTime": "2021-06-30T21:17:37Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "medical-imaging.amazonaws.com",
    "userAgent": "medical-imaging.amazonaws.com",
    "requestParameters": {
        "keySpec": "AES_256",
        "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    },
    "responseElements": null,
    "requestID": "EXAMPLE_ID_01",
    "eventID": "EXAMPLE_ID_02",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

The following example shows how HealthImaging calls the `Decrypt` operation to use the stored encrypted data key to access the encrypted data.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "EXAMPLEUSER",
        "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLEKEYID",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "EXAMPLEROLE",
                "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
                "accountId": "111122223333",
                "userName": "Sampleuser01"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2021-06-30T21:17:06Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "medical-imaging.amazonaws.com"
    },
    "eventTime": "2021-06-30T21:21:59Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "medical-imaging.amazonaws.com",
    "userAgent": "medical-imaging.amazonaws.com",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    },
    "responseElements": null,
    "requestID": "EXAMPLE_ID_01",
    "eventID": "EXAMPLE_ID_02",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

The following example shows how HealthImaging uses the `DescribeKey` operation to verify that the customer-owned AWS KMS key is in a usable state, and to help you troubleshoot when it is not.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "EXAMPLEUSER",
        "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLEKEYID",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "EXAMPLEROLE",
                "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
                "accountId": "111122223333",
                "userName": "Sampleuser01"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2021-07-01T18:36:14Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "medical-imaging.amazonaws.com"
    },
    "eventTime": "2021-07-01T18:36:36Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "medical-imaging.amazonaws.com",
    "userAgent": "medical-imaging.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    },
    "responseElements": null,
    "requestID": "EXAMPLE_ID_01",
    "eventID": "EXAMPLE_ID_02",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```
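Because the grants HealthImaging creates must not be revoked or retired, and because the `DescribeKey` calls above exist to notice a key that is no longer usable, a practitioner will usually want a detection over these CloudTrail records rather than just reading them. The following Python code is an added example, not part of the AWS documentation: it separates HealthImaging's own KMS calls (identified by the `userAgent` and `userIdentity.invokedBy` value `medical-imaging.amazonaws.com`, as in the events above) from everyone else's, summarizes the former per operation, and flags `RevokeGrant`, `RetireGrant`, `DisableKey` and `ScheduleKeyDeletion` against the data store's key by any principal other than HealthImaging. The records are constructed, trimmed-down CloudTrail events modelled on the ones shown above; the `kms-admin` user, the `OTHER_KEY` ARN and the `aws-cli` user agent string are assumptions.

```python
"""Detect tampering with the KMS key and grants behind a HealthImaging data store.

Added example, not code from the AWS documentation or the HealthImaging service.
Operates on CloudTrail records as Python dicts (one parsed JSON object each).
"""
import json
import sys

SERVICE = "medical-imaging.amazonaws.com"
GRANT_TAMPERING = {"RevokeGrant", "RetireGrant"}          # cuts HealthImaging off immediately
KEY_AVAILABILITY = {"DisableKey", "ScheduleKeyDeletion"}  # key unusable for every caller


def _key_arns(event):
    """Every KMS key ARN a record refers to (resources list plus requestParameters.keyId)."""
    arns = {r.get("ARN") for r in event.get("resources", []) if r.get("type") == "AWS::KMS::Key"}
    key_id = (event.get("requestParameters") or {}).get("keyId")
    if key_id:
        arns.add(key_id)
    return arns


def is_healthimaging_call(event):
    """True for KMS calls that HealthImaging made on the customer's behalf."""
    if event.get("eventSource") != "kms.amazonaws.com":
        return False
    invoked_by = event.get("userIdentity", {}).get("invokedBy")
    return event.get("userAgent") == SERVICE or invoked_by == SERVICE


def summarize_service_calls(events, key_arn):
    """Count HealthImaging's KMS operations against key_arn, keyed by eventName."""
    counts = {}
    for e in events:
        if is_healthimaging_call(e) and key_arn in _key_arns(e):
            counts[e["eventName"]] = counts.get(e["eventName"], 0) + 1
    return counts


def find_risky_events(events, key_arn):
    """Grant revocation/retirement or key disablement/deletion on key_arn by anyone other
    than HealthImaging itself (which retires its own grant when a data store is deleted)."""
    hits = []
    for e in events:
        if e.get("eventSource") != "kms.amazonaws.com" or key_arn not in _key_arns(e):
            continue
        name = e.get("eventName")
        if name in (GRANT_TAMPERING | KEY_AVAILABILITY) and not is_healthimaging_call(e):
            hits.append({
                "eventName": name,
                "eventTime": e.get("eventTime"),
                "actor": e.get("userIdentity", {}).get("arn"),
                "grantId": (e.get("requestParameters") or {}).get("grantId"),
            })
    return hits


# --- constructed sample records (trimmed CloudTrail shape) --------------------
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/OTHER_KEY"   # assumption
ROLE = "arn:aws:sts::111122223333:assumed-role/Sampleuser01"
ADMIN = "arn:aws:iam::111122223333:user/kms-admin"                # hypothetical


def _record(name, time, key, actor, via_service, **params):
    identity = {"type": "AssumedRole", "arn": actor}
    if via_service:
        identity["invokedBy"] = SERVICE
    return {
        "eventVersion": "1.08", "eventTime": time, "eventSource": "kms.amazonaws.com",
        "eventName": name, "awsRegion": "us-east-1", "userIdentity": identity,
        "userAgent": SERVICE if via_service else "aws-cli/2.15.0",  # assumed client UA
        "requestParameters": dict({"keyId": key}, **params),
        "resources": [{"type": "AWS::KMS::Key", "ARN": key}],
    }


SAMPLE_EVENTS = [
    _record("DescribeKey", "2021-07-01T18:36:36Z", KEY, ROLE, True),
    _record("GenerateDataKey", "2021-06-30T21:17:37Z", KEY, ROLE, True, keySpec="AES_256"),
    _record("Decrypt", "2021-06-30T21:21:59Z", KEY, ROLE, True,
            encryptionAlgorithm="SYMMETRIC_DEFAULT"),
    _record("Decrypt", "2021-06-30T21:22:10Z", OTHER_KEY, ROLE, False),   # unrelated key
    _record("RevokeGrant", "2021-07-02T09:15:00Z", KEY, ADMIN, False,
            grantId="44e88bc45b769499ce5ec4abd5ecb27eeb3b178a4782452aae65fe885ee5ba20"),
    _record("DisableKey", "2021-07-02T09:16:00Z", KEY, ADMIN, False),
]

if __name__ == "__main__":
    # Pass a file of one CloudTrail record per line, or fall back to the samples.
    events = SAMPLE_EVENTS if len(sys.argv) < 2 else [
        json.loads(line) for line in open(sys.argv[1]) if line.strip()]
    print("HealthImaging KMS calls:", summarize_service_calls(events, KEY))
    for hit in find_risky_events(events, KEY):
        print("ALERT", hit)
```

On the sample records the summary counts one `DescribeKey`, one `GenerateDataKey` and one `Decrypt` by HealthImaging, and the alert list carries the `RevokeGrant` and the `DisableKey` by `kms-admin`; the `Decrypt` on the unrelated key and the service's own calls are not flagged. The `RetireGrant` that HealthImaging performs when you delete a data store also passes, because `is_healthimaging_call` excludes it.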

### Learn more
<a name="more-info-kms"></a>

The following resources in the *AWS Key Management Service Developer Guide* provide more information about encryption of data at rest.
+ [AWS KMS concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)
+ [Security best practices for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html)