本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# Decrypt
这些示例显示了 [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) 操作的 AWS CloudTrail 日志条目。
`requestParameters`即使请求`encryptionAlgorithm`中未指定加密算法,`Decrypt`操作的 CloudTrail 日志条目也始终包含在中。省略了请求中的密文和响应中的明文。
**Topics**
+ [使用标准对称加密密钥解密](#ct-decrypt-default)
+ [使用标准对称加密密钥解密失败](#ct-decrypt-fail)
+ [使用密钥库中的 KMS 密钥进行 AWS CloudHSM 解密](#ct-decrypt-hsm)
+ [使用外部密钥存储中的 KMS 密钥解密](#ct-decrypt-xks)
+ [使用外部密钥存储中的 KMS 密钥解密失败](#ct-decrypt-xks-fail)
+ [通过后量子 TLS 连接使用标准对称加密密钥进行解密](#ct-decrypt-default-pqtls)
## 使用标准对称加密密钥解密
以下是使用标准对称加密密钥的`Decrypt`操作的 CloudTrail 日志条目示例。
```
{
"eventVersion": "1.11",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::111122223333:user/Alice",
"accountId": "111122223333",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2025-05-20T20:45:00Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.0",
"userAgent": "AWS Internal",
"requestParameters": {
"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"encryptionContext": {
"Department": "Engineering",
"Project": "Alpha"
}
},
"responseElements": null,
"additionalEventData": {
"keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
},
"requestID": "12345126-30d5-4b28-98b9-9153da559963",
"eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES256-GCM-SHA384",
"clientProvidedHostHeader": "kms.us-west-2.amazonaws.com"
}
}
```
## 使用标准对称加密密钥解密失败
以下示例 CloudTrail 日志条目记录了使用标准对称加密 KMS 密钥的失败`Decrypt`操作。包含异常(`errorCode`)和错误消息(`errorMessage`),可帮助您解决错误。
在这种情况下,`Decrypt` 请求中指定的对称加密 KMS 密钥不是用于加密数据的对称加密 KMS 密钥。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::111122223333:user/Alice",
"accountId": "111122223333",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2022-11-24T18:57:43Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.0",
"userAgent": "AWS Internal",
"errorCode": "IncorrectKeyException"
"errorMessage": "The key ID in the request does not identify a CMK that can perform this operation.",
"requestParameters": {
"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"encryptionContext": {
"Department": "Engineering",
"Project": "Alpha"
}
},
"responseElements": null,
"requestID": "22345126-30d5-4b28-98b9-9153da559963",
"eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
],
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
}
```
## 使用密钥库中的 KMS 密钥进行 AWS CloudHSM 解密
以下示例 CloudTrail 日志条目记录了在密钥库中使用 KMS [AWS CloudHSM 密钥进行的`Decrypt`](keystore-cloudhsm.md)操作。使用自定义密钥存储中的 KMS 密钥进行加密操作的所有日志条目都包含带有 `customKeyStoreId` 和 `backingKeyId` 的 `additionalEventData` 字段。`backingKeyId` 字段中返回的值是 CloudHSM 密钥 `id` 属性。请求中未指定 `additionalEventData`。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::111122223333:user/Alice",
"accountId": "111122223333",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2021-10-26T23:41:27Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.0",
"requestParameters": {
"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"encryptionContext": {
"Department": "Development",
"Purpose": "Test"
}
},
"responseElements": null,
"additionalEventData": {
"customKeyStoreId": "cks-1234567890abcdef0"
},
"requestID": "e1b881f8-2048-41f8-b6cc-382b7857ec61",
"eventID": "a79603d5-4cde-46fc-819c-a7cf547b9df4",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
## 使用外部密钥存储中的 KMS 密钥解密
以下示例 CloudTrail 日志条目记录了在[外部密钥存储中使用 KMS 密钥进行的`Decrypt`](keystore-external.md)操作。除了 `customKeyStoreId`,`additionalEventData` 字段包括[外部密钥 ID](keystore-external.md#concept-external-key)(`XksKeyId`)。请求中未指定 `additionalEventData`。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::111122223333:user/Alice",
"accountId": "111122223333",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2022-11-24T00:26:58Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"requestParameters": {
"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
"encryptionContext": {
"Department": "Engineering",
"Purpose": "Test"
}
},
"responseElements": null,
"additionalEventData": {
"customKeyStoreId": "cks-9876543210fedcba9",
"xksKeyId": "abc01234567890fe"
},
"requestID": "f1b881f8-2048-41f8-b6cc-382b7857ec61",
"eventID": "b79603d5-4cde-46fc-819c-a7cf547b9df4",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
## 使用外部密钥存储中的 KMS 密钥解密失败
以下示例 CloudTrail 日志条目记录了使用[外部密钥存储库](keystore-external.md)中的 KMS 密钥`Decrypt`执行操作的失败请求。 CloudWatch 除了成功的请求外,还会记录失败的请求。记录失败时, CloudTrail 日志条目包括异常(ErrorCode)和随附的错误消息(ErrorMessage)。
如果失败的请求到达了您的外部密钥存储代理(如本示例所示),则您可以使用 `requestId` 值将失败的请求与您的外部密钥存储代理日志的相应请求关联起来(如果您的代理提供了这些请求)。
如需帮助解决外部密钥存储中的 `Decrypt` 请求,请参阅 [解密错误](xks-troubleshooting.md#fix-xks-decrypt)。
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::111122223333:user/Alice",
"accountId": "111122223333",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2022-11-24T00:26:58Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"errorCode": "KMSInvalidStateException",
"errorMessage": "The external key store proxy rejected the request because the specified ciphertext or additional authenticated data is corrupted, missing, or otherwise invalid.",
"requestParameters": {
"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
"encryptionContext": {
"Department": "Engineering",
"Purpose": "Test"
}
},
"responseElements": null,
"additionalEventData": {
"customKeyStoreId": "cks-9876543210fedcba9",
"xksKeyId": "abc01234567890fe"
},
"requestID": "f1b881f8-2048-41f8-b6cc-382b7857ec61",
"eventID": "b79603d5-4cde-46fc-819c-a7cf547b9df4",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
## 通过后量子 TLS 连接使用标准对称加密密钥进行解密
以下是通过后量子 TLS 连接使用标准对称加密密钥的`Decrypt`操作的 CloudTrail 日志条目示例。该`tlsDetails`部分中的 KeyExchange 字段提到`X25519MLKEM768`。[这是一种*混合*算法,将[椭圆曲线 Diffie-Hellman (ECDH) 与[曲线 25519](https://en.wikipedia.org/wiki/Curve25519)(当今在 TL](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman) S 中使用的经典密钥交换算法)与[基于模块格子的密钥封装机制 (ML-KEM) 相结合,后者是一种公钥加密和密钥](https://csrc.nist.gov/pubs/fips/203/final)建立算法,被美国国家标准与技术研究所 (NIST) 指定为其第一个标准的后量子密钥协议算法。](https://csrc.nist.gov/pubs/fips/203/final)
```
{
"eventVersion": "1.11",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::111122223333:user/Alice",
"accountId": "111122223333",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2025-11-12T15:16:26Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-sdk-java/2.30.22 md/io#async md/http#AwsCommonRuntime ...",
"requestParameters": {
"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"encryptionContext": {
"Department": "Engineering",
"Project": "Alpha"
}
},
"responseElements": null,
"additionalEventData": {
"keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
},
"requestID": "12345126-30d5-4b28-98b9-9153da559963",
"eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521",
"readOnly": true,
"resources": [
{
"accountId": "111122223333",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_256_GCM_SHA384",
"clientProvidedHostHeader": "kms.us-west-2.amazonaws.com",
"keyExchange": "X25519MLKEM768"
}
}
```