本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
在以下示例中,运行 Amazon EC2 实例的 IAM 委托人创建并挂载使用 KMS 密钥加密的数据卷。此操作会生成多条 CloudTrail 日志记录。
创建卷后,代表客户行事的 Amazon EC2 会从 AWS KMS (GenerateDataKeyWithoutPlaintext) 获得加密的数据密钥。然后会创建一个授权 (CreateGrant),从而允许它解密数据密钥。装入卷后,Amazon 会 EC2 调 AWS KMS 用解密数据密钥 () Decrypt。
Amazon EC2 实例的"i-81e2f56c",出现在RunInstances事件中。instanceId使用相同的实例 ID 来限定所创建授权的 granteePrincipal ("111122223333:aws:ec2-infrastructure:i-81e2f56c") 以及 Decrypt 调用中的委托人的代入角色 ("arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-81e2f56c")。
用于保护数据量的 KMS 密钥的密钥 ARN 出现在所有三个 AWS KMS 调用中(CreateGrantGenerateDataKeyWithoutPlaintext、和Decrypt)。arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
{
"Records": [
{
"eventVersion": "1.02",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::111122223333:user/Alice",
"accountId": "111122223333",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2014-11-05T21:35:27Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "RunInstances",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.0",
"userAgent": "AWS Internal",
"requestParameters": {
"instancesSet": {
"items": [
{
"imageId": "ami-b66ed3de",
"minCount": 1,
"maxCount": 1
}
]
},
"groupSet": {
"items": [
{
"groupId": "sg-98b6e0f2"
}
]
},
"instanceType": "m3.medium",
"blockDeviceMapping": {
"items": [
{
"deviceName": "/dev/xvda",
"ebs": {
"volumeSize": 8,
"deleteOnTermination": true,
"volumeType": "gp2"
}
},
{
"deviceName": "/dev/sdb",
"ebs": {
"volumeSize": 8,
"deleteOnTermination": false,
"volumeType": "gp2",
"encrypted": true
}
}
]
},
"monitoring": {
"enabled": false
},
"disableApiTermination": false,
"instanceInitiatedShutdownBehavior": "stop",
"clientToken": "XdKUT141516171819",
"ebsOptimized": false
},
"responseElements": {
"reservationId": "r-5ebc9f74",
"ownerId": "111122223333",
"groupSet": {
"items": [
{
"groupId": "sg-98b6e0f2",
"groupName": "launch-wizard-2"
}
]
},
"instancesSet": {
"items": [
{
"instanceId": "i-81e2f56c",
"imageId": "ami-b66ed3de",
"instanceState": {
"code": 0,
"name": "pending"
},
"amiLaunchIndex": 0,
"productCodes": {
},
"instanceType": "m3.medium",
"launchTime": 1415223328000,
"placement": {
"availabilityZone": "us-east-1a",
"tenancy": "default"
},
"monitoring": {
"state": "disabled"
},
"stateReason": {
"code": "pending",
"message": "pending"
},
"architecture": "x86_64",
"rootDeviceType": "ebs",
"rootDeviceName": "/dev/xvda",
"blockDeviceMapping": {
},
"virtualizationType": "hvm",
"hypervisor": "xen",
"clientToken": "XdKUT1415223327917",
"groupSet": {
"items": [
{
"groupId": "sg-98b6e0f2",
"groupName": "launch-wizard-2"
}
]
},
"networkInterfaceSet": {
},
"ebsOptimized": false
}
]
}
},
"requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2",
"eventID": "cd75a605-2fee-4fda-b847-9c3d330ebaae",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.02",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::111122223333:user/Alice",
"accountId": "111122223333",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2014-11-05T21:35:35Z",
"eventSource": "kms.amazonaws.com",
"eventName": "CreateGrant",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "AWS Internal",
"requestParameters": {
"constraints": {
"encryptionContextSubset": {
"aws:ebs:id": "vol-f67bafb2"
}
},
"granteePrincipal": "111122223333:aws:ec2-infrastructure:i-81e2f56c",
"keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
},
"responseElements": {
"grantId": "abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514a"
},
"requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2",
"eventID": "c1ad79e3-0d3f-402a-b119-d5c31d7c6a6c",
"readOnly": false,
"resources": [
{
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"accountId": "111122223333"
}
],
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.02",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::111122223333:user/Alice",
"accountId": "111122223333",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2014-11-05T21:35:32Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKeyWithoutPlaintext",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "AWS Internal",
"requestParameters": {
"encryptionContext": {
"aws:ebs:id": "vol-f67bafb2"
},
"numberOfBytes": 64,
"keyId": "alias/aws/ebs"
},
"responseElements": null,
"requestID": "create-111122223333-758247346-1415223332",
"eventID": "ac3cab10-ce93-4953-9d62-0b6e5cba651d",
"readOnly": true,
"resources": [
{
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"accountId": "111122223333"
}
],
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.02",
"userIdentity": {
"type": "AssumedRole",
"principalId": "111122223333:aws:ec2-infrastructure:i-81e2f56c",
"arn": "arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-81e2f56c",
"accountId": "111122223333",
"accessKeyId": "",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2014-11-05T21:35:38Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "111122223333:aws:ec2-infrastructure",
"arn": "arn:aws:iam::111122223333:role/aws:ec2-infrastructure",
"accountId": "111122223333",
"userName": "aws:ec2-infrastructure"
}
}
},
"eventTime": "2014-11-05T21:35:47Z",
"eventSource": "kms.amazonaws.com",
"eventName": "Decrypt",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"requestParameters": {
"encryptionContext": {
"aws:ebs:id": "vol-f67bafb2"
}
},
"responseElements": null,
"requestID": "b4b27883-6533-11e4-b4d9-751f1761e9e5",
"eventID": "edb65380-0a3e-4123-bbc8-3d1b7cff49b0",
"readOnly": true,
"resources": [
{
"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"accountId": "111122223333"
}
],
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
}
]
}