How AWS CloudTrail uses AWS KMS - AWS Key Management Service

This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.

How AWS CloudTrail uses AWS KMS

You can use AWS CloudTrail to record AWS API calls and other activity for your AWS account and to save the recorded information to log files in an Amazon Simple Storage Service (Amazon S3) bucket that you choose. By default, the log files that CloudTrail puts in your S3 bucket are encrypted with server-side encryption using Amazon S3 managed encryption keys (SSE-S3). You can choose to use server-side encryption with a KMS key (SSE-KMS) instead. To learn how to encrypt your CloudTrail log files with AWS KMS, see Encrypting CloudTrail log files with AWS KMS keys (SSE-KMS) in the AWS CloudTrail User Guide.

Important

AWS CloudTrail and Amazon S3 support only symmetric AWS KMS keys. You cannot use an asymmetric KMS key to encrypt your CloudTrail logs. For help determining whether a KMS key is symmetric or asymmetric, see Identifying different key types.

You do not pay a key-usage charge when CloudTrail reads or writes log files encrypted with an SSE-KMS key. However, when you access CloudTrail log files encrypted with an SSE-KMS key, you do pay a key-usage charge. For information about AWS KMS pricing, see AWS Key Management Service Pricing. For information about CloudTrail pricing, see AWS CloudTrail Pricing and Managing costs in the AWS CloudTrail User Guide.

Understanding when your KMS key is used

Encrypting CloudTrail log files with AWS KMS on Amazon S3 is a feature called server-side encryption with an AWS KMS key (SSE-KMS). To learn about SSE-KMS, see Protecting data using server-side encryption with KMS keys (SSE-KMS) in the Amazon Simple Storage Service User Guide.

When you configure AWS CloudTrail to encrypt your log files with SSE-KMS, CloudTrail and Amazon S3 use your AWS KMS key when you take certain actions with those services. The following sections explain when and how those services use your KMS key, and show the log entries you can use to verify that explanation.

You configure CloudTrail to encrypt log files with your AWS KMS key

When you update your CloudTrail configuration to use your KMS key, CloudTrail sends a GenerateDataKey request to AWS KMS to verify that the KMS key exists and that CloudTrail has permission to use it for encryption. CloudTrail does not use the data key that this request returns.

The GenerateDataKey request includes the following information in its encryption context (both pairs appear under requestParameters.encryptionContext in the log entry below):

- aws:cloudtrail:arn: the Amazon Resource Name (ARN) of the trail
- aws:s3:arn: the ARN of the S3 bucket and path prefix to which the trail delivers log files

This GenerateDataKey request produces an entry in your CloudTrail log similar to the following example. When you see a log entry like this one, you can determine that CloudTrail (the userIdentity) called the AWS KMS (eventSource) GenerateDataKey operation (eventName) for a specific trail (aws:cloudtrail:arn in the encryptionContext). AWS KMS created the data key under a specific KMS key (the ARN listed under resources). Note that aws:s3:arn here names only the bucket and path prefix, not a log file: nothing is being written yet, which is how you tell this permission check apart from the delivery entries in the next section.

{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::086441151436:user/AWSCloudTrail",
        "accountId": "086441151436",
        "accessKeyId": "AKIAI44QH8DHBEXAMPLE",
        "userName": "AWSCloudTrail",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2015-11-11T21:15:33Z"
            }
        },
        "invokedBy": "internal.amazonaws.com"
    },
    "eventTime": "2015-11-11T21:15:33Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "internal.amazonaws.com",
    "userAgent": "internal.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:alias/ExampleAliasForCloudTrailKMSKey",
        "encryptionContext": {
            "aws:cloudtrail:arn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/Default",
            "aws:s3:arn": "arn:aws:s3:::example-bucket-for-CT-logs/AWSLogs/111122223333/"
        },
        "keySpec": "AES_256"
    },
    "responseElements": null,
    "requestID": "581f1f11-88b9-11e5-9c9c-595a1fb59ac0",
    "eventID": "3cdb2457-c035-4890-93b6-181832b9e766",
    "readOnly": true,
    "resources": [
        {
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "accountId": "111122223333"
        }
    ],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "111122223333"
}

CloudTrail puts a log file into your S3 bucket

Each time CloudTrail puts a log file into your S3 bucket, Amazon S3 sends a GenerateDataKey request to AWS KMS on behalf of CloudTrail. In response, AWS KMS generates a unique data key and sends two copies of it to Amazon S3: one in plaintext and one encrypted under the specified KMS key. Amazon S3 uses the plaintext data key to encrypt the CloudTrail log file and removes the plaintext data key from memory as soon as possible after use. Amazon S3 stores the encrypted data key as metadata alongside the encrypted log file.

The GenerateDataKey request includes the following information in its encryption context (both pairs appear under requestParameters.encryptionContext in the log entry below):

- aws:cloudtrail:arn: the ARN of the trail
- aws:s3:arn: the ARN of the S3 object (bucket and full key) of the log file being written

Each GenerateDataKey request produces an entry in your CloudTrail log similar to the following example. When you see a log entry like this one, you can determine that CloudTrail (the userIdentity, here an assumed role) called the AWS KMS (eventSource) GenerateDataKey operation (eventName) for a specific trail (aws:cloudtrail:arn) to protect a specific log file (aws:s3:arn in the encryptionContext). AWS KMS created the data key under the specified KMS key, whose ARN appears twice in the same log entry: as keyId in requestParameters and as the ARN under resources.

{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROACKCEVSQ6C2EXAMPLE:i-34755b85",
        "arn": "arn:aws:sts::086441151436:assumed-role/AWSCloudTrail/i-34755b85",
        "accountId": "086441151436",
        "accessKeyId": "AKIAI44QH8DHBEXAMPLE",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2015-11-11T20:45:25Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROACKCEVSQ6C2EXAMPLE",
                "arn": "arn:aws:iam::086441151436:role/AWSCloudTrail",
                "accountId": "086441151436",
                "userName": "AWSCloudTrail"
            }
        },
        "invokedBy": "internal.amazonaws.com"
    },
    "eventTime": "2015-11-11T21:15:58Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "internal.amazonaws.com",
    "userAgent": "internal.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:cloudtrail:arn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/Default",
            "aws:s3:arn": "arn:aws:s3:::example-bucket-for-CT-logs/AWSLogs/111122223333/CloudTrail/us-west-2/2015/11/11/111122223333_CloudTrail_us-west-2_20151111T2115Z_7JREEBimdK8d2nC9.json.gz"
        },
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "keySpec": "AES_256"
    },
    "responseElements": null,
    "requestID": "66f3f74a-88b9-11e5-b7fb-63d925c72ffe",
    "eventID": "7738554f-92ab-4e27-83e3-03354b1aa898",
    "readOnly": true,
    "resources": [
        {
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "accountId": "111122223333"
        }
    ],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "111122223333"
}

You get an encrypted log file from your S3 bucket

Each time you get an encrypted CloudTrail log file from your S3 bucket, Amazon S3 sends a Decrypt request to AWS KMS on your behalf to decrypt the log file's encrypted data key. In response, AWS KMS uses your KMS key to decrypt the data key and sends the plaintext data key to Amazon S3. Amazon S3 uses the plaintext data key to decrypt the CloudTrail log file and removes the plaintext data key from memory as soon as possible after use.
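The put path described in the previous section and the get path described here are the two halves of one envelope-encryption exchange. The following is an added example, written for this page rather than code from CloudTrail, S3 or KMS, that plays both halves with a toy KMS and a toy S3: GenerateDataKey returns a plaintext data key plus the same key wrapped under the KMS key and bound to the encryption context; S3 encrypts the object with the plaintext key, discards it, and keeps the wrapped key as metadata; on read it asks KMS to Decrypt the wrapped key with the same context. ToyKms, ToyS3, the metadata names and the HMAC-based cipher are this example's own assumptions; real KMS uses AES-GCM with the context as additional authenticated data, which the stand-in reproduces only in effect: a Decrypt with a different context fails.

```python
import hashlib
import hmac
import json
import os

# Toy stand-ins for the KMS <-> S3 exchange (this example's own names and
# cipher, not the services' code). The "AEAD" is an HMAC-SHA256 counter-mode
# keystream with an encrypt-then-MAC tag that also covers the associated data;
# it replaces AES-GCM here only to make the encryption-context binding visible.
NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, b"\x01" + nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def mac_tag(key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    msg = b"\x02" + nonce + len(aad).to_bytes(4, "big") + aad + ct
    return hmac.new(key, msg, hashlib.sha256).digest()


def canonical_context(ctx: dict) -> bytes:
    # The context is an unordered set of string pairs; sort so key order is irrelevant.
    return json.dumps(ctx, sort_keys=True, separators=(",", ":")).encode()


def aead_seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + mac_tag(key, nonce, aad, ct)


def aead_open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac_tag(key, nonce, aad, ct)):
        raise ValueError("wrong key, wrong encryption context, or tampered data")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class ToyKms:
    """Holds the symmetric KMS key; only wrapped data keys ever leave it."""

    def __init__(self, key_arn: str):
        self.key_arn = key_arn
        self.key_material = os.urandom(32)  # never exported by the "service"

    def generate_data_key(self, encryption_context: dict):
        """Return (plaintext data key, the same key encrypted under the KMS key)."""
        plaintext_key = os.urandom(32)  # keySpec AES_256
        aad = canonical_context(encryption_context)
        return plaintext_key, aead_seal(self.key_material, plaintext_key, aad)

    def decrypt(self, wrapped: bytes, encryption_context: dict) -> bytes:
        """Unwrap; fails unless the caller supplies the context used at wrap time."""
        return aead_open(self.key_material, wrapped, canonical_context(encryption_context))


class ToyS3:
    """Keeps the ciphertext and the wrapped data key together as object metadata."""

    def __init__(self, kms: ToyKms):
        self.kms, self.objects = kms, {}

    def put_object(self, bucket: str, key: str, body: bytes, trail_arn: str) -> None:
        ctx = {"aws:cloudtrail:arn": trail_arn, "aws:s3:arn": f"arn:aws:s3:::{bucket}/{key}"}
        plaintext_key, wrapped = self.kms.generate_data_key(ctx)  # one GenerateDataKey
        ciphertext = aead_seal(plaintext_key, body, b"")
        del plaintext_key  # plaintext key is discarded as soon as the object is sealed
        # The two x-amz-* names below are this example's metadata names, not S3's.
        self.objects[(bucket, key)] = {"body": ciphertext, "x-amz-wrapped-key": wrapped,
                                       "x-amz-encryption-context": ctx}

    def get_object(self, bucket: str, key: str) -> bytes:
        obj = self.objects[(bucket, key)]
        plaintext_key = self.kms.decrypt(obj["x-amz-wrapped-key"],
                                         obj["x-amz-encryption-context"])  # one Decrypt
        return aead_open(plaintext_key, obj["body"], b"")


def demo() -> dict:
    kms = ToyKms("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")
    s3 = ToyS3(kms)
    bucket, trail = "example-bucket-for-CT-logs", "arn:aws:cloudtrail:us-west-2:111122223333:trail/Default"
    key = ("AWSLogs/111122223333/CloudTrail/us-west-2/2015/11/11/"
           "111122223333_CloudTrail_us-west-2_20151111T2115Z_7JREEBimdK8d2nC9.json.gz")
    body = b'{"Records": []}'  # constructed stand-in for a gzipped log file
    s3.put_object(bucket, key, body, trail)
    roundtrip = s3.get_object(bucket, key)
    # Re-labelling the wrapped key as belonging to another trail must fail Decrypt.
    wrapped = s3.objects[(bucket, key)]["x-amz-wrapped-key"]
    other = {"aws:cloudtrail:arn": trail.replace("Default", "Other"),
             "aws:s3:arn": f"arn:aws:s3:::{bucket}/{key}"}
    try:
        kms.decrypt(wrapped, other)
        rejected = False
    except ValueError:
        rejected = True
    return {"roundtrip_ok": roundtrip == body, "context_mismatch_rejected": rejected}
```

Running demo() performs exactly one GenerateDataKey and one Decrypt, matching the two log entries this page shows for a single delivered and then fetched log file. The context-mismatch branch is the property worth remembering: because the trail ARN and object ARN are authenticated into the wrapped key, a wrapped key lifted from one trail's object cannot be unwrapped by presenting it as another trail's, even by a caller who is allowed to use the KMS key.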

The Decrypt request includes the following information in its encryption context (both pairs appear under requestParameters.encryptionContext in the log entry below):

- aws:cloudtrail:arn: the ARN of the trail
- aws:s3:arn: the ARN of the S3 object (bucket and full key) of the log file being read

Each Decrypt request produces an entry in your CloudTrail log similar to the following example. When you see a log entry like this one, you can determine that an IAM user in your AWS account (the userIdentity) called the AWS KMS (eventSource) Decrypt operation (eventName) for a specific trail (aws:cloudtrail:arn) and a specific log file (aws:s3:arn in the encryptionContext). AWS KMS decrypted the data key under a specific KMS key (the ARN listed under resources). Unlike the two GenerateDataKey entries, this call is attributed to a human principal (invokedBy is signin.amazonaws.com rather than internal.amazonaws.com) and its eventType is AwsApiCall, which makes it the entry to look for when you want to know who is reading your audit logs.

{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::111122223333:user/cloudtrail-admin",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "cloudtrail-admin",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2015-11-11T20:48:04Z"
            }
        },
        "invokedBy": "signin.amazonaws.com"
    },
    "eventTime": "2015-11-11T21:20:52Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "internal.amazonaws.com",
    "userAgent": "internal.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:cloudtrail:arn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/Default",
            "aws:s3:arn": "arn:aws:s3:::example-bucket-for-CT-logs/AWSLogs/111122223333/CloudTrail/us-west-2/2015/11/11/111122223333_CloudTrail_us-west-2_20151111T2115Z_7JREEBimdK8d2nC9.json.gz"
        }
    },
    "responseElements": null,
    "requestID": "16a0590a-88ba-11e5-b406-436f15c3ac01",
    "eventID": "9525bee7-5145-42b0-bed5-ab7196a16daa",
    "readOnly": true,
    "resources": [
        {
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "accountId": "111122223333"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
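The three entries on this page are enough to write the verification the page says they support. The following is an added example, written for this page and not an AWS-provided tool, that reads a CloudTrail log, keeps only the KMS calls whose encryption context carries aws:cloudtrail:arn, tells the three cases apart (the configuration-time permission check, a log-file delivery, a log-file read) using nothing but fields visible in the entries above, and flags any Decrypt of a log file by a principal outside an allow-list. The sample records are constructed, trimmed copies of the three entries plus one unrelated KMS call; EXPECTED_READERS and the security-log-ingest role it names are assumptions.

```python
import json

CLOUDTRAIL_KEY = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
TRAIL = "arn:aws:cloudtrail:us-west-2:111122223333:trail/Default"
LOG_FILE = ("arn:aws:s3:::example-bucket-for-CT-logs/AWSLogs/111122223333/CloudTrail/us-west-2/"
            "2015/11/11/111122223333_CloudTrail_us-west-2_20151111T2115Z_7JREEBimdK8d2nC9.json.gz")
# Assumed allow-list of principals that are supposed to read delivered log files
# (a log-pipeline role, say); any other Decrypt of a log file is worth a look.
EXPECTED_READERS = {"arn:aws:iam::111122223333:role/security-log-ingest"}

# Constructed sample log: the three entries shown on this page, trimmed to the
# fields the check uses, plus one KMS call on another key for the filter to drop.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-11-11T21:15:33Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::086441151436:user/AWSCloudTrail",
                      "invokedBy": "internal.amazonaws.com"},
     "requestParameters": {"keySpec": "AES_256", "encryptionContext": {
         "aws:cloudtrail:arn": TRAIL,
         "aws:s3:arn": "arn:aws:s3:::example-bucket-for-CT-logs/AWSLogs/111122223333/"}},
     "resources": [{"ARN": CLOUDTRAIL_KEY, "accountId": "111122223333"}]},
    {"eventTime": "2015-11-11T21:15:58Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::086441151436:assumed-role/AWSCloudTrail/i-34755b85",
                      "invokedBy": "internal.amazonaws.com"},
     "requestParameters": {"keySpec": "AES_256", "encryptionContext": {
         "aws:cloudtrail:arn": TRAIL, "aws:s3:arn": LOG_FILE}},
     "resources": [{"ARN": CLOUDTRAIL_KEY, "accountId": "111122223333"}]},
    {"eventTime": "2015-11-11T21:20:52Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/cloudtrail-admin",
                      "invokedBy": "signin.amazonaws.com"},
     "requestParameters": {"encryptionContext": {"aws:cloudtrail:arn": TRAIL, "aws:s3:arn": LOG_FILE}},
     "resources": [{"ARN": CLOUDTRAIL_KEY, "accountId": "111122223333"}]},
    {"eventTime": "2015-11-11T21:30:00Z", "eventSource": "kms.amazonaws.com",  # unrelated call
     "eventName": "Encrypt", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/app-deployer"},
     "requestParameters": {"keyId": "alias/app-secrets"},  # no CloudTrail context at all
     "resources": [{"ARN": "arn:aws:kms:us-west-2:111122223333:key/0000aaaa-0000-aaaa-0000-aaaa0000aaaa",
                    "accountId": "111122223333"}]},
]})


def cloudtrail_kms_events(records):
    """Yield (record, encryptionContext) for KMS calls made for a trail's log files."""
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue
        ctx = (r.get("requestParameters") or {}).get("encryptionContext") or {}
        if "aws:cloudtrail:arn" in ctx:
            yield r, ctx


def classify(record, ctx):
    by_service = record.get("userIdentity", {}).get("invokedBy") == "internal.amazonaws.com"
    s3_arn = ctx.get("aws:s3:arn", "")
    if record["eventName"] == "GenerateDataKey" and by_service:
        # A bucket/path prefix (trailing "/") rather than an object is the permission
        # check CloudTrail sends when the trail is configured; an object is a delivery.
        return "trail-config-validation" if s3_arn.endswith("/") else "log-file-delivery"
    if record["eventName"] == "Decrypt":
        return "log-file-read"
    return "other"


def audit(log_json):
    """Count the CloudTrail-related KMS calls and flag unexpected keys or readers."""
    records = json.loads(log_json)["Records"]
    counts, findings = {}, []
    for record, ctx in cloudtrail_kms_events(records):
        kind = classify(record, ctx)
        counts[kind] = counts.get(kind, 0) + 1
        principal = record["userIdentity"]["arn"]
        keys_used = {res["ARN"] for res in record.get("resources", [])}
        if keys_used and CLOUDTRAIL_KEY not in keys_used:
            findings.append({"type": "unexpected-key", "principal": principal,
                             "keys": sorted(keys_used), "eventTime": record["eventTime"]})
        if kind == "log-file-read" and principal not in EXPECTED_READERS:
            findings.append({"type": "unexpected-log-reader", "principal": principal,
                             "trail": ctx["aws:cloudtrail:arn"], "log_file": ctx.get("aws:s3:arn"),
                             "eventTime": record["eventTime"]})
    return {"counts": counts, "findings": findings}
```

audit(SAMPLE_LOG) counts one entry of each kind and returns a single finding: the Decrypt by cloudtrail-admin, who is not in the allow-list. Note what the classifier keys on: the service-initiated calls carry invokedBy internal.amazonaws.com, the read carries a human principal, and the configuration-time probe is the only GenerateDataKey whose aws:s3:arn is a prefix rather than an object, all of which are visible in the three entries on this page.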