Encryption at rest in AWS Lambda
Lambda always provides encryption at rest for the following resources, using either AWS owned keys or AWS managed keys:
- Environment variables
- Files that you upload to Lambda, including deployment packages and layer archives
- Event source mapping filter criteria objects
You can optionally configure Lambda to use a customer managed key to encrypt your environment variables, .zip deployment packages, and filter criteria objects.
By default, Amazon CloudWatch Logs and AWS X-Ray also encrypt their data, and both can be configured to use a customer managed key. For details, see Encrypt log data in CloudWatch Logs and Data protection in AWS X-Ray.
Monitoring your encryption keys for Lambda
When you use an AWS KMS customer managed key with Lambda, you can use AWS CloudTrail to track the requests that Lambda sends to AWS KMS on your behalf. The following examples are CloudTrail events for the Decrypt, DescribeKey, and GenerateDataKey calls that Lambda makes to access data encrypted with your customer managed key.
- Decrypt

  If you use an AWS KMS customer managed key to encrypt a filter criteria object, Lambda sends a Decrypt request on your behalf when you try to access that object in plaintext (for example, through a ListEventSourceMappings call). Note the userIdentity.invokedBy and encryptionContext fields: they identify the call as made by the Lambda service for a specific function and event source. The following example event records a Decrypt operation:

  ```json
  {
    "eventVersion": "1.09",
    "userIdentity": {
      "type": "AssumedRole",
      "principalId": "AROA123456789EXAMPLE:example",
      "arn": "arn:aws:sts::123456789012:assumed-role/role-name/example",
      "accountId": "123456789012",
      "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
      "sessionContext": {
        "sessionIssuer": {
          "type": "Role",
          "principalId": "AROA123456789EXAMPLE",
          "arn": "arn:aws:iam::123456789012:role/role-name",
          "accountId": "123456789012",
          "userName": "role-name"
        },
        "attributes": {
          "creationDate": "2024-05-30T00:45:23Z",
          "mfaAuthenticated": "false"
        }
      },
      "invokedBy": "lambda.amazonaws.com"
    },
    "eventTime": "2024-05-30T01:05:46Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "lambda.amazonaws.com",
    "userAgent": "lambda.amazonaws.com",
    "requestParameters": {
      "keyId": "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "encryptionContext": {
        "aws-crypto-public-key": "ABCD+7876787678+CDEFGHIJKL/888666888999888555444111555222888333111==",
        "aws:lambda:EventSourceArn": "arn:aws:sqs:eu-west-1:123456789012:sample-source",
        "aws:lambda:FunctionArn": "arn:aws:lambda:eu-west-1:123456789012:function:sample-function"
      },
      "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
    "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
    "readOnly": true,
    "resources": [
      {
        "accountId": "AWS Internal",
        "type": "AWS::KMS::Key",
        "ARN": "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
      }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
  }
  ```
- DescribeKey

  If you use an AWS KMS customer managed key to encrypt a filter criteria object, Lambda sends a DescribeKey request on your behalf when you try to access that object (for example, through a GetEventSourceMapping call). The following example event records a DescribeKey operation:

  ```json
  {
    "eventVersion": "1.09",
    "userIdentity": {
      "type": "AssumedRole",
      "principalId": "AROA123456789EXAMPLE:example",
      "arn": "arn:aws:sts::123456789012:assumed-role/role-name/example",
      "accountId": "123456789012",
      "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
      "sessionContext": {
        "sessionIssuer": {
          "type": "Role",
          "principalId": "AROA123456789EXAMPLE",
          "arn": "arn:aws:iam::123456789012:role/role-name",
          "accountId": "123456789012",
          "userName": "role-name"
        },
        "attributes": {
          "creationDate": "2024-05-30T00:45:23Z",
          "mfaAuthenticated": "false"
        }
      }
    },
    "eventTime": "2024-05-30T01:09:40Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeKey",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "54.240.197.238",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
    "requestParameters": {
      "keyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    },
    "responseElements": null,
    "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
    "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
    "readOnly": true,
    "resources": [
      {
        "accountId": "AWS Internal",
        "type": "AWS::KMS::Key",
        "ARN": "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
      }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
      "tlsVersion": "TLSv1.3",
      "cipherSuite": "TLS_AES_256_GCM_SHA384",
      "clientProvidedHostHeader": "kms.eu-west-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
  }
  ```
- GenerateDataKey

  When you use an AWS KMS customer managed key to encrypt a filter criteria object in a CreateEventSourceMapping or UpdateEventSourceMapping call, Lambda sends a GenerateDataKey request on your behalf, asking AWS KMS to generate the data key that is used to encrypt the filter criteria (envelope encryption). The following example event records a GenerateDataKey operation:

  ```json
  {
    "eventVersion": "1.09",
    "userIdentity": {
      "type": "AssumedRole",
      "principalId": "AROA123456789EXAMPLE:example",
      "arn": "arn:aws:sts::123456789012:assumed-role/role-name/example",
      "accountId": "123456789012",
      "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
      "sessionContext": {
        "sessionIssuer": {
          "type": "Role",
          "principalId": "AROA123456789EXAMPLE",
          "arn": "arn:aws:iam::123456789012:role/role-name",
          "accountId": "123456789012",
          "userName": "role-name"
        },
        "attributes": {
          "creationDate": "2024-05-30T00:06:07Z",
          "mfaAuthenticated": "false"
        }
      },
      "invokedBy": "lambda.amazonaws.com"
    },
    "eventTime": "2024-05-30T01:04:18Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "lambda.amazonaws.com",
    "userAgent": "lambda.amazonaws.com",
    "requestParameters": {
      "numberOfBytes": 32,
      "keyId": "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "encryptionContext": {
        "aws-crypto-public-key": "ABCD+7876787678+CDEFGHIJKL/888666888999888555444111555222888333111==",
        "aws:lambda:EventSourceArn": "arn:aws:sqs:eu-west-1:123456789012:sample-source",
        "aws:lambda:FunctionArn": "arn:aws:lambda:eu-west-1:123456789012:function:sample-function"
      }
    },
    "responseElements": null,
    "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
    "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
    "readOnly": true,
    "resources": [
      {
        "accountId": "AWS Internal",
        "type": "AWS::KMS::Key",
        "ARN": "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
      }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management"
  }
  ```
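As an added example (not part of the AWS documentation), the following Python audits a batch of CloudTrail records for the KMS calls described above: it counts the calls that Lambda made on your behalf per function ARN and operation, recognised by the userIdentity.invokedBy field together with the aws:lambda:FunctionArn encryption context, and separates out calls on the same key that arrived by any other path so they can be reviewed. The sample records are constructed from the page's three events (reduced to the fields the audit needs) plus one invented direct Decrypt by an IAM user; the key ARN, function ARN and role session ARN are the page's sample values, and the bare key ID match mirrors the page's DescribeKey event, which logs only the key ID.

```python
from collections import Counter

# Values taken from the page's example events; replace the key ARN with your own key's.
LAMBDA_CMK_ARN = "arn:aws:kms:eu-west-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
FUNCTION_ARN = "arn:aws:lambda:eu-west-1:123456789012:function:sample-function"
LAMBDA_CONTEXT = {"aws:lambda:EventSourceArn": "arn:aws:sqs:eu-west-1:123456789012:sample-source",
                  "aws:lambda:FunctionArn": FUNCTION_ARN}
ROLE_SESSION = "arn:aws:sts::123456789012:assumed-role/role-name/example"

# Constructed sample: the page's three events reduced to the fields the audit needs,
# plus a fourth, constructed Decrypt made directly by an IAM user (no Lambda context).
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": ROLE_SESSION, "invokedBy": "lambda.amazonaws.com"},
     "requestParameters": {"keyId": LAMBDA_CMK_ARN, "encryptionContext": LAMBDA_CONTEXT}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"arn": ROLE_SESSION},  # no invokedBy: the caller reached KMS directly
     "requestParameters": {"keyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": ROLE_SESSION, "invokedBy": "lambda.amazonaws.com"},
     "requestParameters": {"numberOfBytes": 32, "keyId": LAMBDA_CMK_ARN,
                           "encryptionContext": LAMBDA_CONTEXT}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},  # constructed principal
     "requestParameters": {"keyId": LAMBDA_CMK_ARN, "encryptionContext": {}}},
]

def targets_lambda_key(params):
    """Match by full ARN or by bare key ID (the page's DescribeKey event logs only the ID)."""
    key_id = params.get("keyId", "")
    return key_id == LAMBDA_CMK_ARN or LAMBDA_CMK_ARN.endswith("/" + key_id)

def audit_lambda_key_usage(events):
    """Count calls Lambda made on your behalf per (function ARN, operation), and collect
    calls on the key that lack Lambda's service principal or its encryption context."""
    per_function = Counter()
    direct_calls = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        if ev.get("eventSource") != "kms.amazonaws.com" or not targets_lambda_key(params):
            continue
        ident = ev.get("userIdentity", {})
        ctx = params.get("encryptionContext") or {}
        if ident.get("invokedBy") == "lambda.amazonaws.com" and "aws:lambda:FunctionArn" in ctx:
            per_function[(ctx["aws:lambda:FunctionArn"], ev["eventName"])] += 1
        else:
            direct_calls.append((ev["eventName"], ident.get("arn")))
    return per_function, direct_calls
```

Records pulled from CloudTrail Lake or an S3 trail have the same field names, so the functions apply unchanged to real event lists.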