使用 Amazon SageMaker 地理空间功能的 AWS KMS 权限 - Amazon SageMaker
使用 Amazon SageMaker 地理空间托管密钥进行服务器端加密(默认)使用客户托管密KMS钥进行服务器端加密(可选) SageMaker 地理空间功能如何使用补助金 AWS KMS创建客户托管密钥监控您的加密密钥以获取 SageMaker 地理空间功能

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用 Amazon SageMaker 地理空间功能的 AWS KMS 权限

您可以使用 SageMaker 地理空间功能加密来保护静态数据。默认情况下,它使用服务器端加密和 Amazon SageMaker 地理空间拥有的密钥。 SageMaker 地理空间功能还支持使用客户托管KMS密钥进行服务器端加密的选项。

使用 Amazon SageMaker 地理空间托管密钥进行服务器端加密(默认)

SageMaker 地理空间功能可加密您的所有数据,包括地球观测任务 (EOJ) 和矢量丰富作业 () 的计算结果,以及您的所有服务元数据。VEJ SageMaker 地理空间功能中没有未加密存储的数据。它使用默认 AWS 拥有的密钥来加密您的所有数据。

使用客户托管密KMS钥进行服务器端加密(可选)

SageMaker 地理空间功能支持使用由您创建、拥有和管理的对称客户托管密钥,在现有 AWS 自有加密的基础上添加第二层加密。由于您可以完全控制这层加密,因此可以执行以下任务:

  • 制定和维护关键策略

  • 制定和维护IAM政策及补助金

  • 启用和禁用密钥策略

  • 轮换加密材料

  • 添加标签

  • 创建密钥别名

  • 安排密钥删除

有关更多信息,请参阅《AWS Key Management Service 开发人员指南》中的客户托管密钥

SageMaker 地理空间功能如何使用补助金 AWS KMS

SageMaker 地理空间功能需要获得授权才能使用您的客户托管密钥。当您创建EOJ或使用客户托管密钥VEJ加密时, SageMaker 地理空间功能会通过向发送CreateGrant请求来 AWS KMS代表您创建授权。中的授权 AWS KMS 用于授予 SageMaker 地理空间功能访问客户账户中KMS密钥的权限。您可以随时撤销授予访问权限,或删除服务对客户托管密钥的访问权限。否则, SageMaker 地理空间功能将无法访问由客户托管密钥加密的任何数据,这会影响依赖该数据的操作。

创建客户托管密钥

您可以使用管理控制台创建对称客户托管密钥,或者。 AWS AWS KMS APIs

创建对称的客户托管密钥

按照《 AWS Key Management Service 开发人员指南》中创建对称加密KMS密钥的步骤进行操作。

密钥策略

密钥策略控制对客户托管密钥的访问。每个客户托管式密钥必须只有一个密钥政策,其中包含确定谁可以使用密钥以及如何使用密钥的声明。创建客户托管式密钥时,可以指定密钥政策。有关更多信息,请参阅《AWS Key Management Service 开发人员指南》中的确定 AWS KMS 密钥访问权限

要将客户托管密钥与 SageMaker 地理空间功能资源一起使用,密钥策略中必须允许以下API操作。这些操作的主体应是您在 SageMaker 地理空间功能请求中提供的执行角色。 SageMaker 地理空间功能承担请求中提供的执行角色来执行这些KMS操作。

  • kms:CreateGrant

  • kms:GenerateDataKey

  • kms:Decrypt

  • kms:GenerateDataKeyWithoutPlaintext

以下是您可以为 SageMaker 地理空间功能添加的策略声明示例:

CreateGrant

"Statement" : [ 
    {
      "Sid" : "Allow access to Amazon SageMaker geospatial capabilities",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "<Customer provided Execution Role ARN>"
      },
      "Action" : [ 
          "kms:CreateGrant",
           "kms:Decrypt",
           "kms:GenerateDataKey",
           "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource" : "*",
    },
 ]

有关在策略中指定权限的更多信息,请参阅《AWS Key Management Service 开发人员指南》中的 AWS KMS 权限。有关问题排查的更多信息,请参阅《AWS Key Management Service 开发人员指南》中的密钥访问问题排查

如果您的密钥策略没有您的账户 root 作为密钥管理员,则需要为执行角色添加相同的KMS权限ARN。以下是您可以添加到执行角色的示例策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:CreateGrant",
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext"
            ],
            "Resource": [
              "<KMS key Arn>"
            ],
            "Effect": "Allow"
        }
    ]
}

监控您的加密密钥以获取 SageMaker 地理空间功能

当您将 AWS KMS 客户托管密钥与您的 SageMaker 地理空间功能资源结合使用时,您可以使用 AWS CloudTrail 或 Amazon CloudWatch Logs 来跟踪 SageMaker 地理空间发送到的请求。 AWS KMS

选择下表中的一个选项卡,查看用于监控 SageMaker 地理空间功能为访问由客户托管密钥加密的数据而调用的KMS操作 AWS CloudTrail 的事件示例。

CreateGrant
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:SageMaker-Geospatial-StartEOJ-KMSAccess",
        "arn": "arn:aws:sts::111122223333:assumed-role/SageMakerGeospatialCustomerRole/SageMaker-Geospatial-StartEOJ-KMSAccess",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AKIAIOSFODNN7EXAMPLE3",
                "arn": "arn:aws:sts::111122223333:assumed-role/SageMakerGeospatialCustomerRole",
                "accountId": "111122223333",
                "userName": "SageMakerGeospatialCustomerRole"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-03-17T18:02:06Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "arn:aws:iam::111122223333:root"
    },
    "eventTime": "2023-03-17T18:02:06Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "ExampleDesktop/1.0 (V1; OS)",
    "requestParameters": {
        "retiringPrincipal": "sagemaker-geospatial.us-west-2.amazonaws.com",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
        "operations": [
            "Decrypt"
        ],
        "granteePrincipal": "sagemaker-geospatial.us-west-2.amazonaws.com"
    },
    "responseElements": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
GenerateDataKey
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "sagemaker-geospatial.amazonaws.com"
    },
    "eventTime": "2023-03-24T00:29:45Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "sagemaker-geospatial.amazonaws.com",
    "userAgent": "sagemaker-geospatial.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:s3:arn": "arn:aws:s3:::axis-earth-observation-job-378778860802/111122223333/napy9eintp64/output/consolidated/32PPR/2022-01-04T09:58:03Z/S2B_32PPR_20220104_0_L2A_msavi.tif"
        },
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
        "keySpec": "AES_256"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
Decrypt
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "sagemaker-geospatial.amazonaws.com"
    },
    "eventTime": "2023-03-28T22:04:24Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "sagemaker-geospatial.amazonaws.com",
    "userAgent": "sagemaker-geospatial.amazonaws.com",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "encryptionContext": {
            "aws:s3:arn": "arn:aws:s3:::axis-earth-observation-job-378778860802/111122223333/napy9eintp64/output/consolidated/32PPR/2022-01-04T09:58:03Z/S2B_32PPR_20220104_0_L2A_msavi.tif"
        },
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
GenerateDataKeyWithoutPlainText
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:SageMaker-Geospatial-StartEOJ-KMSAccess",
        "arn": "arn:aws:sts::111122223333:assumed-role/SageMakerGeospatialCustomerRole/SageMaker-Geospatial-StartEOJ-KMSAccess",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AKIAIOSFODNN7EXAMPLE3",
                "arn": "arn:aws:sts::111122223333:assumed-role/SageMakerGeospatialCustomerRole",
                "accountId": "111122223333",
                "userName": "SageMakerGeospatialCustomerRole"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-03-17T18:02:06Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "arn:aws:iam::111122223333:root"
    },
    "eventTime": "2023-03-28T22:09:16Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKeyWithoutPlaintext",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "ExampleDesktop/1.0 (V1; OS)",
    "requestParameters": {
        "keySpec": "AES_256",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}