

This is a machine translation of the English version. If there is any ambiguity or inconsistency between the two, the English version prevails.

# Managing the AWS KMS key for Amazon ECS Fargate ephemeral storage
<a name="fargate-managing-kms-key"></a>

After you create or import the AWS KMS key that encrypts Fargate ephemeral storage, you manage it the same way as any other AWS KMS key.

**Automatically rotating AWS KMS keys**  
You can enable automatic key rotation, or you can rotate the key manually. Automatic key rotation rotates the key for you once a year by generating new cryptographic material for it. AWS KMS also keeps every previous version of the cryptographic material, so you can still decrypt any data that was encrypted under an earlier key version. AWS KMS does not delete any rotated material until you delete the key itself.

Automatic key rotation is optional and can be enabled or disabled at any time.

**Disabling or revoking AWS KMS keys**  
If you disable a customer managed key in AWS KMS, running tasks are not affected and continue to operate for the rest of their lifecycle. A new task that uses a disabled or revoked key fails because it cannot access the key. You should set up a CloudWatch alarm, or a similar check, to make sure that the disabled key is no longer needed to decrypt data that was encrypted with it.

**Deleting AWS KMS keys**  
Deleting a key should always be a last resort, and you should only do it when you are certain that the key is no longer needed. New tasks that try to use a deleted key fail because they cannot access it. AWS KMS recommends disabling a key rather than deleting it. If you really do need to delete a key, disable it first and set up a CloudWatch alarm to confirm that the key is no longer being used. When you delete a key, AWS KMS gives you a waiting period of at least seven days to change your mind.

**Auditing AWS KMS key access**  
You can use CloudTrail logs to audit access to the AWS KMS key. Look for the AWS KMS operations `CreateGrant`, `GenerateDataKeyWithoutPlaintext`, and `Decrypt`. In the CloudTrail record, these operations also show `aws:ecs:clusterAccount` and `aws:ecs:clusterName` as part of the `EncryptionContext`.

The following are example CloudTrail events for `GenerateDataKeyWithoutPlaintext`, `GenerateDataKeyWithoutPlaintext (DryRun)`, `CreateGrant`, `CreateGrant (DryRun)`, and `RetireGrant` (replace the red placeholder values, shown here wrapped in `{{ }}`, with your actual parameters).

------
#### [ GenerateDataKeyWithoutPlaintext ]

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "ec2-frontend-api.amazonaws.com"
    },
    "eventTime": "2024-04-23T18:08:13Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKeyWithoutPlaintext",
    "awsRegion": "{{us-west-2}}",
    "sourceIPAddress": "ec2-frontend-api.amazonaws.com",
    "userAgent": "ec2-frontend-api.amazonaws.com",
    "requestParameters": {
        "numberOfBytes": 64,
        "keyId": "arn:aws:kms:{{us-west-2}}:{{account-id}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}",
        "encryptionContext": {
            "aws:ecs:clusterAccount": "{{account-id}}",
            "aws:ebs:id": "{{vol-xxxxxxx}}",
            "aws:ecs:clusterName": "{{cluster-name}}"
        }
    },
    "responseElements": null,
    "requestID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE22222}}",
    "eventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE33333}}",
    "readOnly": true,
    "resources": [
        {
            "accountId": "AWS Internal",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:{{us-west-2}}:{{account-id}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "{{account-id}}",
    "sharedEventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa}}",
    "eventCategory": "Management"
}
```

------
#### [ GenerateDataKeyWithoutPlaintext (DryRun) ]

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "fargate.amazonaws.com"
    },
    "eventTime": "2024-04-23T18:08:11Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKeyWithoutPlaintext",
    "awsRegion": "{{us-west-2}}",
    "sourceIPAddress": "fargate.amazonaws.com",
    "userAgent": "fargate.amazonaws.com",
    "errorCode": "DryRunOperationException",
    "errorMessage": "The request would have succeeded, but the DryRun option is set.",
    "requestParameters": {
        "keyId": "arn:aws:kms:{{us-west-2}}:{{account-id}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}",
        "dryRun": true,
        "numberOfBytes": 64,
        "encryptionContext": {
            "aws:ecs:clusterAccount": "{{account-id}}",
            "aws:ecs:clusterName": "{{cluster-name}}"
        }
    },
    "responseElements": null,
    "requestID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE22222}}",
    "eventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE33333}}",
    "readOnly": true,
    "resources": [
        {
            "accountId": "AWS Internal",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:{{us-west-2}}:{{account-id}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "{{account-id}}",
    "sharedEventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa}}",
    "eventCategory": "Management"
}
```

------
#### [ CreateGrant ]

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "ec2-frontend-api.amazonaws.com"
    },
    "eventTime": "2024-04-23T18:08:13Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "{{us-west-2}}",
    "sourceIPAddress": "ec2-frontend-api.amazonaws.com",
    "userAgent": "ec2-frontend-api.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:{{us-west-2}}:{{account-id}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}",
        "granteePrincipal": "fargate.{{us-west-2}}.amazonaws.com",
        "operations": [
            "Decrypt"
        ],
        "constraints": {
            "encryptionContextSubset": {
                "aws:ecs:clusterAccount": "{{account-id}}",
                "aws:ebs:id": "vol-xxxx",
                "aws:ecs:clusterName": "{{cluster-name}}"
            }
        },
        "retiringPrincipal": "ec2.{{us-west-2}}.amazonaws.com"
    },
    "responseElements": {
        "grantId": "{{e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855}}",
        "keyId": "arn:aws:kms:{{us-west-2}}:{{account-id}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}"
    },
    "requestID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE22222}}",
    "eventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE33333}}",
    "readOnly": false,
    "resources": [
        {
            "accountId": "AWS Internal",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:{{us-west-2}}:{{account-id}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "{{account-id}}",
    "sharedEventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa}}",
    "eventCategory": "Management"
}
```

------
#### [ CreateGrant (DryRun) ]

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "fargate.amazonaws.com"
    },
    "eventTime": "2024-04-23T18:08:11Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "{{us-west-2}}",
    "sourceIPAddress": "fargate.amazonaws.com",
    "userAgent": "fargate.amazonaws.com",
    "errorCode": "DryRunOperationException",
    "errorMessage": "The request would have succeeded, but the DryRun option is set.",
    "requestParameters": {
        "keyId": "arn:aws:kms:{{us-west-2}}:{{account-id}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}",
        "granteePrincipal": "fargate.{{us-west-2}}.amazonaws.com",
        "dryRun": true,
        "operations": [
            "Decrypt"
        ],
        "constraints": {
            "encryptionContextSubset": {
                "aws:ecs:clusterAccount": "{{account-id}}",
                "aws:ecs:clusterName": "{{cluster-name}}"
            }
        }
    },
    "responseElements": null,
    "requestID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE22222}}",
    "eventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE33333}}",
    "readOnly": false,
    "resources": [
        {
            "accountId": "AWS Internal",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:{{us-west-2}}:{{account-id}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "{{account-id}}",
    "sharedEventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa}}",
    "eventCategory": "Management"
}
```

------
#### [ RetireGrant ]

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2024-04-20T18:37:38Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "RetireGrant",
    "awsRegion": "{{us-west-2}}",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": {
        "keyId": "arn:aws:kms:{{us-west-2}}:{{account-id}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}"
    },
    "additionalEventData": {
        "grantId": "{{e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855}}"
    },
    "requestID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE22222}}",
    "eventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLE33333}}",
    "readOnly": false,
    "resources": [
        {
            "accountId": "AWS Internal",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:{{us-west-2}}:{{account-id}}:key/{{a1b2c3d4-5678-90ab-cdef-EXAMPLE11111}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "{{account-id}}",
    "sharedEventID": "{{a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa}}",
    "eventCategory": "Management"
}
```

------
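Added example, not from this AWS documentation page: a small Python audit that applies the checks described under "Auditing AWS KMS key access" to CloudTrail records. It keeps only the KMS operations named above that touch the Fargate key, drops the DryRun pre-checks, and flags every real use of the key whose encryption context is missing or names a cluster you did not expect. The account ID, cluster names, volume ID and the abbreviated sample records are constructed from the events shown above.

```python
# KMS operations this page says to look for when auditing the key.
AUDITED_EVENTS = {"CreateGrant", "GenerateDataKeyWithoutPlaintext", "Decrypt"}

def ecs_encryption_context(record):
    """Return the aws:ecs:* entries of a record's encryption context ({} if none).
    GenerateDataKeyWithoutPlaintext and Decrypt carry it in requestParameters.encryptionContext;
    CreateGrant carries it in requestParameters.constraints.encryptionContextSubset."""
    params = record.get("requestParameters") or {}
    ctx = params.get("encryptionContext")
    if ctx is None:
        ctx = (params.get("constraints") or {}).get("encryptionContextSubset") or {}
    return {k: v for k, v in ctx.items() if k.startswith("aws:ecs:")}

def audit_key_usage(records, key_arn, expected_clusters):
    """Count real (non-DryRun) uses of key_arn per "account/cluster" (a missing context reads
    "None/None") and flag each use whose cluster is not in expected_clusters."""
    per_cluster, findings = {}, []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") not in AUDITED_EVENTS:
            continue
        if not any(r.get("ARN") == key_arn for r in rec.get("resources") or []):
            continue
        if rec.get("errorCode") == "DryRunOperationException":
            continue  # Fargate's permission pre-check: the key was not actually used
        ctx = ecs_encryption_context(rec)
        cluster = f"{ctx.get('aws:ecs:clusterAccount')}/{ctx.get('aws:ecs:clusterName')}"
        per_cluster[cluster] = per_cluster.get(cluster, 0) + 1
        if cluster not in expected_clusters:
            findings.append({"eventName": rec["eventName"], "eventTime": rec.get("eventTime"), "cluster": cluster,
                             "invokedBy": (rec.get("userIdentity") or {}).get("invokedBy")})
    return {"per_cluster": per_cluster, "findings": findings}

# Constructed sample records abbreviated from the events on this page; account ID, cluster names and volume ID are placeholders.
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
def sample(event_name, invoked_by, request_parameters, **extra):
    return {"eventSource": "kms.amazonaws.com", "eventName": event_name, "eventTime": "2024-04-23T18:08:13Z",
            "userIdentity": {"type": "AWSService", "invokedBy": invoked_by}, "resources": [{"ARN": KEY_ARN}],
            "requestParameters": request_parameters, **extra}
SAMPLE_RECORDS = [
    sample("GenerateDataKeyWithoutPlaintext", "ec2-frontend-api.amazonaws.com", {"encryptionContext": {
        "aws:ecs:clusterAccount": "111122223333", "aws:ebs:id": "vol-0example", "aws:ecs:clusterName": "prod"}}),
    sample("CreateGrant", "fargate.amazonaws.com", {"dryRun": True, "constraints": {"encryptionContextSubset": {
        "aws:ecs:clusterAccount": "111122223333", "aws:ecs:clusterName": "prod"}}}, errorCode="DryRunOperationException"),
    sample("Decrypt", "fargate.amazonaws.com", {"encryptionContext": {
        "aws:ecs:clusterAccount": "111122223333", "aws:ecs:clusterName": "staging"}}),
]

if __name__ == "__main__":  # a real run would pass the Records array of a CloudTrail log file instead
    print(audit_key_usage(SAMPLE_RECORDS, KEY_ARN, {"111122223333/prod"}))
```

Running it over the CloudTrail records for a key you have disabled, and alarming on a non-empty `findings` list, is one way to confirm that nothing still depends on the key before you delete it, as the sections above recommend.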