

This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version takes precedence.

# Data encryption
<a name="data-encryption"></a>

With AWS HealthImaging, you can add a layer of security to your data at rest in the cloud, with scalable and efficient encryption features. These include:
+ Data-at-rest encryption capabilities available in most AWS services
+ Flexible key management options, including AWS Key Management Service. You can choose whether to have AWS manage the encryption keys or to keep complete control over your own keys.
+ AWS owned AWS KMS encryption keys
+ Encrypted message queues for transmitting sensitive data, using server-side encryption (SSE) for Amazon SQS

In addition, AWS provides APIs for you to integrate encryption and data protection with any of the services you develop or deploy in an AWS environment.

## Creating a customer managed key
<a name="creating-co-cmk"></a>

You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS APIs. For more information, see [Creating symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*.

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. You can specify the key policy when you create the customer managed key. For more information, see [Managing access to customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#managing-access) in the *AWS Key Management Service Developer Guide*.

To use a customer managed key with your HealthImaging resources, the [kms:CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) operation must be permitted in the key policy. This adds a grant to the customer managed key that controls access to the specified KMS key, giving the user access to the [grant operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) that HealthImaging requires. For more information, see [Grants in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in the *AWS Key Management Service Developer Guide*.

To use a customer managed KMS key with your HealthImaging resources, the following API operations must be permitted in the key policy:
+ `kms:DescribeKey` provides the customer managed key details needed to validate the key. This is required for all operations.
+ `kms:GenerateDataKey` provides access to encrypt resources at rest for all write operations.
+ `kms:Decrypt` provides access to read or search operations on encrypted resources.
+ `kms:ReEncrypt*` provides access to re-encrypt resources.

The following is an example policy statement that allows a user to create data stores in HealthImaging and interact with them, where the data store is encrypted by that key:

```
{
    "Sid": "Allow access to create data stores and perform CRUD and search in HealthImaging",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "medical-imaging.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:EncryptionContext:kms-arn": "arn:aws:kms:us-east-1:123456789012:key/bec71d48-3462-4cdd-9514-77a7226e001f",
            "kms:EncryptionContext:aws:medical-imaging:datastoreId": "datastoreId"
        }
    }
}
```
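As an added example (not code from the page or from the HealthImaging documentation), the following Python check reads a KMS key policy and reports whether the statements that allow the HealthImaging service principal cover the actions listed above, and whether each such statement is scoped by the data-store encryption-context condition used in the example statement; it also flags a `kms:*` wildcard granted to the service principal. The two sample policies are constructed for the check.

```python
import fnmatch
import json

# Key-policy actions the page lists for HealthImaging (kms:ReEncrypt* expanded).
REQUIRED_ACTIONS = {"kms:CreateGrant", "kms:DescribeKey", "kms:GenerateDataKey",
                    "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo"}
SERVICE = "medical-imaging.amazonaws.com"
# Condition key from the page's example; it ties the key's use to one data store.
SCOPE_KEY = "kms:EncryptionContext:aws:medical-imaging:datastoreId"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows_service(stmt):
    principal = stmt.get("Principal", {})
    services = ["*"] if principal == "*" else _as_list(principal.get("Service", []))
    return stmt.get("Effect") == "Allow" and (SERVICE in services or "*" in services)


def check_key_policy(policy_json):
    """Return findings (empty list means OK) for statements that allow HealthImaging."""
    stmts = [s for s in json.loads(policy_json)["Statement"] if _allows_service(s)]
    if not stmts:
        return ["no Allow statement for " + SERVICE]
    findings, granted = [], [a for s in stmts for a in _as_list(s["Action"])]
    for action in sorted(REQUIRED_ACTIONS):  # patterns such as kms:ReEncrypt* count
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in granted):
            findings.append("missing required action " + action)
    for s in stmts:
        sid = s.get("Sid", "<no Sid>")
        if any(pattern in ("kms:*", "*") for pattern in _as_list(s["Action"])):
            findings.append(f"{sid}: grants wildcard kms:* to the service principal")
        cond_keys = {k for op in s.get("Condition", {}).values() for k in op}
        if SCOPE_KEY not in cond_keys:
            findings.append(f"{sid}: not scoped by {SCOPE_KEY}")
    return findings


# Constructed sample policies (not from the page): one scoped, one over-broad.
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "HealthImagingScoped", "Effect": "Allow", "Principal": {"Service": SERVICE},
    "Action": ["kms:CreateGrant", "kms:DescribeKey", "kms:GenerateDataKey",
               "kms:Decrypt", "kms:ReEncrypt*"], "Resource": "*",
    "Condition": {"StringEquals": {SCOPE_KEY: "EXAMPLE_DATASTORE_ID"}}}]})
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "HealthImagingBroad", "Effect": "Allow",
    "Principal": {"Service": SERVICE}, "Action": "kms:*", "Resource": "*"}]})
```

Run `check_key_policy(SCOPED)` for an empty finding list and `check_key_policy(BROAD)` to see the wildcard and missing-scope findings.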

## IAM permissions required to use a customer managed KMS key
<a name="required-iam-cmk"></a>

When you create a data store with AWS KMS encryption enabled using a customer managed KMS key, the user or role that creates the HealthImaging data store needs permissions in both the key policy and an IAM policy.

For more information about key policies, see [Enabling IAM policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) in the *AWS Key Management Service Developer Guide*.

The IAM user, IAM role, or AWS account that creates the repository must have the permissions in the following policy, in addition to the permissions required by AWS HealthImaging.


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:GenerateDataKey",
        "kms:RetireGrant",
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/bec71d48-3462-4cdd-9514-77a7226e001f"
    }
  ]
}
```


### How HealthImaging uses grants in AWS KMS
<a name="grants-kms"></a>

HealthImaging requires a [grant](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to use your customer managed KMS key. When you create a data store encrypted with a customer managed KMS key, HealthImaging creates a grant on your behalf by sending a [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS. Grants in AWS KMS are used to give HealthImaging access to a KMS key in a customer account.

The grants that HealthImaging creates on your behalf should not be revoked or retired. If you revoke or retire the grant that gives HealthImaging permission to use the AWS KMS keys in your account, HealthImaging cannot access this data, encrypt new image resources pushed to the data store, or decrypt those resources when they are retrieved. When you revoke or retire a grant for HealthImaging, the change takes effect immediately. To revoke access, delete the data store rather than revoking the grant. When a data store is deleted, HealthImaging retires the grants on your behalf.

### Monitoring your encryption keys for HealthImaging
<a name="monitoring-kms"></a>

You can use CloudTrail to track the requests that HealthImaging sends to AWS KMS on your behalf when using a customer managed KMS key. The log entries in the CloudTrail log show `medical-imaging.amazonaws.com` in the `userAgent` field, which clearly distinguishes requests made by HealthImaging.

The following examples are CloudTrail events for `CreateGrant`, `Decrypt`, `GenerateDataKey`, and `DescribeKey`, which let you monitor the AWS KMS operations HealthImaging calls to access data encrypted by your customer managed key.

The following shows how `CreateGrant` is used to allow HealthImaging to access a customer-provided KMS key, so that HealthImaging can use that KMS key to encrypt all customer data at rest.

Users do not need to create their own grants. HealthImaging creates a grant on your behalf by sending a `CreateGrant` request to AWS KMS. Grants in AWS KMS are used to give HealthImaging access to an AWS KMS key in a customer account.

```
[
    {
        "KeyId": "arn:aws:kms:us-east-1:147997158357:key/8e1c34df-5fd2-49fa-8986-4618c9829a8c",
        "GrantId": "44e88bc45b769499ce5ec4abd5ecb27eeb3b178a4782452aae65fe885ee5ba20",
        "Name": "MedicalImagingGrantForQIDO_ebff634a-2d16-4046-9238-e3dc4ab54d29",
        "CreationDate": "2025-04-17T20:12:49+00:00",
        "GranteePrincipal": "AWS Internal",
        "RetiringPrincipal": "medical-imaging.us-east-1.amazonaws.com",
        "IssuingAccount": "medical-imaging.us-east-1.amazonaws.com",
        "Operations": [
            "Decrypt",
            "Encrypt",
            "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext",
            "ReEncryptFrom",
            "ReEncryptTo",
            "CreateGrant",
            "RetireGrant",
            "DescribeKey"
        ]
    },
    {
        "KeyId": "arn:aws:kms:us-east-1:147997158357:key/8e1c34df-5fd2-49fa-8986-4618c9829a8c",
        "GrantId": "9e5fd5ba7812daf75be4a86efb2b1920d6c0c9c0b19781549556bf2ff98953a1",
        "Name": "2025-04-17T20:12:38",
        "CreationDate": "2025-04-17T20:12:38+00:00",
        "GranteePrincipal": "medical-imaging.us-east-1.amazonaws.com",
        "RetiringPrincipal": "medical-imaging.us-east-1.amazonaws.com",
        "IssuingAccount": "AWS Internal",
        "Operations": [
            "Decrypt",
            "Encrypt",
            "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext",
            "ReEncryptFrom",
            "ReEncryptTo",
            "CreateGrant",
            "RetireGrant",
            "DescribeKey"
        ]
    },
    {
        "KeyId": "arn:aws:kms:us-east-1:147997158357:key/8e1c34df-5fd2-49fa-8986-4618c9829a8c",
        "GrantId": "ab4a9b919f6ca8eb2bd08ee72475658ee76cfc639f721c9caaa3a148941bcd16",
        "Name": "9d060e5b5d4144a895e9b24901088ca5",
        "CreationDate": "2025-04-17T20:12:39+00:00",
        "GranteePrincipal": "AWS Internal",
        "RetiringPrincipal": "medical-imaging.us-east-1.amazonaws.com",
        "IssuingAccount": "medical-imaging.us-east-1.amazonaws.com",
        "Operations": [
            "Decrypt",
            "Encrypt",
            "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext",
            "ReEncryptFrom",
            "ReEncryptTo",
            "DescribeKey"
        ],
        "Constraints": {
            "EncryptionContextSubset": {
                "kms-arn": "arn:aws:kms:us-east-1:147997158357:key/8e1c34df-5fd2-49fa-8986-4618c9829a8c"
            }
        }
    }
]
```

The following example shows how `GenerateDataKey` is used to ensure that the user has the permissions needed to encrypt data before storing it.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "EXAMPLEUSER",
        "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLEKEYID",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "EXAMPLEROLE",
                "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
                "accountId": "111122223333",
                "userName": "Sampleuser01"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2021-06-30T21:17:06Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "medical-imaging.amazonaws.com"
    },
    "eventTime": "2021-06-30T21:17:37Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "medical-imaging.amazonaws.com",
    "userAgent": "medical-imaging.amazonaws.com",
    "requestParameters": {
        "keySpec": "AES_256",
        "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    },
    "responseElements": null,
    "requestID": "EXAMPLE_ID_01",
    "eventID": "EXAMPLE_ID_02",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

The following example shows how HealthImaging calls the `Decrypt` operation to access encrypted data using the stored encrypted data key.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "EXAMPLEUSER",
        "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLEKEYID",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "EXAMPLEROLE",
                "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
                "accountId": "111122223333",
                "userName": "Sampleuser01"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2021-06-30T21:17:06Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "medical-imaging.amazonaws.com"
    },
    "eventTime": "2021-06-30T21:21:59Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "medical-imaging.amazonaws.com",
    "userAgent": "medical-imaging.amazonaws.com",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    },
    "responseElements": null,
    "requestID": "EXAMPLE_ID_01",
    "eventID": "EXAMPLE_ID_02",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

The following example shows how HealthImaging uses the `DescribeKey` operation to verify that the customer-owned AWS KMS key is in a usable state, and to help troubleshoot when it is not working for the user.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "EXAMPLEUSER",
        "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLEKEYID",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "EXAMPLEROLE",
                "arn": "arn:aws:iam::111122223333:role/Sampleuser01",
                "accountId": "111122223333",
                "userName": "Sampleuser01"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2021-07-01T18:36:14Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "medical-imaging.amazonaws.com"
    },
    "eventTime": "2021-07-01T18:36:36Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "medical-imaging.amazonaws.com",
    "userAgent": "medical-imaging.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
    },
    "responseElements": null,
    "requestID": "EXAMPLE_ID_01",
    "eventID": "EXAMPLE_ID_02",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```
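As an added example (not code from the page or from HealthImaging), the following Python triage function runs over CloudTrail records shaped like the events above. It flags `RevokeGrant` or `RetireGrant` on the data store's key by anything other than HealthImaging (the grants section explains that these grants should not be revoked or retired, and that HealthImaging itself retires them only when a data store is deleted), KMS calls attributed to HealthImaging that are outside the operations shown on this page, and failed calls. The sample records are constructed and trimmed to the fields the function uses.

```python
HEALTHIMAGING = "medical-imaging.amazonaws.com"
# Calls the page shows HealthImaging making to AWS KMS on your behalf.
EXPECTED_SERVICE_CALLS = {"CreateGrant", "GenerateDataKey", "Decrypt", "DescribeKey"}
# Removing the grant cuts HealthImaging off from the data store; HealthImaging
# itself retires grants only when a data store is deleted.
GRANT_REMOVAL = {"RevokeGrant", "RetireGrant"}

def from_healthimaging(event):
    """True when CloudTrail attributes the call to HealthImaging (userAgent/invokedBy)."""
    return (event.get("userAgent") == HEALTHIMAGING
            or event.get("userIdentity", {}).get("invokedBy") == HEALTHIMAGING)

def triage_kms_events(records, watched_key_arn):
    """Return alert strings for KMS events that touch the data store's key."""
    alerts = []
    for ev in records:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        key_arns = {r.get("ARN") for r in ev.get("resources", [])}
        key_arns.add(ev.get("requestParameters", {}).get("keyId"))
        if watched_key_arn not in key_arns:
            continue
        name, who = ev["eventName"], ev.get("userIdentity", {}).get("arn", "?")
        if name in GRANT_REMOVAL and not from_healthimaging(ev):
            alerts.append(f"HIGH: {name} by {who} may break HealthImaging access to the key")
        elif from_healthimaging(ev) and name not in EXPECTED_SERVICE_CALLS:
            alerts.append(f"MEDIUM: unexpected {name} attributed to HealthImaging")
        elif ev.get("errorCode"):
            alerts.append(f"MEDIUM: {name} failed with {ev['errorCode']} for {who}")
    return alerts

KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE_KEY_ARN"
SAMPLE_RECORDS = [  # constructed, trimmed CloudTrail records (not from the page)
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userAgent": HEALTHIMAGING, "userIdentity": {"invokedBy": HEALTHIMAGING,
     "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01"},
     "requestParameters": {"keyId": KEY}, "resources": [{"ARN": KEY}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "RevokeGrant",
     "userAgent": "aws-cli/2.15.0", "requestParameters": {"keyId": KEY},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/EXAMPLE_ADMIN"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "errorCode": "AccessDenied",
     "userAgent": HEALTHIMAGING, "userIdentity": {"invokedBy": HEALTHIMAGING,
     "arn": "arn:aws:sts::111122223333:assumed-role/Sampleuser01"},
     "requestParameters": {"keyId": KEY}, "resources": [{"ARN": KEY}]},
]

if __name__ == "__main__":
    for alert in triage_kms_events(SAMPLE_RECORDS, KEY):
        print(alert)
```

The third sample record shows the symptom that follows a revoked grant: a `Decrypt` attributed to HealthImaging failing with `AccessDenied`.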

### Learn more
<a name="more-info-kms"></a>

The following resources in the *AWS Key Management Service Developer Guide* provide more information about encryption of data at rest.
+ [AWS KMS concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)
+ [Security best practices for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html)