AWS Key Management Service - Developer Guide

KMS, key management service, encryption key management, Encryption Key, envelope encryption

Amazon Web Services



1 Jan 2025 — ... Create an encrypted Amazon EBS volume using CloudFormation ... user/Alice", "accessKeyId": "EXAMPLE KEY ID", "accountId": "111122223333 ...


kms-dg
AWS Key Management Service


AWS Key Management Service: Developer Guide
Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

AWS Key Management Service 
Table of Contents
AWS Key Management Service ............................................................ 1
Aliases ................................................................................. 11
Grant ................................................................................... 20
AWS CloudTrail .......................................................................... 79
Authentication .......................................................................... 81
ABAC for AWS KMS ....................................................................... 114
Identity and access management ......................................................... 226
Concepts ............................................................................... 249
Replicate .............................................................................. 250
AWS CloudTrail ......................................................................... 296
AWS Management Console ................................................................. 396
AWS CLI ................................................................................ 396
AWS SDK for Java ....................................................................... 397
AWS Management Console ................................................................. 398
AWS CLI ................................................................................ 398
Amazon CloudWatch ...................................................................... 399
AWS CloudHSM ........................................................................... 424
kmsuser Crypto User .................................................................... 424
AWS CloudTrail ......................................................................... 475
Amazon DynamoDB ........................................................................ 480
Amazon Elastic Block Store (Amazon EBS) ................................................ 490
Creating an encrypted Amazon EBS volume using AWS CloudFormation ....................... 493
Amazon Elastic Transcoder .............................................................. 493
Amazon EMR ............................................................................. 497
AWS Nitro .............................................................................. 501
    Recipient .......................................................................... 501
    RecipientInfo ...................................................................... 501
    CiphertextForRecipient ............................................................. 502
Amazon Redshift ........................................................................ 503
Amazon Relational Database Service (Amazon RDS) ........................................ 504
AWS Secrets Manager .................................................................... 505
Amazon Simple Email Service (Amazon SES) ............................................... 506
Amazon Simple Storage Service (Amazon S3) .............................................. 508
AWS Systems Manager  .................................................................................. 510  Secure String  ................................................................................. 511  Secure String  ................................................................. 513  ........................................... 516  ............................................................................. 517  CMK  ............................................... 519
Amazon WorkMail ................................................................................................................... 519 Amazon  ............................................................................................ 520 Amazon  ......................................................................................... 520 CMK  .......................................................................................................... 523 Amazon WorkMail  ............................................................................... 524 Amazon WorkMail AWS KMS ......................................................................... 525
WorkSpaces ........................................................................................................................... 526  WorkSpaces AWS KMS ................................................................ 527 WorkSpaces  ...................................................................................... 528  CMK  WorkSpaces  ................ 528
Quotas ........................................................................................................................................... 530  .................................................................................................................... 530  (CMK): 10,000 ............................................................................. 531 CMK : 50 ........................................................................................... 531 CMK : 50,000 ............................................................................................... 531 : 32 KB ......................................................................... 531  .............................................................................................................. 532 AWS KMSAPI  .................................................. 532  ................................................................................................ 536  ................................................................................ 536  API  ................................................................... 537  ............................................................................................. 537  ......................................................................................... 537 ThrottlingAWS KMS .................................................................................................. 538 AWS KMS  ........................................................................ 538  ................................................................................... 539 Service Quotas API  ............................................................................................... 539
 ............................................................................................................................ 541  ............................................................................................................................. 541  ............................................................................................................................. 542
................................................................................................................................................... dxlvi
ix

AWS Key Management Service 
AWS Key Management Service 
AWS Key Management Service(AWS KMS)  (CMK) AWS KMSCMK   (HSM) FIPS 140-2  
AWS KMS   AWS AWS KMS AWS CloudTrail  CMK  
 AWS KMS  (CMK) 
·  (p. 21), (p. 48),  (p. 28)  CMK  CMK  (p. 231) · CMK  (p. 85),IAM  (p. 104), 
 (p. 199)AWS KMS  (p. 114)(ABAC)  (p. 157) ·  (p. 62)CMK   (p. 77)CMK  · CMK  (p. 49)   (p. 56)CMK  · CMK  (p. 58) · CMK  (p. 283) · CMK  (p. 393)
CMK  (p. 12)AWS KMS API   (p. 338)
·  CMK  CMK  ·  CMK  ·  · 
AWS KMS 
· CMK  (p. 405) ·  CMK  (p. 421)AWS
CloudHSM · ConnectAWS KMSVPC  (p. 462) ·  TLS (p. 470)  AWS KMS 

AWS KMS  AWS KMS  AWS  AWS AWS  AWS KMS  
AWS KMSAWS CloudTrail Amazon S3  CloudTrail CMK  
AWS   AWS KMS
- AWS  AWS KMSAWS Key Management ServiceAWS KMS AWS  thatAWS KMS 
AWS KMS 
 AWS AWS KMS AWS KMS  AWS Key Management Service 
 (SLA)
AWS Key Management Service 

· AWS KMS AWS KMS  (p. 2) · AWS KMSAPI AWS Key Management ServiceAPI 
 AWS KMS API   (p. 338) · AWS KMSCMK  AWS Key Management ServiceAWS KMS  · AWS KMSAWS Key Management Service 
AWS KMS ()AWSSDK
· AWS Command Line Interface · AWS SDK for .NET · AWS SDK for C++ · AWS SDK for Go · AWS SDK for Java · AWS SDK for JavaScript · AWS SDK for PHP · AWS SDK for Python (Boto3) · AWS SDK for Ruby
AWS Key Management Service 
AWS Key Management Service (AWS KMS)  
 ·  (CMK) (p. 3) ·  (p. 5) ·  (p. 7) · Aliases (p. 11) ·  (p. 12) ·  (p. 12)

·  (KeyId) (p. 13) ·  (p. 15) ·  (p. 15) ·  (p. 16) ·  (p. 16) ·  (p. 17) ·  (p. 17) ·  (p. 20) · Grant (p. 20) · CMK  (p. 20) ·  (p. 20)

 (CMK)
A(CMK) AWS KMSCMK  AWS KMS CMK  CMK 
 CMK  CMK AWS KMS  CMK AWS Management ConsoleAWS KMSAPI  (p. 12) CMK AWS KMS API   (p. 5)AWS KMS AWS KMS  
AWS KMS  CMK   CMK   (p. 393)  (p. 405)CMK  CMK AWS CloudHSM AWS KMS (p. 421)
AWS KMSCMK (p. 244) AWS   AWS  
CMK CMK  ID 
CMK  (p. 21)CMK  AWS Key Management ServiceAPI 
AWS KMS  CMKAWS  CMKAWS  CMK  3  CMK 

CMK 

CMK  CMK   

  AWS   (p. 283) 

  CMK (p. 4)





 365  (1 ) 

AWS  CMK (p. 4)







1095  (3 ) 

AWS  CMK (p. 5)









 CMK AWS CMK KeyManager DescribeKey CMK KeyManager  Customer AWS  CMK KeyManager  AWS 
AWS KMS  AWS  (p. 475)CMK  AWS  AWS  CMK  AWS  CMK   AWS  CMK  AWS AWS  CMK AWS  CMK  CMK   CMK AWS   
 CMK
 CMKCMK AWS   CMK  IAM  (p. 81),  (p. 58)    (p. 283),  (p. 49), CMK   (p. 351)  CMK  (p. 393)
 CMK AWS Management Console for AWS KMS  CMK DescribeKey   CMK DescribeKey  KeyManager  CUSTOMER 
 CMK AWS CloudTrail   AWS KMS  AWS  (p. 475)  CMK 
 CMK   AWS KMS  (p. 530) AWS Key Management Service  Quotas (p. 530) 
AWS  CMK
AWS CMK CMK  AWSAWS KMSAWSAWS CMK AWSCMK  CMK 
AWS CMK (p. 28)  (p. 97),  (p. 296)AWS CloudTrail CMK  AWS  CMK  
AWS CMK AWS AWS Management Console for AWS KMS  AWS  CMK  aws/service-name aws/redshift AWS  CMK DescribeKey  AWS  CMK DescribeKey  KeyManager   AWS 
AWS  CMK   AWS  AWS   CMK  CMK   CMK  CMK  AWS Key Management Service   Quotas (p. 530) 
AWS  CMK
AWS CMK CMK AWS  AWS  AWS CMK  AWS  AWS AWS CMK  AWS CMK  AWS  CMK CMK  AWS KMS  (p. 530) - (p. 283)AWS CMK AWSCMK  CMK AWS (AWS CMK  

  AWS KMS  (p. 3)(CMK)  AWS KMS  AWS KMS  

GenerateDataKey.AWS KMS CMK   CMK 
AWS KMS  GenerateDataKeyWithoutPlaintext  AWS KMS  

AWS KMS  AWS KMSOpenSSL  AWS Encryption SDK   

Decrypt AWS KMS  CMK    Decrypt  

 AWS KMS OpenSSL AWS KMS  AWS KMS   CMK AWS KMS  AWS KMS  
AWS KMS  · RSA : RSA_2048RSA_3072 RSA_4096 · ECC_NIST_P256ECC_NIST_P384ECC_NIST_P521
ECC_SECG_P256K1   RSA  ECC_SECG_P256K1 AWS KMS ECC  RSA  AWS KMS AWS KMS

 GenerateDataKeyPair  GenerateDataKeyPairwithout   CMK  GenerateDataKeyPair    GenerateDataKeyPairWithoutPlaintext    Decrypt   GenerateDataKeyPair  GenerateDataKeyWithoutPlaintext  

   

        

    Decrypt  AWS KMS  CMK    OpenSSL  dgst     )


     
Aliases
 CMK CMK  1234abcd-12ab-34cd-56ef-1234567890ab    

AWS Management Console  CMK   CMK AWS KMS (p. 12) 1  CMK  AWS  
 CMK  AWS KMS (ABAC)   ABAC AWS KMS (p. 114)
AWS KMS  CMK   CMK 
:
·   (p. 62) ·  
(KeyId) (p. 13) · CMK   ARN 
 (p. 43) ·  
 (p. 351)

AWS KMS FIPS 140-2  3   (HSM) AWS CloudHSM
AWS KMS (CMK)AWS KMS256   AES (Advanced Encryption Standard)  AWS CloudHSMHSM   CMK  HSM 
 (p. 421)

AWS KMS  CMK  API  CMK  AWS KMS  CMK  AWS KMS  
CMK AWS SDKAWS Command Line Interface (AWS CLI)  AWS Tools for PowerShell AWS KMS    AWS KMS API  (p. 338)
AWS KMS   CMK  (p. 16)

   GenerateDataKey

CMK    

CMK  ENCRYPT_DECRYPT ENCRYPT_DECRYPT ENCRYPT_DECRYPT


 GenerateDataKeyPair GenerateDataKeyPairWithoutPlaintext GenerateDataKeyWithoutPlaintext GenerateRandom
ReEncrypt Sign 

CMK 

CMK 

 [1]

ENCRYPT_DECRYPT

 [1]

ENCRYPT_DECRYPT



ENCRYPT_DECRYPT





 CMK 





ENCRYPT_DECRYPT



SIGN_VERIFY



SIGN_VERIFY

[1] GenerateDataKeyPairWithoutPlaintext  GenerateDataKeyPair   CMK 
the section called "AWS KMS API  " (p. 126)
 AWS KMS AWS KMS 1  the section called "" (p. 536)
 (KeyId)
AWS KMS  (CMK)   CMK  CMK AWS KMSAPI IAM 
AWS KMS CMK AWS KMS  CMK   ARN  ID AWS KMS   ARN AWS Management Console  AWS KMS API 
AWS KMS (p. 28)CMK  ARN ID ID   ID  ARN  (p. 42) ARN   (p. 43)
AWS KMS API CMK KeyId  (TargetKeyId  DestinationKeyId )  ID  AWS Key Management ServiceAPI  
Note
AWS KMSAPIAPI  
AWS KMS 

 ARN  ARN CMK  Amazon  (ARN)  CMK   ARN  AWS   IDCMK  ARN  the section called " ID  ARN " (p. 42)  ARN 
arn:<partition>:kms:<region>:<account-id>:key/<key-id>
 CMK  ARN 
arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
- ID ARN  (p. 244)mrk-prefix.   CMK  ARN 
arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab
 ID  ID  CMK CMK  ID  the section called " ID  ARN " (p. 42)  CMK  ID 
1234abcd-12ab-34cd-56ef-1234567890ab
 ID (p. 244)mrk-prefix.  CMK   ID 
mrk-1234abcd12ab34cd56ef1234567890ab
 ARN  ARN AWS KMS  Amazon  (ARN)   CMK  ARN  AWS     ARN  CMK   CMK  ARN  CMK  CMK  ARN    ARN  (p. 43)  ARN 
arn:<partition>:kms:<region>:<account-id>:alias/<alias-name>
 ExampleAlias  ARN 
arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias
  256  CMK AWS KMS API  alias/ CMK 
  ARN   (p. 43)

alias/<alias-name>

alias/ExampleAlias
 aws/ AWS  CMK (p. 4)  AWSAmazon Simple Storage Service (Amazon S3)  CMK 
alias/aws/s3

 
EclipseAWS KMS  ID (p. 13) (p. 85)- (p. 15) AWS KMS AWS CloudHSM (p. 421),   (p. 405)AWS KMS  (p. 283)
 CMK   (p. 244)

CMK  CMK CMK CMK DescribeKey Origin () CMK  CMK AWS KMS console.   (p. 28)
CMK 
KMS ()
API : AWS_KMS AWS KMS  CMK   CMK 
AWS KMS  (p. 21)  
API : EXTERNAL
CMK  (p. 405)External   CMK CMK  CMK   AWS KMS    (p. 406)
 CMK   1:   CMK  (p. 410)  (CloudHSM)
API : AWS_CLOUDHSM
AWS KMS CMK  (p. 421)
 CMK   CMK   (p. 442)

CMK  CMK CMK  CMK CMK  
CMK CMK   (p. 21) CMK  (p. 393)
   (p. 235)CMK DescribeKeyCMK  AWS KMS console.  (p. 28) 
Note
EclipseAWS KMSAPICMK CustomerMasterKeySpec  (KeySpec)  (KeyPairSpec)   (WrappingKeySpec)  
CMK  kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeySpec   CMK  AWS KMS  RSA_4096  CMK  

[Key usage ()] CMK   CMK CMK  
 CMK  (ECC) CMK  RSA CMK CMK  (p. 21)  CMK  (p. 393)
   (p. 234)CMK  DescribeKeyCMK  AWS KMS console.  (p. 28)
 CMK  kms:CustomerMasterKeyUsage (p. 164) kms:CustomerMasterKeyUsage  CMK  API  CMK  SIGN_VERIFY  CMK 

1   
 1  
AWS KMS  AWS KMS  (p. 3) (CMK) AWS KMS FIPS  AWS KMS CMK AWS KMS 

· 
   · 
 ( ) raw raw   · 
  

AWS KMS  (p. 12)CMK  AWS KMS (AAD) 
 CMK (p. 232)  AWS KMS 
  ()    
 AWS CloudTrail  (p. 296) 
   
  AWS KMS 
"encryptionContext": {
    "department": "10103.0"
}
 (_) (-) (/\) (:)  
Amazon Elastic Block Store(Amazon EBS)CreateSnapshotAmazon EBS  ID  
"encryptionContext": {
    "aws:ebs:id": "vol-abcde12345abc1234"
}
 (CMK)   (p. 199)  (p. 157)
  AWS Key Management Service  AWS


  IAM  (CMK)  
-kms:EncryptionContext: (p. 168)kms:EncryptionContextKeys (p. 168)  
RoleForExampleApp CMK  Decrypt. kms:EncryptionContext:context-key AppName:ExampleApp
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:AppName": "ExampleApp"
    }
  }
}
 AWS KMS   (p. 157)

 (p. 199) AWS KMS2 EncryptionContextEqualsEncryptionContextSubset  (p. 17)  
EncryptionContextEqualsGenerateDataKey .  
$ aws kms create-grant \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --grantee-principal arn:aws:iam::111122223333:user/exampleUser \
    --retiring-principal arn:aws:iam::111122223333:role/adminRole \
    --operations GenerateDataKey \
    --constraints EncryptionContextEquals={Purpose=Test}
EncryptionContextEquals
$ aws kms generate-data-key \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --key-spec AES_256 \
    --encryption-context Purpose=Test
 (p. 204) the section called "" (p. 199)
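As an added example (not code from the AWS KMS Developer Guide), the following Python models how AWS KMS evaluates a request's encryption context against the two grant constraints named above, EncryptionContextEquals and EncryptionContextSubset, and against the kms:EncryptionContext:AppName StringEquals condition from the RoleForExampleApp policy statement earlier in this section. The grant, the policy statement and the requests are constructed here from the page's example values; the matching rules (exact match for Equals, constraint pairs contained in the request for Subset, case-sensitive comparison, and a missing key failing StringEquals) are AWS KMS behaviour, not something taken from this page.

```python
"""Offline model of how AWS KMS evaluates encryption context against the two
grant constraints (EncryptionContextEquals, EncryptionContextSubset) and a
key-policy StringEquals condition on kms:EncryptionContext:<key>.

Added example, not code from the AWS KMS Developer Guide. The grant, the
policy statement and the requests below are constructed from the page's
example values. Keys and values are compared case-sensitively, as KMS does.
"""
from typing import Dict, Mapping


def equals_constraint_allows(request_ctx: Mapping[str, str],
                             constraint: Mapping[str, str]) -> bool:
    """EncryptionContextEquals: the request's context must be exactly the
    constraint's pairs, no more and no fewer."""
    return dict(request_ctx) == dict(constraint)


def subset_constraint_allows(request_ctx: Mapping[str, str],
                             constraint: Mapping[str, str]) -> bool:
    """EncryptionContextSubset: every constraint pair must appear in the
    request with the same value; extra request pairs are allowed."""
    return all(request_ctx.get(k) == v for k, v in constraint.items())


def grant_allows(grant: Mapping, operation: str,
                 request_ctx: Mapping[str, str]) -> bool:
    """A grant permits the call only if the operation is listed and every
    constraint it carries holds for the request's encryption context."""
    if operation not in grant["Operations"]:
        return False
    constraints = grant.get("Constraints", {})
    if "EncryptionContextEquals" in constraints and not \
            equals_constraint_allows(request_ctx, constraints["EncryptionContextEquals"]):
        return False
    if "EncryptionContextSubset" in constraints and not \
            subset_constraint_allows(request_ctx, constraints["EncryptionContextSubset"]):
        return False
    return True


def policy_condition_allows(statement: Mapping,
                            request_ctx: Mapping[str, str]) -> bool:
    """Evaluate the StringEquals block of a key-policy statement for the
    kms:EncryptionContext:<key> condition keys it names. A key missing from
    the request makes StringEquals false, so the statement does not match."""
    prefix = "kms:EncryptionContext:"
    string_equals = statement.get("Condition", {}).get("StringEquals", {})
    for cond_key, expected in string_equals.items():
        if cond_key.startswith(prefix):
            if request_ctx.get(cond_key[len(prefix):]) != expected:
                return False
    return True


# Constructed grant, modelled on the page's create-grant example.
SAMPLE_GRANT = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "GranteePrincipal": "arn:aws:iam::111122223333:user/exampleUser",
    "Operations": ["GenerateDataKey"],
    "Constraints": {"EncryptionContextEquals": {"Purpose": "Test"}},
}

# Constructed statement, modelled on the page's RoleForExampleApp policy.
SAMPLE_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"},
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:EncryptionContext:AppName": "ExampleApp"}},
}


def demo() -> Dict[str, bool]:
    """Run constructed requests through both checks and return the verdicts."""
    op = "GenerateDataKey"
    return {
        # exactly Purpose=Test, as in the page's generate-data-key call
        "grant_exact": grant_allows(SAMPLE_GRANT, op, {"Purpose": "Test"}),
        # an extra pair fails an Equals constraint ...
        "grant_extra_pair": grant_allows(SAMPLE_GRANT, op, {"Purpose": "Test", "Dept": "IT"}),
        # ... but satisfies a Subset constraint carrying the same pair
        "subset_extra_pair": subset_constraint_allows({"Purpose": "Test", "Dept": "IT"},
                                                      {"Purpose": "Test"}),
        # comparison is case sensitive
        "grant_wrong_case": grant_allows(SAMPLE_GRANT, op, {"Purpose": "test"}),
        # operation not listed in the grant
        "grant_wrong_op": grant_allows(SAMPLE_GRANT, "Decrypt", {"Purpose": "Test"}),
        "policy_match": policy_condition_allows(SAMPLE_STATEMENT, {"AppName": "ExampleApp"}),
        "policy_missing_key": policy_condition_allows(SAMPLE_STATEMENT, {"Purpose": "Test"}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'}")
```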

AWS KMS  AWS CloudTrail  CMK    CMK 
Important


Decrypt  ReEncrypt  
 
   ( )

CMK  CMK   CMK AWS  CMK  AWS KMS  (p. 85) 
Grant
AgrantAWSAWS KMS (CMK) (p. 12)CMK (DescribeKey)CMK   (p. 85)IAM  (p. 104)  IAM   
 (p. 199)
CMK 
AWS CloudTrailCloudTrail  AWS API  AWS AWS SDK AWS KMS API AWS  AWS KMS  CMK   ID IP  AWS CloudTrail  (p. 296)AWS CloudTrail 

AES (Advanced Encryption Standard)    1   (KMI) AWS KMS KMI AWS KMS  (p. 3) AWS KMSAWS Key Management Service

AWS KMS  (p. 3) (CMK)  CMK   CMK 
 AWS Key Management Service (AWS KMS) AWS Management Console  AWS KMSAWS KMSAPI  AWS KMSAPI AWSSDK,AWS Command Line InterfaceAWS Tools for PowerShell
 ·  (p. 21) ·  (p. 28) ·  (p. 48) ·  (p. 49) ·  (p. 58) ·  (p. 60) ·  (p. 62)

 (p. 231)(CMK) AWS Management Console CreateKey. CMK  CMK CMK  
 CMK AWS CMK  AWSAWS KMS CMK   CMK  CMK   CMK  (p. 233)
AWS KMS  CMK  ()  -CreateKey CMK AWS KMS   (p. 62)
:
·  ( (p. 15) )  CMK   (p. 410) 
·   (p. 256)
·  CMK  ( (p. 15)   (CloudHSM)) CMK  (p. 442)
·  CMK   CMK   CMK  (p. 46)
·  CMK  ID (p. 14)  ARN (p. 14)  ID  ARN  (p. 42)
· CMK  Quotas (p. 530)
 · CMK  (p. 22) ·  CMK  (p. 22) ·  CMK  (p. 25)
CMK 
 API  CMK IAM   (p. 157)  IAM CMK  (p. 111)
Note
 CMK   ABAC AWS KMS (p. 114)
· KMS:  · kms:  CMK  CMK  · KMS: CMK  · iam:CreateServiceLinkedRole CMK 
 (p. 251)
-KMS:  CMK -kms:CreateKey CMK  CMK  
 CMK 
 CMK (p. 232) AWS Management Console  AWS KMS API  
CMK
AWS Management Console  (CMK) 
1. AWS Management Console AWS Key Management Service (AWS KMS)  (https://console.aws.amazon.com/kms) 
2. AWS  3. [Customer managed keys ()]  4. []  5.  CMK []  [] 
AWS KMS  CMK CMK  (p. 25) 6. [Next]  7. []alias (p. 11)CMK  aws/ -aws/ Amazon Web Services AWS CMK
Note
CMK   ABAC AWS KMS (p. 114)  CMK  (p. 77)
 CMK   CMK 
AWS Management Console CMK  CreateKey   8. () CMK 
 (p. 288)Pending DeletionPending Replica Deletion CMK   (p. 48)()AWS Management ConsoleUpdateKeyDescription. 9. [Next]  10. () CMK [Add tag] 
Note
CMK CMK   ABAC AWS KMS (p. 114)  CMK  (p. 56)
AWS  AWS  CMK CMK   (p. 49) ABAC AWS KMS (p. 114) 11. [Next]  12. CMK  IAM 
Note
IAM  IAM  CMK   13.  IAM  CMK       14. [Next]  15.  (p. 12) CMK  IAM 
Note
- AWS  (root )  IAM  CMK   16. ()  AWS   CMK   AWS  [Add AWS  []  AWS    
Note
 CMK   IAM 
 CMK  (p. 120)  17. []  18.  19. [Finish] CMK 
 CMK  (AWS KMSAPI)
CreateKey  (CMK)   AWS Command Line Interface (AWS CLI)  
 Policy  (PutKeyPolicy)       (p. 405)  CMK  (p. 421) CMK Origin 
-CreateKeyCreateAlias  CMK 
 CreateKey  AWS KMS   CMK 
$ aws kms create-key
{
  "KeyMetadata": {
    "Origin": "AWS_KMS",
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Description": "",
    "KeyManager": "CUSTOMER",
    "Enabled": true,
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "CreationDate": 1502910355.475,
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "AWSAccountId": "111122223333",
    "MultiRegion": false,
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ]
  }
}
 CMK  (p. 86)thatCreateKey  CMK  
 GetKeyPolicy  CreateKey   AWS  CMK AWS Identity and Access Management(IAM) IAM  CMK   AWS KMS (p. 81)
$ aws kms get-key-policy --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --policy-name default --output text
{
  "Version" : "2012-10-17",
  "Id" : "key-default-1",
  "Statement" : [ {
    "Sid" : "Enable IAM policies",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::111122223333:root"
    },
    "Action" : "kms:*",
    "Resource" : "*"
  } ]
}
 CMK 
 CMK (p. 232) AWS Management Console  AWS KMS API   CMK  AWS KMS AWS KMS (p. 60)
CMK AWS CMK  (p. 22)AWS CMK   CMK  CMK  CMK  (p. 233)
CMK
AWS Management Console  (CMK)  CMK 
1. AWS Management Console AWS Key Management Service (AWS KMS)  (https://console.aws.amazon.com/kms) 
2. AWS  3. [Customer managed keys ()]  4. []  5.  CMK []  [] 
AWS KMS  CMK CMK  (p. 22) 6.  CMK [Key usage ()] [ ]  CMK  [Key usage ()]  [] 
  (p. 234) 7.  CMK []
  
  (p. 235) 8. [Next]  9. []alias (p. 62)CMK  aws/ -aws/
Amazon Web Services AWS CMK
alias CMK AWS KMSAPI  CMK  
AWS Management Console CMK  CreateKeyCreateAlias  CMK   (p. 62) 10. () CMK 
 (p. 288)Pending DeletionPending Replica Deletion CMK   (p. 48)()AWS Management ConsoleUpdateKeyDescription. 11. () CMK [Add tag] 
AWS  AWS  CMK CMK   (p. 49) ABAC AWS KMS (p. 114) 12. [Next]  13. CMK  IAM 
Note
IAM  IAM  CMK   14.  IAM  CMK       15. [Next]  16.  (p. 12) CMK  IAM 
Note
- AWS  (root )  IAM  CMK   17. ()  AWS   CMK   AWS  [Add AWS  []  AWS    
Note
 CMK   IAM   CMK  (p. 120)  18. []  19.  20. [Finish] CMK 
 CMK  (AWS KMSAPI)
CreateKey  (CMK)   AWS Command Line Interface (AWS CLI)  
 CMK  CustomerMasterKeySpec  ENCRYPT_DECRYPT  SIGN_VERIFY  KeyUsage  CMK 
-CreateKeyCreateAlias  CMK 
CreateKey  4096  RSA  CMK 
$ aws kms create-key --customer-master-key-spec RSA_4096 --key-usage ENCRYPT_DECRYPT
{
  "KeyMetadata": {
    "KeyState": "Enabled",
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "CustomerMasterKeySpec": "RSA_4096",
    "KeyManager": "CUSTOMER",
    "Description": "",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": 1569973196.214,
    "MultiRegion": false,
    "EncryptionAlgorithms": [
      "RSAES_OAEP_SHA_1",
      "RSAES_OAEP_SHA_256"
    ],
    "AWSAccountId": "111122223333",
    "Origin": "AWS_KMS",
    "Enabled": true
  }
}
 ECDSA  CMK  
$ aws kms create-key --customer-master-key-spec ECC_NIST_P521 --key-usage SIGN_VERIFY
{
  "KeyMetadata": {
    "KeyState": "Enabled",
    "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
    "CreationDate": 1570824817.837,
    "Origin": "AWS_KMS",
    "SigningAlgorithms": [
      "ECDSA_SHA_512"
    ],
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
    "AWSAccountId": "111122223333",
    "CustomerMasterKeySpec": "ECC_NIST_P521",
    "KeyManager": "CUSTOMER",
    "Description": "",
    "Enabled": true,
    "MultiRegion": false,
    "KeyUsage": "SIGN_VERIFY"
  }
}

AWS Management Console AWS Key Management Service (AWS KMS) API   (CMK)  CMK  AWS  CMK  
 ·  CMK  (p. 28) · API  CMK  (p. 37) ·  ID  ARN  (p. 42) ·  ARN  (p. 43) ·  CMK  CMK  (p. 46)
 CMK 
AWS Management Console CMK  CMK 
 ·  (p. 28) ·  (p. 28) · CMK  (p. 29) · CMK  (p. 32) · CMK  (p. 36)

-AWS KMS (CMK)   CMK AWS  CMK 
1. AWS Management ConsoleAWS Key Management Service(AWS KMS) https://console.aws.amazon.com/kms
2. AWSRegion ()  [Region ()]  
3.  [Customer managed keys ()]  AWSAWSCMK    (p. 3) Tip
AWS CMK (p. 4) . AWS KMS   CMK []     (p. 421)

AWS KMS (CMK)  
 ID , , CMK  1. AWS Management ConsoleAWS Key Management Service(AWS KMS)
https://console.aws.amazon.com/kms 2. AWS
 3. 
[Customer managed keys ()]  AWSAWSCMK    (p. 3) 4. CMK  ID  CMK  (+n)  [] 
CMK 
 CMK  Note
- (p. 36) AWS   AWS KMS CMK  Sort  CMK   CMK   []AWS  ID [] , ID,    1   ID  CMK  
  CMK  []  
 CMK  CMK   ·  []AWS ID   ·  [] ID       CMK aws/e[]  aws/e[] EnterReturn 
 CMK   [] :   CMK  CMK  CMK  CMK  (p. 46)
 CMK   [] : -  CMK   CMK   (p. 262)
 CMK     CMK  CMK  ID     CMK  ListResourceTagsCMK ListResourceTags: CMK  (p. 41) 
 ID   CMK testtest  CMK test 
 
CMK 
 CMK CMK CMK   CMK AWSCMK  ID  CMK CMK     CMK   CMK  CMK  CMK 
  
 CMK  CMK  AWS KMSAPI.  (p. 62) -CMK  AWS    ARN  CMK  Amazon  (ARN) CMK  AWS KMS API  CMK    CMK   []  CMK 
CloudHSM  ID
[] 
CMK  AWS CloudHSM  ID CMK  AWS KMS  (p. 421)
CloudHSM  ID AWS CloudHSM console.  ID
[] 
CMK   (p. 421)  IDCMK  AWS KMS  
 ID AWS KMS console. 
[] 
CMK   (p. 421)CMK  AWS KMS   

 CMK  () CMK  [General Configuration ()]  []  
[] 
AWS KMS  CMK [ ]  [] [Key usage ()]  []  AWS KMS SYMMETRIC_DEFAULT   (p. 236) RSA  (p. 237) 
[] 
CMK   (p. 405) CMK []  [External] CMK   
[] 
IAM  (p. 104)   (p. 199) CMK  CMK  1  CMK []  []  the section called "" (p. 85) 
[] 
 (p. 283)
 CMK (p. 4) [ ]  AWS  CMK (p. 4)  3  

[] 
CMK AWS KMS  CMK (SYMMETRIC_DEFAULT)  RSA  CMK  (p. 16) 
[] 
CMK  []  []  
[] 
CMK  []  []  CMK   (p. 16) Origin
[] 
CMK AWSAWS KMS, for (p. 405), CloudHSM CMK   (p. 421) 
[] 
 CMK  (p. 249)  (p. 266) 
[] 
 CMK   (p. 60) 
 [] 
CMK  CMK  (p. 249)  (p. 249) 
[] 
 CMK  (p. 244) CMK 
  (p. 259) 
[] 
 CMK  (p. 249) 
[] 
AWS KMS  CMK [ ]  [] [Key usage ()]  []  AWS KMS  RSA   (p. 238) (p. 239) 

CMK CMK  (p. 12)[Enabled ( )] CMK CMK   : CMK  (p. 288) 

CMK CMK []   [] 
AWS   AWS  CMK  CMK  (p. 49) ABAC AWS KMS (p. 114)
CMK 
AWS AWS Management Console  (CMK) [] 
CMK 
1. [AWS managed keys (AWS )]  [Customer managed keys (
)]  ( )  2. [Preferences ()]  [Confirm ()] 
[]   CMK 
 CMK   CMK  (p. 32)
 CMK 
CMK CMK 
AWS 
AWS, ID,    
CMKAWS KMS , ID,, []

 CMK ,,   CMK CMK   
CMK (p. 405) Origin () CMK   AWS KMS  [] CMK   
CMK (p. 421)  ID ID CMK   CMK  
[CMK (p. 244)  ID CMK  ()  (p. 249) (p. 249)
API  CMK 
AWS Key Management Service(AWS KMS) API CMK   CMK  AWS Command Line Interface (AWS CLI) 
 · ListKeys:  CMK  ID  ARN  (p. 37) · DescribeKey: CMK  (p. 38) · GetKeyPolicy: CMK  (p. 39) · ListAliases: CMK  ARN  (p. 39) · ListResourceTags: CMK  (p. 41)
ListKeys:  CMK  ID  ARN 
ListKeys  CMK  ID  Amazon  ARN
ListKeys  CMK  ID  ARN  CMK  ID  ARN  (p. 346)
$ aws kms list-keys
{
  "Keys": [
    {
      "KeyArn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "KeyArn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
      "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"
    },
    {
      "KeyArn": "arn:aws:kms:us-east-2:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d",
      "KeyId": "1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d"
    }
  ]
}
DescribeKey: CMK 
DescribeKey  CMK CMK   ID (p. 14) ARN (p. 14) (p. 14) ARN (p. 14)  
 DescribeKey  CMK   (p. 16) (p. 288)  (p. 15)   (p. 344)
$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
  "KeyMetadata": {
    "Origin": "AWS_KMS",
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Description": "",
    "KeyManager": "CUSTOMER",
    "Enabled": true,
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "CreationDate": 1499988169.234,
    "MultiRegion": false,
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "AWSAccountId": "111122223333",
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ]
  }
}
 CMK  DescribeKey   CMK  AWS KMS 
$ aws kms describe-key --key-id 0987dcba-09fe-87dc-65ba-ab0987654321
{
  "KeyMetadata": {
    "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
    "Origin": "AWS_KMS",
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
    "KeyState": "Enabled",
    "KeyUsage": "SIGN_VERIFY",
    "CreationDate": 1569973196.214,
    "Description": "",
    "CustomerMasterKeySpec": "ECC_NIST_P521",
    "AWSAccountId": "111122223333",
    "Enabled": true,
    "MultiRegion": false,
    "KeyManager": "CUSTOMER",
    "SigningAlgorithms": [
      "ECDSA_SHA_512"
    ]
  }
}
 AWS  ( ID  AWS )  DescribeKey  AWS KMS  AWS  CMK (p. 3)   KeyId  Arn 
GetKeyPolicy: CMK 
GetKeyPolicy CMK CMK   ID  ARN  default ( --output text  )
  (p. 372)
$ aws kms get-key-policy --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --policy-name default
{
  "Version" : "2012-10-17",
  "Id" : "key-default-1",
  "Statement" : [ {
    "Sid" : "Enable IAM policies",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::111122223333:root"
    },
    "Action" : "kms:*",
    "Resource" : "*"
  } ]
}
ListAliases: CMK  ARN 
ListAliases  TargetKeyId  CMK  ID () 
ListAliases   CMK (p. 3) AWS   AWS  CMK (p. 3) AWS  aws/dynamodb  aws/<service-name> 
TargetKeyId ( aws/redshift )AWS  CMK  
  (p. 354)
$ aws kms list-aliases
{
  "Aliases": [
    {
      "AliasName": "alias/access-key",
      "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/access-key",
      "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
      "CreationDate": 1516435200.399,
      "LastUpdatedDate": 1516435200.399
    },
    {
      "AliasName": "alias/ECC-P521-Sign",
      "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/ECC-P521-Sign",
      "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
      "CreationDate": 1693622000.704,
      "LastUpdatedDate": 1693622000.704
    },
    {
      "AliasName": "alias/ImportedKey",
      "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/ImportedKey",
      "TargetKeyId": "1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d",
      "CreationDate": 1493622000.704,
      "LastUpdatedDate": 1521097200.235
    },
    {
      "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/financeKey",
      "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
      "AliasName": "alias/financeKey",
      "CreationDate": 1604958290.014,
      "LastUpdatedDate": 1604958290.014
    },
    {
      "AliasName": "alias/aws/dynamodb",
      "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/dynamodb",
      "TargetKeyId": "0987ab65-43cd-21ef-09ab-87654321cdef",
      "CreationDate": 1521097200.454,
      "LastUpdatedDate": 1521097200.454
    },
    {
      "AliasName": "alias/aws/ebs",
      "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/ebs",
      "TargetKeyId": "abcd1234-09fe-ef90-09fe-ab0987654321",
      "CreationDate": 1466518990.200,
      "LastUpdatedDate": 1466518990.200
    }
  ]
}
 CMK KeyId   ID (p. 14)   ARN (p. 14)  (p. 14) ARN (p. 14) 
 CMK (p. 4)  AWS  CMK (p. 4) 
$ aws kms list-aliases --key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
{
  "Aliases": [
    {
      "AliasName": "alias/access-key",
      "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/access-key",
      "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
      "CreationDate": 1516435200.399,
      "LastUpdatedDate": 1516435200.399
    },
    {
      "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/financeKey",
      "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
      "AliasName": "alias/financeKey",
      "CreationDate": 1604958290.014,
      "LastUpdatedDate": 1604958290.014
    }
  ]
}
AWSmanaged CMK  
$ aws kms list-aliases --query 'Aliases[?starts_with(AliasName, `alias/aws/`)]'
ListResourceTags: CMK 
-ListResourceTags CMK API  1  CMK   CMK   CMK API1 CMK 
ListResourceTags AWS KMSCMK AWS CMK (p. 4) 
CMK ListResourceTags. KeyId   ID (p. 14) ARN (p. 14) ARN  ARN 
$ aws kms list-resource-tags --key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
{
  "Tags": [
    {
      "TagKey": "Department",
      "TagValue": "IT"
    },
    {
      "TagKey": "Purpose",
      "TagValue": "Test"
    }
  ],
  "Truncated": false
}
ListResourceTags  CMK  
 Bash ListKeysListResourceTags  CMK Project  CMK   ID  ID  
TARGET_TAG_KEY='Project'
for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text); do
  key_tags=$(aws kms list-resource-tags --key-id "$key" --query "Tags[?TagKey==\`$TARGET_TAG_KEY\`]")
  if [ "$key_tags" != "[]" ]; then
    echo "Key: $key"
    echo "$key_tags"
  fi
done

Key: 0987dcba-09fe-87dc-65ba-ab0987654321
[
  {
    "TagKey": "Project",
    "TagValue": "Gamma"
  }
]
Key: 1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d
[
  {
    "TagKey": "Project",
    "TagValue": "Alpha"
  }
]
Key: 0987ab65-43cd-21ef-09ab-87654321cdef
[
  {
    "TagKey": "Project",
    "TagValue": "Alpha"
  }
]
 ID  ARN 
AWS KMS CMK   ID (p. 14)  Amazon  ( ARN (p. 14))  (p. 12) (p. 14) ARN (p. 14) 
AWS KMS  CMK  (KeyId) (p. 13)  ARN    ARN  (p. 43)
 ID  ARN  ()
1. AWS KMShttps://console.aws.amazon.com/kms 2. AWS
 3. 
[Customer managed keys ()]  AWSAWS 4. CMK  ID (p. 14) CMK 
[ ID] [ ID]  the section called "CMK " (p. 36) CMK  CMK  ID 
5. CMK  Amazon  (ARN)  ID   ARN (p. 14)  [General configuration] 
 ID  ARN  (AWS KMSAPI)
  (CMK)  ID (p. 14)  ARN (p. 14)  ListKeys    ID  ARN   (p. 346)   ID  ARN  (p. 37) ListKeys  CMK  ID  ARN 
$ aws kms list-keys
{
  "Keys": [
    {
      "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
      "KeyArn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
      "KeyArn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
    }
  ]
}
 ARN 
AWS KMS  (p. 3)(CMK)   (p. 14) ARN (p. 14)()AWS KMSAWS KMSAPI. AWS KMS  CMK  (KeyId) (p. 13)  ID  ARN   ID  ARN   (p. 42) 
·  ARN  () (p. 44) ·  ARN  (AWS KMSAPI) (p. 43)
 ARN  ()
-AWS KMSCMK  1. AWS KMShttps://console.aws.amazon.com/kms 2. AWS
 3. 
[Customer managed keys ()]  AWSAWS 4. - CMK CMK   (-) []  ID  CMK  (+n) CMK  2  1 master-keytest CMK  ARN   ·  (+n). 
CMK  · CMK  ID CMK 

5. -CMK  ARN  CMK 
44

AWS Key Management Service   ARN 
 ARN  (AWS KMSAPI)
 (CMK)  (p. 14) ARN (p. 14)  ListAliases    (p. 354)   ARN   (p. 39)   ARN  CMK KeyId    ID  CMK  1234abcd-12ab-34cd-56ef-1234567890ab
$ aws kms list-aliases --key-id 1234abcd-12ab-34cd-56ef-1234567890ab {
"Aliases": [ { "AliasName": "alias/test-key", "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/test-key", "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": 1593622000.191, "LastUpdatedDate": 1593622000.191 }, { "AliasName": "alias/project-key", "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/project-key", "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" "CreationDate": 1516435200.399, "LastUpdatedDate": 1516435200.399 }
] }
Identifying symmetric and asymmetric CMKs

To determine whether a particular CMK is symmetric or asymmetric, find its key type or key spec. You can use the AWS KMS console or the AWS KMS API. The distinction matters because the operations a CMK supports depend on it: a symmetric CMK encrypts and decrypts, while an asymmetric CMK either encrypts and decrypts or signs and verifies, never both.

Topics
· Finding the key type in the CMK table
· Finding the key type on the details page
· Finding the key spec with the AWS KMS API

Finding the key type in the CMK table

The AWS KMS console shows the key type of each customer managed CMK in the Key type column of the CMK table. All AWS managed CMKs are symmetric, so the AWS managed keys table has no Key type column.

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys.
4. The Key type column shows whether each CMK is Symmetric or Asymmetric. If the column is not displayed, choose the settings icon in the upper-right corner of the table, select Key type (and, if you want, Key spec and Key usage), then choose Confirm. See Customizing your CMK tables.

Finding the key type on the details page

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys.
4. Choose the alias or key ID of the CMK.
5. Choose the Cryptographic configuration tab. The Key type field shows Symmetric or Asymmetric, the Key spec field shows the key spec, and the Key usage field shows whether the CMK is for Encrypt and decrypt or Sign and verify.

For an asymmetric RSA CMK, check the Key usage field: RSA key specs can be used for either encryption or signing, and the CMK's key usage, fixed at creation, decides which.

Finding the key spec with the AWS KMS API

To determine whether a CMK is symmetric or asymmetric, use the DescribeKey operation and look at the CustomerMasterKeySpec field. A value of SYMMETRIC_DEFAULT means the CMK is symmetric; any other value means it is asymmetric.

The following DescribeKey output is for a symmetric CMK. CustomerMasterKeySpec is SYMMETRIC_DEFAULT.

{
    "KeyMetadata": {
        "AWSAccountId": "111122223333",
        "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
        "CreationDate": 1496966810.831,
        "Enabled": true,
        "Description": "",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "MultiRegion": false,
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}

The following DescribeKey output is for an asymmetric RSA CMK. CustomerMasterKeySpec is RSA_2048, KeyUsage is SIGN_VERIFY, and the response lists the SigningAlgorithms the CMK supports instead of EncryptionAlgorithms. Note that this particular CMK is disabled.

{
    "KeyMetadata": {
        "AWSAccountId": "111122223333",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "CreationDate": 1571767572.317,
        "Enabled": false,
        "Description": "",
        "KeyState": "Disabled",
        "Origin": "AWS_KMS",
        "MultiRegion": false,
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_2048",
        "KeyUsage": "SIGN_VERIFY",
        "SigningAlgorithms": [
            "RSASSA_PKCS1_V1_5_SHA_256",
            "RSASSA_PKCS1_V1_5_SHA_384",
            "RSASSA_PKCS1_V1_5_SHA_512",
            "RSASSA_PSS_SHA_256",
            "RSASSA_PSS_SHA_384",
            "RSASSA_PSS_SHA_512"
        ]
    }
}
Editing keys

You can change the following properties of a customer managed CMK in the AWS KMS console or with the AWS KMS API. In the console, each property is edited from the CMK's details page.

Property                  AWS KMS API operation                    Details
Description               UpdateKeyDescription                     Editing keys
Key policy                PutKeyPolicy                             Changing a key policy
Tags                      TagResource, UntagResource               Tagging keys
Enabled or disabled       EnableKey, DisableKey                    Enabling and disabling keys
Automatic key rotation    EnableKeyRotation, DisableKeyRotation    Rotating customer master keys
Aliases                   CreateAlias, UpdateAlias, DeleteAlias    Managing aliases

Properties that are not in this table, such as the key spec, key usage, origin of the key material and whether the key is multi-Region, are fixed when the CMK is created. To change them, create a new CMK.
Tagging keys

In AWS KMS, you can add tags to a customer managed CMK when you create it, or tag an existing CMK. Tags are optional. You cannot tag AWS managed CMKs or AWS owned CMKs.

A tag is an optional metadata label that you can assign (or that AWS assigns) to an AWS resource. Each tag consists of a tag key and a tag value, both case-sensitive strings. The tag value can be an empty (null) string. Each tag on a resource must have a different tag key, and a CMK can have up to 50 tags.

For example, you could mark the CMK and the Amazon S3 bucket that hold data for the Alpha project with the same "Project"="Alpha" tag:

TagKey = "Project"
TagValue = "Alpha"

For general information about tags, see Tagging AWS resources in the Amazon Web Services General Reference.

Tags help you in several ways:

· Identify and organize resources. Tagging a CMK with the same tag as the AWS resources that use it, such as an Amazon Elastic Block Store (Amazon EBS) volume or an AWS Secrets Manager secret, shows which CMKs protect which workloads.
· Track costs. Reports in AWS Billing and Cost Management can be grouped by tag, so you can allocate AWS KMS costs to projects or teams. See Using cost allocation tags in the AWS Billing and Cost Management User Guide.
· Control access. You can use tags to allow or deny access to CMKs with attribute-based access control (ABAC). See Using tags to control access to CMKs and ABAC for AWS KMS in this guide, and What is ABAC for AWS? in the IAM User Guide.

AWS KMS writes an entry to your AWS CloudTrail log for every TagResource, UntagResource and ListResourceTags request.

Topics
· Tagging CMKs in the console
· Tagging CMKs with the API
· Controlling access to tags
· Using tags to control access to CMKs
Tagging CMKs in the console

In the AWS KMS console you can add tags to a CMK while creating it, and view, add, edit and delete the tags of an existing CMK. The console shows the tags of a CMK on the Tags tab of its details page.

To do these tasks you need the permissions described in Controlling access to tags.

Adding tags when creating a CMK (console)

To add tags while creating a CMK, you need kms:TagResource permission in addition to the permission to create the key. You add the tags in the Add tags step of the create key process.

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys. (You cannot tag AWS managed CMKs.)
4. Choose Create key.
5. Choose the key type and key usage, then choose Next.
6. On the Add labels page, enter an alias and an optional description. In the Tags section, choose Add tag and enter a tag key and, optionally, a tag value for each tag. The tag value can be empty (null); the tag key cannot.
7. Complete the remaining steps to create the CMK.

Viewing and editing the tags of an existing CMK (console)

To view tags you need kms:ListResourceTags permission; to add or change tags, kms:TagResource; to delete tags, kms:UntagResource. These permissions can come from the key policy or, if the key policy allows it, an IAM policy.

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys. (You cannot tag AWS managed CMKs.)
4. Choose the alias or key ID of the CMK (see Customizing your CMK tables if the column you need is hidden).
5. On the details page, choose the Tags tab to view the tags.
6. To change the tags, choose Key actions, Add or edit tags, or choose Edit on the Tags tab.
7. On the Tags tab:
   · To add a tag, choose Add tag, then enter a tag key and, optionally, a tag value. The tag value can be empty (null). Each tag key must be unique on the CMK.
   · To change a tag, choose Edit, change the tag key or tag value, then choose Save.
   · To delete a tag, choose Edit, choose Remove next to the tag, then choose Save.
8. Choose Save to apply the changes.
Tagging CMKs with the API

You can use the AWS Key Management Service (AWS KMS) API to add, delete and list the tags of the CMKs you manage. The examples use the AWS Command Line Interface (AWS CLI), but you can use any supported programming language.

Before you can tag a CMK, you need the permissions described in Controlling access to tags.

Topics
· CreateKey: add tags to a new CMK
· TagResource: add or change tags
· ListResourceTags: get the tags of a CMK
· UntagResource: delete tags

CreateKey: add tags to a new CMK

You can add tags while creating a CMK with the Tags parameter of the CreateKey operation. To do so, you need kms:TagResource permission in an IAM policy in addition to kms:CreateKey, because the key policy of the new CMK does not exist when the request is authorized.

The Tags parameter takes a list of tag key and tag value pairs. The tag value can be an empty (null) string.

The following AWS CLI example creates a symmetric CMK with the tag Project:Alpha.

$ aws kms create-key --tags TagKey=Project,TagValue=Alpha

When the command succeeds it returns the KeyMetadata of the new CMK. The KeyMetadata does not include the tags; to verify them, use ListResourceTags.

TagResource: add or change tags

TagResource adds one or more tags to a CMK, or changes the values of tags that are already on it. You cannot tag a CMK in another AWS account.

The tag value can be an empty (null) string.

The following example adds a Purpose tag and a Department tag to a CMK. The operation returns no output.

$ aws kms tag-resource \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --tags TagKey=Purpose,TagValue=Pretest TagKey=Department,TagValue=Finance

To see the tags, use ListResourceTags.

To change the value of an existing tag, call TagResource with the same tag key and the new value. The following example changes the value of the Purpose tag from Pretest to Test.

$ aws kms tag-resource \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --tags TagKey=Purpose,TagValue=Test

ListResourceTags: get the tags of a CMK

ListResourceTags returns the tags of one CMK. The KeyId parameter is required. You cannot list the tags of a CMK in another AWS account.

The following example lists the tags of a CMK.

$ aws kms list-resource-tags --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "Truncated": false,
    "Tags": [
        {
            "TagKey": "Project",
            "TagValue": "Alpha"
        },
        {
            "TagKey": "Purpose",
            "TagValue": "Test"
        },
        {
            "TagKey": "Department",
            "TagValue": "Finance"
        }
    ]
}

UntagResource: delete tags

UntagResource deletes tags from a CMK. You identify the tags to delete by their tag keys. You cannot delete tags from a CMK in another AWS account.

UntagResource returns no output. To confirm that the tags are gone, use ListResourceTags.

The following example deletes the Purpose tag from a CMK.

$ aws kms untag-resource --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --tag-keys Purpose

Controlling access to tags

To add, view and delete tags in the console or with the AWS KMS API, principals need tagging permissions. You can provide these permissions in a key policy, or in an IAM policy (including a VPC endpoint policy) when the key policy allows IAM policies to control access to the CMK. The default key policy that the console creates gives these permissions to the key administrators you choose.

Note
Be careful when giving principals permission to manage tags. Adding, changing or deleting a tag can allow or deny access to a CMK when you use attribute-based access control (ABAC). For details, see Using tags to control access to CMKs.

For information about all AWS KMS permissions, see the AWS KMS API permissions reference.

Principals who work with tags need the following permissions:

kms:TagResource
    Allows adding tags to a CMK and changing the values of existing tags. To add tags while creating a CMK, the principal needs this permission in an IAM policy, because the key policy does not exist yet.
kms:ListResourceTags
    Allows viewing the tags of a CMK.
kms:UntagResource
    Allows deleting tags from a CMK.

Tagging permissions in a key policy

The following example key policy gives the IAM users LeadAdmin and SupportLead permission to add, view and delete tags on the CMK, and gives the Administrator and Developer roles permission to view tags only.

{
    "Version": "2012-10-17",
    "Id": "key-policy-example",
    "Statement": [
        {
            "Sid": "Enable IAM policies",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow all tagging permissions",
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::111122223333:user/LeadAdmin",
                "arn:aws:iam::111122223333:user/SupportLead"
            ]},
            "Action": [
                "kms:TagResource",
                "kms:ListResourceTags",
                "kms:UntagResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow roles to view tags",
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::111122223333:role/Administrator",
                "arn:aws:iam::111122223333:role/Developer"
            ]},
            "Action": "kms:ListResourceTags",
            "Resource": "*"
        }
    ]
}

Tagging permissions in an IAM policy

You can also provide tagging permissions in an IAM policy, provided the key policy allows IAM policies to control access to the CMK. An IAM policy can cover several CMKs at once, and it can grant permission to tag a CMK while creating it. The following example IAM policy allows the principal to create CMKs and to add, view and delete tags on any CMK in the account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IAMPolicyCreateKeys",
            "Effect": "Allow",
            "Action": "kms:CreateKey",
            "Resource": "*"
        },
        {
            "Sid": "IAMPolicyTags",
            "Effect": "Allow",
            "Action": [
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ListResourceTags"
            ],
            "Resource": "arn:aws:kms:*:111122223333:key/*"
        }
    ]
}

Limiting tagging permissions

You can limit tagging permissions with condition keys. For example, you can allow a principal to add a particular tag (aws:RequestTag/tag-key) or to tag only CMKs whose key material was imported (kms:KeyOrigin). For details, see Condition keys for AWS KMS. The following condition keys are supported for kms:TagResource and kms:UntagResource:

· aws:RequestTag/tag-key
· aws:ResourceTag/tag-key (IAM policies only)
· aws:TagKeys
· kms:CallerAccount
· kms:CustomerMasterKeySpec
· kms:CustomerMasterKeyUsage
· kms:KeyOrigin
· kms:ViaService

The aws:RequestTag/tag-key and aws:TagKeys condition keys constrain the tags in a TagResource or UntagResource request. Because a request can include several tags, aws:TagKeys is a multi-valued condition key and must be used with a set operator, ForAllValues or ForAnyValue. With ForAnyValue, the condition is satisfied when at least one tag key in the request matches, so a request that changes a Project tag could change an unrelated tag in the same call. With ForAllValues, every tag key in the request must match one of the allowed values. (ForAllValues also evaluates to true when the request contains no tag keys at all, but TagResource and UntagResource require at least one.) To restrict a principal to particular tag keys, use ForAllValues.

The following example IAM policy allows the principal to create CMKs and view tags on any CMK in the account, but allows TagResource and UntagResource only when every tag key in the request is Project.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IAMPolicyCreateKey",
            "Effect": "Allow",
            "Action": "kms:CreateKey",
            "Resource": "*"
        },
        {
            "Sid": "IAMPolicyViewAllTags",
            "Effect": "Allow",
            "Action": "kms:ListResourceTags",
            "Resource": "arn:aws:kms:*:111122223333:key/*"
        },
        {
            "Sid": "IAMPolicyManageTags",
            "Effect": "Allow",
            "Action": [
                "kms:TagResource",
                "kms:UntagResource"
            ],
            "Resource": "arn:aws:kms:*:111122223333:key/*",
            "Condition": {
                "ForAllValues:StringEquals": {"aws:TagKeys": "Project"}
            }
        }
    ]
}
Using tags to control access to CMKs

You can control access to customer master keys (CMKs) based on the tags on the CMK. For example, you can write an IAM policy that allows principals to use only CMKs with a particular tag, or a policy that denies use of CMKs with a particular tag. You can even deny access to CMKs that have no tag at all.

This feature is part of AWS KMS support for attribute-based access control (ABAC). For information about ABAC in AWS, see What is ABAC for AWS? in the IAM User Guide. For help using ABAC in AWS KMS, see ABAC for AWS KMS.

Note
It might take up to five minutes for a change to the tags on a CMK to affect the authorization of API requests.

AWS KMS supports the aws:ResourceTag/tag-key global condition key, which lets you allow or deny access to a CMK based on the tags on the CMK. Because several CMKs can carry the same tag, this condition key lets you manage access to a group of CMKs, and change the group by adding or removing tags, without editing any policy.

In AWS KMS, the aws:ResourceTag/tag-key condition key is supported only in IAM policies. It is not supported in key policies, which apply to a single CMK, and it has no effect on operations that do not act on a particular CMK, such as CreateKey, ListKeys and ListAliases.

Controlling access with tags is convenient, but it is also powerful. Use it carefully:

· Use the principle of least privilege. Give principals only the permissions they need, and grant tag-based permission to use CMKs only to principals who need it.
· Give kms:TagResource and kms:UntagResource permission only to principals who need them. Anyone who can change the tags on a CMK can change who is allowed to use it. You can restrict the tags a principal may set with the aws:RequestTag/tag-key and aws:TagKeys condition keys (see Controlling access to tags). The default key policy that the console creates gives key administrators kms:TagResource and kms:UntagResource; when your IAM policies depend on tags, make sure those administrators are trusted.
· Monitor the TagResource and UntagResource operations in your AWS CloudTrail logs and with CloudWatch alarms, so that unexpected changes to the tags on a CMK are noticed.
· Review your tags and tag-based policies regularly to make sure they still allow and deny what you intend.

For example, the following IAM policy allows the principal to call GenerateDataKeyWithoutPlaintext and Decrypt on any CMK in the ap-southeast-1 Region of account 111122223333 that has the tag "Project"="Alpha". When a CMK gets that tag, the principal can use it; when the tag is removed, the principal loses access.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IAMPolicyWithResourceTag",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:ap-southeast-1:111122223333:key/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "Alpha"
                }
            }
        }
    ]
}

The following IAM policy allows several cryptographic operations on the CMKs in the account, but denies every kms action on CMKs that have a "Type"="Reserved" tag, and on CMKs that have no "Type" tag at all. The Null condition operator with the value "true" matches when the aws:ResourceTag/Type key is absent, that is, when the CMK has no Type tag.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IAMAllowCryptographicOperations",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:GenerateDataKey*",
                "kms:Decrypt",
                "kms:ReEncrypt*"
            ],
            "Resource": "arn:aws:kms:*:111122223333:key/*"
        },
        {
            "Sid": "IAMDenyOnTag",
            "Effect": "Deny",
            "Action": "kms:*",
            "Resource": "arn:aws:kms:*:111122223333:key/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Type": "Reserved"
                }
            }
        },
        {
            "Sid": "IAMDenyNoTag",
            "Effect": "Deny",
            "Action": "kms:*",
            "Resource": "arn:aws:kms:*:111122223333:key/*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/Type": "true"
                }
            }
        }
    ]
}
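The difference between ForAllValues and ForAnyValue on aws:TagKeys, and the way the Null operator and an explicit Deny interact in the Type=Reserved policy above, are easier to trust once you have run them. The following Python evaluator is an added example written for this page; it is not AWS code and not the AWS policy evaluator. It models only the operators these policies use (StringEquals, StringLike, Null, ForAllValues and ForAnyValue), applies them to the policies shown above plus the kms:ResourceAliases policy from the aliases section, and uses constructed request contexts. Real evaluation also involves key policies, grants and SCPs, which this model leaves out.

```python
"""Evaluate the tag- and alias-based IAM conditions used in the policies on this page.

Added example, not AWS code or the AWS policy evaluator. It models only what
the policies above rely on: StringEquals and StringLike, the Null operator,
and the ForAllValues / ForAnyValue set operators on multi-valued keys such as
aws:TagKeys and kms:ResourceAliases. Request contexts are constructed.
"""
import fnmatch
from typing import Dict, List


def _as_list(v) -> List[str]:
    if v is None:
        return []
    return [str(x) for x in v] if isinstance(v, (list, tuple, set)) else [str(v)]


def _match(op: str, actual: str, allowed: List[str]) -> bool:
    if op == "StringEquals":
        return actual in allowed
    if op == "StringLike":  # IAM wildcards * and ?
        return any(fnmatch.fnmatchcase(actual, pat) for pat in allowed)
    raise ValueError(f"unsupported operator {op}")


def condition_matches(condition: dict, ctx: dict) -> bool:
    """True when every condition block matches the request context (blocks are ANDed)."""
    for qualified_op, pairs in condition.items():
        set_op, _, op = qualified_op.rpartition(":")  # "" or ForAllValues / ForAnyValue
        for key, allowed in pairs.items():
            allowed, actual = _as_list(allowed), _as_list(ctx.get(key))
            if op == "Null":
                # Null "true" requires the key to be absent from the request context
                if (not actual) != (allowed[0].lower() == "true"):
                    return False
            elif set_op == "ForAllValues":
                # every request value must match; vacuously true when there are none
                if not all(_match(op, a, allowed) for a in actual):
                    return False
            elif set_op == "ForAnyValue":
                # one matching value is enough; the other values go unchecked
                if not any(_match(op, a, allowed) for a in actual):
                    return False
            elif not actual or not _match(op, actual[0], allowed):
                return False  # single-valued key: a missing key never matches
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Decision of one IAM policy: 'Deny' (explicit), 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins over every allow
        decision = "Allow"
    return decision


KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ACCOUNT_KEYS = "arn:aws:kms:*:111122223333:key/*"


def manage_tags_policy(set_operator: str) -> dict:
    """The IAMPolicyManageTags statement from this page with a selectable set operator."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "IAMPolicyManageTags", "Effect": "Allow",
        "Action": ["kms:TagResource", "kms:UntagResource"], "Resource": ACCOUNT_KEYS,
        "Condition": {f"{set_operator}:StringEquals": {"aws:TagKeys": "Project"}}}]}


RESERVED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "IAMAllowCryptographicOperations", "Effect": "Allow", "Resource": ACCOUNT_KEYS,
     "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:Decrypt", "kms:ReEncrypt*"]},
    {"Sid": "IAMDenyOnTag", "Effect": "Deny", "Action": "kms:*", "Resource": ACCOUNT_KEYS,
     "Condition": {"StringEquals": {"aws:ResourceTag/Type": "Reserved"}}},
    {"Sid": "IAMDenyNoTag", "Effect": "Deny", "Action": "kms:*", "Resource": ACCOUNT_KEYS,
     "Condition": {"Null": {"aws:ResourceTag/Type": "true"}}}]}

ALIAS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AliasBasedIAMPolicy", "Effect": "Allow", "Resource": ACCOUNT_KEYS,
    "Action": ["kms:EnableKeyRotation", "kms:DisableKeyRotation", "kms:GetKeyRotationStatus"],
    "Condition": {"ForAnyValue:StringLike": {"kms:ResourceAliases": "alias/restricted*"}}}]}


def demo() -> Dict[str, str]:
    mixed = {"aws:TagKeys": ["Project", "Owner"]}  # tag-resource --tags Project=.. Owner=..
    only = {"aws:TagKeys": ["Project"]}
    return {
        "ForAllValues/Project+Owner": evaluate(manage_tags_policy("ForAllValues"), "kms:TagResource", KEY_ARN, mixed),
        "ForAnyValue/Project+Owner": evaluate(manage_tags_policy("ForAnyValue"), "kms:TagResource", KEY_ARN, mixed),
        "ForAllValues/Project": evaluate(manage_tags_policy("ForAllValues"), "kms:TagResource", KEY_ARN, only),
        "Decrypt/Type=Standard": evaluate(RESERVED_POLICY, "kms:Decrypt", KEY_ARN, {"aws:ResourceTag/Type": "Standard"}),
        "Decrypt/Type=Reserved": evaluate(RESERVED_POLICY, "kms:Decrypt", KEY_ARN, {"aws:ResourceTag/Type": "Reserved"}),
        "Decrypt/no Type tag": evaluate(RESERVED_POLICY, "kms:Decrypt", KEY_ARN, {}),
        "Rotation/restricted alias": evaluate(ALIAS_POLICY, "kms:EnableKeyRotation", KEY_ARN,
                                              {"kms:ResourceAliases": ["alias/restricted-project", "alias/other"]}),
        "Rotation/other alias": evaluate(ALIAS_POLICY, "kms:EnableKeyRotation", KEY_ARN,
                                         {"kms:ResourceAliases": ["alias/other"]}),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:30} {decision}")
```

Running demo() shows the two points the text makes: a TagResource request carrying both Project and Owner is allowed by the ForAnyValue variant and refused by the ForAllValues variant, and a CMK with no Type tag is denied by the Null statement even though the first statement allows kms:Decrypt.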

Enabling and disabling keys

You can disable and re-enable customer managed customer master keys (CMKs). You cannot disable AWS managed CMKs or AWS owned CMKs.

When you create a CMK it is enabled. A disabled CMK cannot be used in any cryptographic operation until you re-enable it; its key state is Disabled (see Key state: Effect on your CMK). Disabling a CMK is a reversible alternative to deleting it: you can re-enable a disabled CMK at any time, but a deleted CMK, and the data it protected, is gone for good (see Deleting customer master keys).

Note
AWS KMS does not rotate the key material of a disabled CMK. Automatic rotation resumes when you re-enable the CMK (see How automatic key rotation works).

Topics
· Enabling and disabling CMKs (console)
· Enabling and disabling CMKs (AWS KMS API)

Enabling and disabling CMKs (console)

In the AWS KMS console you can enable or disable a customer managed CMK.

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys.
4. Select the check box for the CMK that you want to enable or disable.
5. To enable the CMK, choose Key actions, Enable. To disable it, choose Key actions, Disable.

Enabling and disabling CMKs (AWS KMS API)

The EnableKey operation enables a disabled customer master key (CMK). Use the key-id parameter to identify the CMK. These examples use the AWS Command Line Interface (AWS CLI), but you can use any supported programming language.

$ aws kms enable-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

The DisableKey operation disables an enabled CMK. Use the key-id parameter to identify the CMK.

$ aws kms disable-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

Neither operation returns output. To check the state of a CMK, use DescribeKey and look at the Enabled and KeyState fields.

$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "MultiRegion": false,
        "Enabled": false,
        "KeyState": "Disabled",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "CreationDate": 1502910355.475,
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "AWSAccountId": "111122223333",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}

Downloading public keys

You can view, copy and download the public key of an asymmetric CMK in the AWS Management Console or with the GetPublicKey operation of the AWS KMS API. To do so you need kms:GetPublicKey permission on the CMK.

You can use the downloaded public key to encrypt data or verify signatures outside AWS KMS, while the private key never leaves AWS KMS. However, operations performed outside AWS KMS lose the protections that AWS KMS applies, which are explained in Special considerations for downloading public keys.

Topics
· Special considerations for downloading public keys
· Downloading a public key (console)
· Downloading a public key (AWS KMS API)

Special considerations for downloading public keys

When you use an asymmetric CMK within AWS KMS, you benefit from controls that do not apply once the public key is used elsewhere:

· Access control. Key policies, IAM policies and grants determine who can use the public key within AWS KMS; the kms:Encrypt and kms:Verify permissions apply only to requests that AWS KMS receives. Anyone who obtains a downloaded public key can use it with no AWS KMS authorization at all.
· Key usage. AWS KMS enforces the KeyUsage of the CMK. An Encrypt request that names a CMK whose KeyUsage is SIGN_VERIFY fails, and a Sign request that names an ENCRYPT_DECRYPT CMK fails. Outside AWS KMS nothing prevents the same RSA public key from being used for both purposes, which weakens both.
· Algorithm restrictions. AWS KMS allows only the encryption and signing algorithms that are listed for the CMK's key spec, and rejects requests that specify anything else. Outside AWS KMS the key can be used with a weaker padding scheme or digest.
· Logging. Requests that AWS KMS processes are recorded in AWS CloudTrail. Encryption or verification performed with a downloaded public key is not.

For these reasons, where you can, encrypt and verify within AWS KMS and keep the public key there too.

Downloading a public key (console)

You can view, copy and download the public key of an asymmetric CMK in the AWS Management Console. The caller must have kms:GetPublicKey permission on the CMK, provided by the key policy or by an IAM policy.

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys.
4. Choose the alias or key ID of an asymmetric CMK.
5. Choose the Cryptographic configuration tab, then the Public key tab. The fields show the key spec, key usage and supported algorithms of the CMK, together with the public key.
6. To copy the public key to the clipboard, choose Copy. To save it to a file, choose Download.

Downloading a public key (AWS KMS API)

The GetPublicKey operation returns the public key of an asymmetric CMK. The examples use the AWS Command Line Interface (AWS CLI), but you can use any supported programming language.

Use the KeyId parameter to identify the CMK. You can use a key ID, key ARN, alias name or alias ARN. When you use an alias name, prefix it with alias/. To get the public key of a CMK in a different AWS account, you must use its key ARN or alias ARN.

The following example gets the public key of the CMK with the alias example_RSA_3072. The caller needs kms:GetPublicKey permission on that CMK. The PublicKey value is the DER-encoded X.509 SubjectPublicKeyInfo structure, which the AWS CLI shows base64-encoded (truncated here).

$ aws kms get-public-key --key-id alias/example_RSA_3072
{
    "CustomerMasterKeySpec": "RSA_3072",
    "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "EncryptionAlgorithms": [
        "RSAES_OAEP_SHA_1",
        "RSAES_OAEP_SHA_256"
    ],
    "PublicKey": "MIIBojANBgkqhkiG..."
}

Using aliases

An alias is a friendly name for a customer master key (CMK). For example, an alias lets you refer to a CMK as test-key instead of 1234abcd-12ab-34cd-56ef-1234567890ab.

You can use an alias to identify a CMK in the AWS KMS console and in the AWS KMS API operations that accept a key identifier: the cryptographic operations, such as Encrypt and GenerateDataKey, as well as DescribeKey and GetPublicKey.

AWS managed CMKs have aliases of the form aws/<service-name>. For example, aws/dynamodb is the alias of the AWS managed CMK for Amazon DynamoDB.

You can also use aliases to control access to CMKs as part of attribute-based access control (ABAC); see Using aliases to control access to CMKs.

An alias is an independent AWS resource, not a property of a CMK. You can create an alias, change the CMK it refers to, or delete it without changing the CMK. Because of this, aliases make it easier to work with CMKs across Regions and to replace a CMK without changing application code: the application keeps using the alias while you repoint it to a new CMK (see Using aliases in your applications).

AWS KMS provides API operations to create an alias (CreateAlias), list the aliases and alias ARNs in an account and Region (ListAliases), change the CMK an alias refers to (UpdateAlias) and delete an alias (DeleteAlias). For code examples, see Working with aliases.

See also:
· Key identifiers (KeyId), for the identifiers that AWS KMS accepts for a CMK
· Finding the alias name and alias ARN
· Quotas, for the API request quotas that apply to alias operations
· Working with aliases, for code examples

Topics
· About aliases
· Managing aliases
· Using aliases in your applications
· Controlling access to aliases
· Using aliases to control access to CMKs
· Finding the alias name and alias ARN in AWS CloudTrail logs

About aliases

This section explains how aliases work in AWS KMS.

An alias is an independent AWS resource. Each alias is associated with exactly one CMK at a time, but a CMK can have several aliases. Alias names are unique within an account and Region; the alias names in different Regions are independent of each other, as are the aliases in different accounts.

Because the alias is a resource, you can control access to it separately from the CMK: an IAM policy can allow or deny alias operations on particular aliases, and you can use aliases to control access to CMKs (see Controlling access to aliases and Using aliases to control access to CMKs).

AWS KMS supports two alias identifiers:

· Alias ARN: the Amazon Resource Name of the alias. It is unique across all of AWS.

# Alias ARN
arn:aws:kms:us-west-2:111122223333:alias/<alias-name>

· Alias name: the name of the alias with the alias/ prefix. It is unique within an account and Region. In the AWS KMS API the alias name always includes the alias/ prefix; in the AWS KMS console the prefix is added for you.

# Alias name
alias/<alias-name>

One alias, one CMK

An alias is associated with exactly one CMK at a time, which must be in the same account and Region as the alias. You can associate an alias with a customer managed CMK; you cannot create or change the aliases of AWS managed CMKs.

For example, this ListAliases output shows that the test-key alias is associated with one target CMK, given by the TargetKeyId property:

{
    "AliasName": "alias/test-key",
    "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/test-key",
    "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": 1593622000.191,
    "LastUpdatedDate": 1593622000.191
}

One CMK, many aliases

A CMK can have several aliases. The following ListAliases output shows that the test-key and project-key aliases are both associated with the same CMK:

{
    "AliasName": "alias/test-key",
    "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/test-key",
    "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": 1593622000.191,
    "LastUpdatedDate": 1593622000.191
},
{
    "AliasName": "alias/project-key",
    "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/project-key",
    "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": 1516435200.399,
    "LastUpdatedDate": 1516435200.399
}

An alias is unique within an account and Region

An alias name must be unique within an account and Region. For example, you can have only one test-key alias in each Region of an account. Because aliases in different Regions are independent, you can create an alias with the same name in several Regions, each associated with a CMK in its own Region. An application that refers to alias/finance-key then uses the right CMK in whatever Region it runs in, without Region-specific configuration (see Using aliases in your applications).

Updating an alias

You can change the CMK that an alias is associated with with the UpdateAlias operation. For example, if the finance-key alias is associated with CMK 1234abcd-12ab-34cd-56ef-1234567890ab, you can associate it with CMK 0987dcba-09fe-87dc-65ba-ab0987654321 instead; applications that use the alias start using the new CMK with no code change.

The current CMK and the new CMK must be of the same type (both symmetric or both asymmetric) and have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This prevents an alias switch from causing operations that worked on the old CMK to fail on the new one.

An alias can be created only for an existing CMK. CreateKey does not create an alias; call CreateAlias after CreateKey. When a CMK is deleted, AWS KMS deletes its aliases along with it; deleting an alias with DeleteAlias, on the other hand, has no effect on the CMK.

Aliases of AWS managed CMKs

The aliases of AWS managed CMKs have the form alias/aws/<service-name>, for example alias/aws/s3. AWS creates and manages these aliases; you cannot create, change or delete them, and you cannot create your own alias that begins with alias/aws/. You can, however, use them to identify AWS managed CMKs.

Using aliases to identify CMKs

You can use an alias name or alias ARN to identify a CMK in AWS KMS cryptographic operations, DescribeKey and GetPublicKey. An alias name identifies a CMK only in the caller's account and Region; to refer to a CMK in another account (see Allowing users in other accounts to use a CMK), use the alias ARN, which includes the account and Region. For a list of the AWS KMS API operations and the identifiers each one accepts in its KeyId parameter, see Key identifiers (KeyId) and the AWS Key Management Service API Reference.

You cannot use an alias name or alias ARN in the Resource element of an IAM policy to identify a CMK; use the key ARN. You can, however, use aliases in policy conditions: the kms:RequestAlias condition key matches the alias used in the request, and kms:ResourceAliases matches the aliases associated with the CMK. See Using aliases to control access to CMKs and ABAC for AWS KMS.
Managing aliases

Users with the required permissions can create, view, update and delete aliases in the AWS KMS console or with the AWS KMS API.

Topics
· Creating an alias
· Viewing aliases
· Updating aliases
· Deleting an alias

Creating an alias

You can create aliases in the AWS KMS console or with the AWS KMS API.

An alias name must be a string of 1 to 256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_) and dashes (-). The alias name of a customer managed CMK cannot begin with alias/aws/; that prefix is reserved for the aliases of AWS managed CMKs.

An alias name must be unique within the account and Region, but you can associate several aliases with the same CMK. Each alias refers to exactly one CMK.

Creating an alias (console)

When you create a CMK in the AWS KMS console, you must create an alias for it. To add an alias to an existing CMK, use the Aliases tab on the CMK's details page.

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys. You cannot manage the aliases of AWS managed CMKs or AWS owned CMKs.
4. Choose the alias or key ID of the CMK. If the CMK already has several aliases, the Aliases column shows one of them followed by a count of the others, such as (+n). Then choose the Aliases tab.
5. Choose Create alias, enter the alias name, then choose Create alias.

Note
Do not add the alias/ prefix. The console adds it for you. If you enter alias/ExampleAlias, the alias name becomes alias/alias/ExampleAlias.

Creating an alias (AWS KMS API)

To create an alias, use the CreateAlias operation. Unlike the console, the CreateKey operation does not create an alias for a new CMK; call CreateAlias after CreateKey.

You can use CreateAlias to create an alias for a new CMK that has none, or to add an alias to an existing CMK.

In the AWS KMS API, the alias name must include the alias/ prefix, for example alias/ExampleAlias. The alias names that ListAliases returns include the prefix as well.

The TargetKeyId parameter is the key ID or key ARN of a customer managed CMK in the same account and Region as the alias. You cannot use an alias name or alias ARN as the target, and you cannot associate an alias with an AWS managed CMK.

The following example uses the AWS Command Line Interface (AWS CLI) to create the alias example-key for a CMK. For examples in other programming languages, see Working with aliases.

$ aws kms create-alias \
    --alias-name alias/example-key \
    --target-key-id 1234abcd-12ab-34cd-56ef-1234567890ab

CreateAlias returns no output. To verify the new alias, use ListAliases; see Viewing aliases (AWS KMS API).

Viewing aliases

Aliases make it easy to recognize CMKs in the AWS KMS console. You can view the aliases of a CMK in the console or with the ListAliases operation. DescribeKey, which returns the properties of a CMK, does not return its aliases.

Viewing aliases (console)

The Customer managed keys and AWS managed keys pages of the AWS KMS console show the alias of each CMK along with its key ID.

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys or AWS managed keys.
4. The Aliases column shows one alias of each CMK. If a CMK has more than one alias, the column shows a count of the others, such as (+n). To see all aliases of a CMK, with their alias ARNs, choose the CMK's alias or key ID and then choose the Aliases tab. From the Aliases tab you can also create and delete aliases (see Creating an alias and Deleting an alias).

The aliases of AWS managed CMKs always have the form aws/<service-name>. For example, aws/dynamodb is the alias of the AWS managed CMK for Amazon DynamoDB.

Viewing aliases (AWS KMS API)

The ListAliases operation returns the aliases in the account and Region, with the alias ARN of each alias and the key ID of the CMK it refers to (TargetKeyId). The response includes the aliases of AWS managed CMKs, whose names begin with alias/aws/. An AWS managed alias whose CMK has not yet been created in the account appears without a TargetKeyId.

$ aws kms list-aliases
{
    "Aliases": [
        {
            "AliasName": "alias/access-key",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/access-key",
            "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
            "CreationDate": 1516435200.399,
            "LastUpdatedDate": 1516435200.399
        },
        {
            "AliasName": "alias/ECC-P521-Sign",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/ECC-P521-Sign",
            "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
            "CreationDate": 1693622000.704,
            "LastUpdatedDate": 1693622000.704
        },
        {
            "AliasName": "alias/ImportedKey",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/ImportedKey",
            "TargetKeyId": "1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d",
            "CreationDate": 1493622000.704,
            "LastUpdatedDate": 1521097200.235
        },
        {
            "AliasName": "alias/finance-project",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/finance-project",
            "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
            "CreationDate": 1604958290.014,
            "LastUpdatedDate": 1604958290.014
        },
        {
            "AliasName": "alias/aws/dynamodb",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/dynamodb",
            "TargetKeyId": "0987ab65-43cd-21ef-09ab-87654321cdef",
            "CreationDate": 1521097200.454,
            "LastUpdatedDate": 1521097200.454
        },
        {
            "AliasName": "alias/aws/ebs",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/ebs",
            "TargetKeyId": "abcd1234-09fe-ef90-09fe-ab0987654321",
            "CreationDate": 1466518990.200,
            "LastUpdatedDate": 1466518990.200
        }
    ]
}

To get the aliases of a particular CMK, use the KeyId parameter with the CMK's key ID or key ARN. You cannot use an alias as the KeyId value here.

The following example gets the aliases of CMK 0987dcba-09fe-87dc-65ba-ab0987654321.

$ aws kms list-aliases --key-id 0987dcba-09fe-87dc-65ba-ab0987654321
{
    "Aliases": [
        {
            "AliasName": "alias/access-key",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/access-key",
            "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
            "CreationDate": 1516435200.399,
            "LastUpdatedDate": 1516435200.399
        },
        {
            "AliasName": "alias/finance-project",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/finance-project",
            "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
            "CreationDate": 1604958290.014,
            "LastUpdatedDate": 1604958290.014
        }
    ]
}

The KeyId parameter does not accept wildcards, but you can filter the output with the --query parameter of the AWS CLI. For example, the following command lists only the aliases of AWS managed CMKs:

$ aws kms list-aliases --query 'Aliases[?starts_with(AliasName, `alias/aws/`)]'

The following command gets only the access-key alias:

$ aws kms list-aliases --query 'Aliases[?AliasName==`alias/access-key`]'
[
    {
        "AliasName": "alias/access-key",
        "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/access-key",
        "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
        "CreationDate": 1516435200.399,
        "LastUpdatedDate": 1516435200.399
    }
]
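The naming rules for aliases and the shape of the ListAliases response are both things an automation script has to get right before it ever talks to AWS KMS. The following Python module is an added example written for this page, not AWS code: it validates alias names against the rules stated above (the alias/ prefix, the allowed characters, the reserved alias/aws/ prefix; the 256-character limit is applied to the full string including alias/, which is an assumption) and indexes a saved ListAliases response by target CMK, reproducing the two --query filters shown above without calling the API. The response is constructed from the values on this page; its last entry has no TargetKeyId, which is what ListAliases returns for an AWS managed alias whose CMK has not yet been created in the account.

```python
"""Validate alias names and index a ListAliases response offline.

Added example, not AWS code. validate_alias_name applies the rules stated on
this page: the alias/ prefix, 1 to 256 characters from letters, digits, /, _
and -, and the alias/aws/ prefix reserved for AWS managed CMKs (the 256 limit
is applied to the full string including alias/, an assumption).
LIST_ALIASES_RESPONSE is constructed from the values shown on this page.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional

_ALIAS_CHARS = re.compile(r"^[a-zA-Z0-9/_-]+$")


def validate_alias_name(name: str) -> Optional[str]:
    """None if `name` is acceptable to CreateAlias, otherwise the reason it is not."""
    if not name.startswith("alias/"):
        return "alias name must start with alias/ (the API does not add the prefix)"
    if len(name) > 256:
        return "alias name exceeds 256 characters"
    body = name[len("alias/"):]
    if not body:
        return "alias name must have at least one character after alias/"
    if not _ALIAS_CHARS.match(body):
        return "alias name may contain only letters, digits, /, _ and -"
    if body.startswith("aws/"):
        return "alias/aws/ is reserved for the aliases of AWS managed CMKs"
    return None


# Constructed from the ListAliases output above. The last alias has no
# TargetKeyId: an AWS managed alias whose CMK does not exist yet in the account.
LIST_ALIASES_RESPONSE = json.loads("""{ "Aliases": [
  {"AliasName": "alias/access-key", "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/access-key",
   "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"},
  {"AliasName": "alias/ECC-P521-Sign", "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/ECC-P521-Sign",
   "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
  {"AliasName": "alias/finance-project", "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/finance-project",
   "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"},
  {"AliasName": "alias/aws/dynamodb", "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/dynamodb",
   "TargetKeyId": "0987ab65-43cd-21ef-09ab-87654321cdef"},
  {"AliasName": "alias/aws/ebs", "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/ebs"}
]}""")

UNASSOCIATED = "<no TargetKeyId>"


def index_by_target(response: dict) -> Dict[str, List[str]]:
    """Map each TargetKeyId to the alias names that point at it (one CMK, many aliases)."""
    index: Dict[str, List[str]] = defaultdict(list)
    for alias in response["Aliases"]:
        index[alias.get("TargetKeyId", UNASSOCIATED)].append(alias["AliasName"])
    return dict(index)


def aliases_for(response: dict, key_id: str) -> List[str]:
    """Offline equivalent of `aws kms list-aliases --key-id <key_id>`."""
    return index_by_target(response).get(key_id, [])


def aws_managed_aliases(response: dict) -> List[str]:
    """Offline equivalent of --query 'Aliases[?starts_with(AliasName, `alias/aws/`)]'."""
    return [a["AliasName"] for a in response["Aliases"] if a["AliasName"].startswith("alias/aws/")]


if __name__ == "__main__":
    for name in ("alias/example-key", "ExampleAlias", "alias/aws/mykey", "alias/bad name"):
        print(f"{name:20} -> {validate_alias_name(name) or 'ok'}")
    print(index_by_target(LIST_ALIASES_RESPONSE))
```

A script that creates aliases from a configuration file can call validate_alias_name before CreateAlias to reject names the API would refuse, and the missing-TargetKeyId case in index_by_target is the one that trips up code which assumes every alias has a target.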

Updating aliases

Because an alias is an independent resource, you can change the CMK it is associated with. For example, if the test-key alias is associated with one CMK, you can use the UpdateAlias operation to associate it with a different CMK. This is one way to rotate CMKs manually (see Rotating customer master keys) without changing application code: applications keep using the same alias and start using the new CMK. An alias is always associated with exactly one CMK, and you can repoint it as often as you need.

The AWS KMS console does not update aliases; use the UpdateAlias operation of the AWS KMS API.

The current CMK and the new CMK must be of the same type (both symmetric or both asymmetric) and have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). Both must be in the same account and Region as the alias.

The following ListAliases output shows that the test-key alias is currently associated with CMK 1234abcd-12ab-34cd-56ef-1234567890ab.

$ aws kms list-aliases --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "Aliases": [
        {
            "AliasName": "alias/test-key",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/test-key",
            "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
            "CreationDate": 1593622000.191,
            "LastUpdatedDate": 1593622000.191
        }
    ]
}

The following UpdateAlias command associates test-key with CMK 0987dcba-09fe-87dc-65ba-ab0987654321. You specify only the new target CMK, not the current one. UpdateAlias returns no output.

$ aws kms update-alias --alias-name 'alias/test-key' --target-key-id 0987dcba-09fe-87dc-65ba-ab0987654321

To verify the change, use ListAliases. This example uses the --query parameter of the AWS CLI to get only the test-key alias. TargetKeyId and LastUpdatedDate now show the new CMK and the time of the update.

$ aws kms list-aliases --query 'Aliases[?AliasName==`alias/test-key`]'
[
    {
        "AliasName": "alias/test-key",
        "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/test-key",
        "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
        "CreationDate": 1593622000.191,
        "LastUpdatedDate": 1604958290.154
    }
]

Deleting an alias

You can delete an alias in the AWS KMS console or with the DeleteAlias operation. Deleting an alias has no effect on the associated CMK; it removes one of the names that identified the CMK. You cannot undo the deletion, but you can create a new alias with the same name.

Applications that identify the CMK by the deleted alias fail until you create the alias again or change them to use another identifier.

Deleting an alias (console)

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys. You cannot manage the aliases of AWS managed CMKs or AWS owned CMKs.
4. Choose the alias or key ID of the CMK. If the CMK has several aliases, the Aliases column shows one of them followed by a count such as (+n). Then choose the Aliases tab.
5. Select the check box of each alias that you want to delete, then choose Delete.

Deleting an alias (AWS KMS API)

The DeleteAlias operation deletes one alias at a time. The alias name must include the alias/ prefix.

The following example deletes the test-key alias.

$ aws kms delete-alias --alias-name alias/test-key

DeleteAlias returns no output. To verify that the alias is gone, use ListAliases; this example uses the --query parameter of the AWS CLI to ask for the test-key alias. An empty array means no such alias exists.

$ aws kms list-aliases --query 'Aliases[?AliasName==`alias/test-key`]'
[]

Using aliases in your applications

You can use an alias to represent a CMK in your application code. The KeyId parameter of the AWS KMS cryptographic operations, DescribeKey and GetPublicKey accepts an alias name or alias ARN.

When you use an alias name, AWS KMS resolves it to the CMK that has that alias in the caller's account and Region. To identify a CMK in another AWS account, use the alias ARN, which includes the account and Region of the CMK.

For example, the following GenerateDataKey command identifies the CMK by the alias name alias/finance.

$ aws kms generate-data-key --key-id alias/finance --key-spec AES_256

If you have permission to use a CMK in a different AWS account (see Allowing users in other accounts to use a CMK), you can identify it in cryptographic operations, DescribeKey and GetPublicKey by its alias ARN (its key ARN also works). An alias name alone does not work across accounts, because it is resolved in the caller's account. The following command identifies a CMK in account 444455556666 by alias ARN.

$ aws kms generate-data-key --key-id arn:aws:kms:us-west-2:444455556666:alias/ExampleAlias --key-spec AES_256

Aliases are especially useful when the same operation must run in several Regions. Suppose you have an asymmetric RSA CMK for signing in each of three Regions:

· us-west-2: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
· eu-central-1: arn:aws:kms:eu-central-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321
· ap-southeast-1: arn:aws:kms:ap-southeast-1:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d

Create an alias with the same name, alias/new-app, in each Region, each associated with the CMK in that Region. The three aliases are independent resources; changing or deleting one does not affect the others.

aws --region us-west-2 kms create-alias \
    --alias-name alias/new-app \
    --target-key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

aws --region eu-central-1 kms create-alias \
    --alias-name alias/new-app \
    --target-key-id arn:aws:kms:eu-central-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321

aws --region ap-southeast-1 kms create-alias \
    --alias-name alias/new-app \
    --target-key-id arn:aws:kms:ap-southeast-1:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d

The same Sign command then works in any of the three Regions: AWS KMS uses whichever CMK alias/new-app refers to in the Region that receives the request.

aws kms sign --key-id alias/new-app \
    --message "$message" \
    --message-type RAW \
    --signing-algorithm RSASSA_PSS_SHA_384

Before an application uses an alias, its principals need permission to use the CMK the alias refers to; the alias itself does not require permissions for cryptographic operations. See Controlling access to aliases.

Remember that an alias can be repointed to a different CMK (see Updating aliases). Keep kms:UpdateAlias and kms:DeleteAlias permission to the few principals who need them, and where the binding between alias and CMK matters, enforce it in policy with the kms:RequestAlias and kms:ResourceAliases condition keys (see Using aliases to control access to CMKs). Many AWS services that integrate with AWS KMS, and the AWS Encryption SDK, also accept an alias name or alias ARN wherever they take a CMK identifier.

Controlling access to aliases

When you create, update or delete an alias, you affect the alias and its associated CMK. Principals who manage aliases therefore need permission to call the alias operation on the alias and on every affected CMK. You provide alias permissions in key policies, IAM policies and grants; see the notes on each operation below.

Note
Be careful when giving principals permission to manage aliases. Changing an alias can allow or deny access to CMKs when you use attribute-based access control (ABAC). For details, see Using aliases to control access to CMKs.

For a list of all AWS KMS permissions and the resources they apply to, see the AWS KMS API permissions reference.

kms:CreateAlias

To create an alias, the principal needs the following permissions:

· kms:CreateAlias for the alias. Provide this permission in an IAM policy attached to the principal. The Resource element can be a single alias ARN, a pattern such as arn:aws:kms:us-west-2:111122223333:alias/test*, or "*" for every alias in the account and Region. Be aware that a wildcard action such as kms:Create* also grants it.

{
    "Sid": "IAMPolicyForAnAlias",
    "Effect": "Allow",
    "Action": [
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:DeleteAlias"
    ],
    "Resource": "arn:aws:kms:us-west-2:111122223333:alias/test-key"
}

· kms:CreateAlias for the CMK. Provide this permission in the key policy of the CMK, or in an IAM policy if the key policy allows IAM policies to control access to the CMK.

{
    "Sid": "Key policy for 1234abcd-12ab-34cd-56ef-1234567890ab",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSAdminUser"},
    "Action": [
        "kms:CreateAlias",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

You can use condition keys to limit the CMKs that a principal can associate with an alias. For example, the kms:CustomerMasterKeySpec condition key restricts the permission to CMKs of a particular key spec. For details, see kms:CreateAlias in the AWS KMS API permissions reference.

kms:ListAliases

To list the aliases in the account and Region, the principal needs kms:ListAliases in an IAM policy. Because ListAliases does not act on a particular alias or CMK, the Resource element must be "*" (see IAM policy best practices).

The following IAM policy statement allows the principal to list the CMKs and aliases in the account and Region.

{
    "Sid": "ListPermissions",
    "Effect": "Allow",
    "Action": [
        "kms:ListKeys",
        "kms:ListAliases"
    ],
    "Resource": "*"
}

kms:UpdateAlias

To change the CMK that an alias is associated with, the principal needs three permissions: kms:UpdateAlias for the alias, for the CMK that is currently associated with the alias, and for the CMK that will be associated with it.

For example, to change the test-key alias from the CMK with key ID 1234abcd-12ab-34cd-56ef-1234567890ab to the CMK with key ID 0987dcba-09fe-87dc-65ba-ab0987654321, the principal needs the following permissions.

· kms:UpdateAlias for the alias, in an IAM policy. The Resource element can be the alias ARN, a pattern such as "test*" or "*".

{
    "Sid": "IAMPolicyForAnAlias",
    "Effect": "Allow",
    "Action": [
        "kms:UpdateAlias",
        "kms:ListAliases",
        "kms:ListKeys"
    ],
    "Resource": "arn:aws:kms:us-west-2:111122223333:alias/test-key"
}

· kms:UpdateAlias for the currently associated CMK, in its key policy or, if the key policy allows it, in an IAM policy.

{
    "Sid": "Key policy for 1234abcd-12ab-34cd-56ef-1234567890ab",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSAdminUser"},
    "Action": [
        "kms:UpdateAlias",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

· kms:UpdateAlias for the new CMK, in its key policy or, if the key policy allows it, in an IAM policy.

{
    "Sid": "Key policy for 0987dcba-09fe-87dc-65ba-ab0987654321",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSAdminUser"},
    "Action": [
        "kms:UpdateAlias",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

You can use condition keys to limit the CMKs that an UpdateAlias call can associate with an alias. For example, the kms:ResourceAliases condition key restricts the permission to CMKs that already carry particular aliases. For details, see kms:UpdateAlias in the AWS KMS API permissions reference.

kms:DeleteAlias

To delete an alias, the principal needs kms:DeleteAlias for the alias and for the associated CMK.

· kms:DeleteAlias for the alias, in an IAM policy. The Resource element can be the alias ARN, a pattern such as "test*" or "*".

{
    "Sid": "IAMPolicyForAnAlias",
    "Effect": "Allow",
    "Action": [
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:DeleteAlias"
    ],
    "Resource": "arn:aws:kms:us-west-2:111122223333:alias/test-key"
}

· kms:DeleteAlias for the associated CMK, in its key policy or, if the key policy allows it, in an IAM policy.

{
    "Sid": "Key policy for 1234abcd-12ab-34cd-56ef-1234567890ab",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSAdminUser"},
    "Action": [
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:DeleteAlias",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

Limiting alias permissions

When the resource of an alias permission is a CMK, you can limit the permission with AWS KMS condition keys. For example, the following IAM policy statement allows the alias operations only on CMKs whose key usage is ENCRYPT_DECRYPT (kms:CustomerMasterKeyUsage). For the condition keys each operation supports, see the AWS KMS API permissions reference.

{
    "Sid": "IAMPolicyCMKPermissions",
    "Effect": "Allow",
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/*",
    "Action": [
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:DeleteAlias"
    ],
    "Condition": {
        "StringEquals": {
            "kms:CustomerMasterKeyUsage": "ENCRYPT_DECRYPT"
        }
    }
}

When the resource is an alias, you limit the permission with the Resource element of the IAM policy. The following IAM policy statements allow the alias operations on every alias in the account and Region except those whose names begin with Restricted; the explicit Deny wins over the Allow.

{
    "Sid": "IAMPolicyForAnAliasAllow",
    "Effect": "Allow",
    "Action": [
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:DeleteAlias"
    ],
    "Resource": "arn:aws:kms:us-west-2:111122223333:alias/*"
},
{
    "Sid": "IAMPolicyForAnAliasDeny",
    "Effect": "Deny",
    "Action": [
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:DeleteAlias"
    ],
    "Resource": "arn:aws:kms:us-west-2:111122223333:alias/Restricted*"
}
Using aliases to control access to CMKs

You can control access to customer master keys (CMKs) based on the aliases associated with the CMK, using the kms:RequestAlias and kms:ResourceAliases condition keys. This feature is part of AWS KMS support for attribute-based access control (ABAC).

kms:RequestAlias is evaluated against the alias that the request used to identify the CMK. kms:ResourceAliases is evaluated against all aliases associated with the CMK, however the request identified it. Aliases work like tags for this purpose: because several CMKs can have aliases with a common pattern, you can control access to a group of CMKs and change the group by changing aliases, without editing policies.

Note
It might take up to five minutes for a change to the aliases of a CMK to affect the authorization of API requests.

Controlling access with aliases is convenient, but it is also powerful. Use it carefully:

· Use the principle of least privilege. Give principals only the permissions they need, and grant alias-based permission to use CMKs only to principals who need it.
· Give kms:CreateAlias, kms:UpdateAlias and kms:DeleteAlias permission only to trusted principals. Anyone who can change the aliases of a CMK can change who is allowed to use it. The default key policy that the console creates gives these permissions to key administrators; when your policies depend on aliases, make sure those administrators are trusted, and restrict the aliases they can manage with the Resource element of IAM policies.
· Monitor the alias operations in your AWS CloudTrail logs and with CloudWatch alarms, and review ListAliases output regularly to make sure aliases still allow and deny what you intend.

kms:RequestAlias

The kms:RequestAlias condition key is supported in key policies and IAM policies for the operations that accept an alias in their KeyId parameter: the cryptographic operations, DescribeKey and GetPublicKey. It is not evaluated for CreateAlias and DeleteAlias. The condition matches the alias name or alias ARN that the request used.

The following key policy statement allows the alpha-developer role to use the CMK in the listed operations only when the request identifies the CMK by an alias that contains "alpha".

{
    "Sid": "Key policy using a request alias condition",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/alpha-developer"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:RequestAlias": "alias/*alpha*"
        }
    }
}

A request that identifies the CMK by its key ID or key ARN does not satisfy this condition, even when the CMK has a matching alias. The following request, which uses an alias ARN, does satisfy it.

$ aws kms describe-key --key-id "arn:aws:kms:us-west-2:111122223333:alias/project-alpha"

kms:ResourceAliases

The kms:ResourceAliases condition key is supported in IAM policies only. It matches the aliases associated with the CMK, regardless of how the request identified the CMK. Because a CMK can have several aliases, it is a multi-valued condition key and must be used with a set operator (ForAnyValue or ForAllValues).

The following IAM policy allows the key rotation operations on the CMKs in two AWS accounts, but only on CMKs that have at least one alias beginning with restricted.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AliasBasedIAMPolicy",
            "Effect": "Allow",
            "Action": [
                "kms:EnableKeyRotation",
                "kms:DisableKeyRotation",
                "kms:GetKeyRotationStatus"
            ],
            "Resource": [
                "arn:aws:kms:*:111122223333:key/*",
                "arn:aws:kms:*:444455556666:key/*"
            ],
            "Condition": {
                "ForAnyValue:StringLike": {
                    "kms:ResourceAliases": "alias/restricted*"
                }
            }
        }
    ]
}

Because kms:ResourceAliases looks at the aliases of the CMK rather than at the request, both of the following requests satisfy the condition when the CMK has an alias such as alias/restricted-project. The first identifies the CMK by that alias:

$ aws kms enable-key-rotation --key-id "alias/restricted-project"

The second identifies the same CMK by its key ID. It is allowed too, as long as the CMK carries an alias that begins with restricted:

$ aws kms enable-key-rotation --key-id "1234abcd-12ab-34cd-56ef-1234567890ab"
Finding the alias name and alias ARN in AWS CloudTrail logs

When you use an alias to identify a customer master key (CMK) in an AWS KMS API operation, AWS CloudTrail records both identifiers. The alias that the request used appears in the requestParameters field of the event, and the key ARN of the CMK that AWS KMS resolved it to appears in the resources field. This applies to customer managed CMKs and to AWS managed CMKs.

For example, the following GenerateDataKey request identifies the CMK by the project-key alias.

$ aws kms generate-data-key --key-id alias/project-key --key-spec AES_256

In the CloudTrail event for this request, requestParameters.keyId holds the alias and resources[].ARN holds the key ARN of the CMK that was used.

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "ABCDE",
        "arn": "arn:aws:iam::111122223333:role/ProjectDev",
        "accountId": "111122223333",
        "accessKeyId": "FFHIJ",
        "userName": "example-dev"
    },
    "eventTime": "2020-06-29T23:36:41Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "205.205.123.000",
    "userAgent": "aws-cli/1.18.89 Python/3.6.10 Linux/4.9.217-0.1.ac.205.84.332.metal1.x86_64 botocore/1.17.12",
    "requestParameters": {
        "keyId": "alias/project-key",
        "keySpec": "AES_256"
    },
    "responseElements": null,
    "requestID": "d93f57f5-d4c5-4bab-8139-5a1f7824a363",
    "eventID": "d63001e2-dbc6-4aae-90cb-e5370aca7125",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
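Because the alias in requestParameters and the key ARN in resources are both recorded, CloudTrail lets you answer a question the ListAliases API cannot: which CMK did an alias actually resolve to at the time of each request, and did that binding change. The following Python module is an added example written for this page, not AWS code. It extracts both fields from AWS KMS events and reports aliases that resolved to more than one CMK within a set of events, which is what an UpdateAlias looks like from the consumer's side. The events are constructed: the first is the GenerateDataKey event above, the second reuses the same alias after a hypothetical UpdateAlias to the other CMK on this page, and the third names a key ID directly.

```python
"""Resolve the CMK behind an alias in AWS KMS CloudTrail events.

Added example, not AWS code. requestParameters.keyId records the identifier
the caller supplied (an alias name or alias ARN when an alias was used) while
resources[].ARN records the key ARN of the CMK that AWS KMS resolved it to.
EVENTS is constructed from the event shown on this page.
"""
from typing import Dict, Iterable, List, Optional, Set

KEY_A = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"


def _event(name: str, key_id: str, key_arn: str, when: str) -> dict:
    """Build the subset of a CloudTrail KMS event that the functions below read."""
    return {"eventSource": "kms.amazonaws.com", "eventName": name, "eventTime": when,
            "awsRegion": "us-west-2",
            "requestParameters": {"keyId": key_id, "keySpec": "AES_256"},
            "resources": [{"accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": key_arn}]}


EVENTS = [
    _event("GenerateDataKey", "alias/project-key", KEY_A, "2020-06-29T23:36:41Z"),
    # hypothetical: alias/project-key was repointed to KEY_B with UpdateAlias in between
    _event("GenerateDataKey", "alias/project-key", KEY_B, "2020-07-01T10:00:00Z"),
    _event("GenerateDataKey", "0987dcba-09fe-87dc-65ba-ab0987654321", KEY_B, "2020-07-01T10:05:00Z"),
]


def used_key_arn(event: dict) -> Optional[str]:
    """Key ARN of the CMK the operation ran against, from the resources element."""
    for res in event.get("resources") or []:
        if res.get("type") == "AWS::KMS::Key":
            return res.get("ARN")
    return None


def requested_alias(event: dict) -> Optional[str]:
    """The alias the caller used, or None when the request named the CMK directly."""
    key_id = (event.get("requestParameters") or {}).get("keyId") or ""
    if key_id.startswith("alias/") or ":alias/" in key_id:
        return key_id
    return None


def alias_resolutions(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each alias seen in AWS KMS requests to every key ARN it resolved to."""
    seen: Dict[str, Set[str]] = {}
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        alias, arn = requested_alias(ev), used_key_arn(ev)
        if alias and arn:
            seen.setdefault(alias, set()).add(arn)
    return seen


def repointed_aliases(events: Iterable[dict]) -> List[str]:
    """Aliases that resolved to more than one CMK in the window: an UpdateAlias happened."""
    return sorted(alias for alias, arns in alias_resolutions(events).items() if len(arns) > 1)


if __name__ == "__main__":
    for alias, arns in alias_resolutions(EVENTS).items():
        print(alias, "->", sorted(arns))
    print("repointed:", repointed_aliases(EVENTS))
```

Feed it the events from a CloudTrail lookup or an Athena query over your trail and compare the output with the UpdateAlias events in the same window; a repointed alias with no matching UpdateAlias in your own account's trail is worth investigating.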
For more information about how AWS KMS operations are recorded in AWS CloudTrail, see Logging AWS KMS API calls with AWS CloudTrail.
Authentication and access control for AWS KMS

Access to AWS KMS requires credentials that AWS can use to authenticate your requests. The credentials must have permissions to access AWS resources, such as AWS KMS customer master keys (CMKs). The following sections explain how to use AWS Identity and Access Management (IAM) and AWS KMS to help secure your resources by controlling who can access them.

Topics
· Authentication
· Access control

Authentication

You can access AWS as any of the following types of identities:

· AWS account root user. When you create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is the AWS account root user, and you access it by signing in with the email address and password that you used to create the account.
  Important
  We strongly recommend that you do not use the root user for everyday tasks, even administrative ones. Instead, follow the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them only for the few account and service management tasks that require them.
· IAM user. An IAM user is an identity within your AWS account that has specific custom permissions, for example permission to use a CMK. You can use an IAM user name and password to sign in to secure AWS web pages such as the AWS Management Console, the AWS Discussion Forums and the AWS Support Center.
  In addition to a user name and password, you can generate access keys for each user and use them to access AWS services programmatically, through one of the AWS SDKs, the AWS Command Line Interface or the AWS Tools for PowerShell. The SDKs and command line tools use the access keys to cryptographically sign your requests. If you do not use AWS tools, you must sign the requests yourself with Signature Version 4, the protocol for authenticating inbound API requests; see Signing AWS API requests in the Amazon Web Services General Reference.
· IAM role. An IAM role is an identity within your account that has specific permissions but is not associated with a particular person. Anyone who needs the role can assume it and receive temporary security credentials. Roles are useful in the following situations:
  · Federated user access. Instead of creating IAM users, you can use identities from AWS Directory Service, from your enterprise user directory or from a web identity provider. These are federated users; AWS assigns them a role when access is requested through an identity provider. See Federated users and roles in the IAM User Guide.
  · AWS service access. A service role is assumed by an AWS service to perform actions in your account on your behalf. For example, Amazon Redshift can assume a role that allows it to read an Amazon S3 bucket on your behalf and load its data into an Amazon Redshift cluster. See Creating a role to delegate permissions to an AWS service in the IAM User Guide.
  · Applications running on Amazon EC2. Instead of storing access keys on an EC2 instance, you can attach an IAM role to the instance through an instance profile. Applications on the instance then obtain temporary credentials for the role when they call AWS APIs. See Using an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM User Guide.
Access control

You can have valid credentials to authenticate your requests, but unless you also have permissions you cannot create or access AWS KMS resources or use CMKs in cryptographic operations. The following sections describe how to manage permissions for AWS KMS.

Topics
· Overview of managing access to your AWS KMS resources
· Using key policies in AWS KMS
· Using IAM policies with AWS KMS
· AWS KMS API permissions reference
· Condition keys for AWS KMS
· Using grants
· Using service-linked roles
· Determining access to a CMK

AWS KMS also supports Amazon Virtual Private Cloud (Amazon VPC) endpoints. You can connect to AWS KMS from your VPC through an interface endpoint without traversing the public internet, and you can use a VPC endpoint policy, together with the aws:sourceVpce condition key in key policies and IAM policies, to restrict access to your CMKs to requests that arrive through the endpoint. See Connecting to AWS KMS through a VPC endpoint.

Overview of managing access to your AWS KMS resources

Every AWS resource is owned by an AWS account, and permission to create or access a resource is governed by permissions policies. An account administrator can attach permissions policies to IAM identities (users, groups and roles). AWS KMS also supports attaching a permissions policy to the resource itself: the key policy of a CMK.

Note
An account administrator (or administrator user) is a user with administrator permissions. For details, see IAM best practices in the IAM User Guide.

Topics
· AWS KMS resources and operations
· Managing access to AWS KMS CMKs
· Specifying permissions in a policy
· Specifying conditions in a policy

AWS KMS resources and operations

In AWS KMS the primary resource is the customer master key (CMK). AWS KMS also supports the alias, an independent resource that refers to a CMK; see Using aliases. Both resources have Amazon Resource Names (ARNs) in the kms service namespace.

· Customer master key (CMK)

  ARN format:
  arn:<AWS partition name>:<AWS service name>:<AWS Region>:<AWS account ID>:key/<CMK key ID>

  ARN example:
  arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

· Alias

  ARN format:
  arn:<AWS partition name>:<AWS service name>:<AWS Region>:<AWS account ID>:alias/<alias name>

  ARN example:
  arn:aws:kms:us-west-2:111122223333:alias/example-alias
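Code that accepts a KeyId from configuration has to handle all four identifier forms, and it has to know that a bare key ID or alias name is resolved only in the caller's own account and Region. The following Python module is an added example written for this page, not AWS code: it implements the key ARN and alias ARN formats above, the key ID (a UUID, or mrk- followed by 32 hex digits for a multi-Region key) and the alias name (alias/<name>), and encodes the rule, stated elsewhere on this page, that a CMK in another AWS account can only be named by a key ARN or alias ARN. The partition and Region patterns cover the public, China and GovCloud partitions and are an assumption about the shape of Region codes, not an exhaustive list.

```python
"""Parse the identifiers AWS KMS accepts for a CMK.

Added example, not AWS code. Implements the key ARN and alias ARN formats
from this page, the key ID (UUID or mrk-<32 hex> for multi-Region keys) and
the alias name (alias/<name>). The partition and Region patterns are
assumptions about their shape, not an exhaustive list.
"""
import re
from dataclasses import dataclass
from typing import Optional

_KEY_ID = (r"(?:mrk-[0-9a-fA-F]{32}|"
           r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})")
_ALIAS = r"alias/[a-zA-Z0-9/_-]+"
_KEY_ID_RE = re.compile(rf"^{_KEY_ID}$")
_ALIAS_RE = re.compile(rf"^{_ALIAS}$")
_ARN_RE = re.compile(
    rf"^arn:(?P<partition>aws|aws-cn|aws-us-gov):kms:(?P<region>[a-z]{{2}}(?:-[a-z]+)+-\d):"
    rf"(?P<account>\d{{12}}):(?:key/(?P<key_id>{_KEY_ID})|(?P<alias>{_ALIAS}))$"
)


@dataclass(frozen=True)
class KeyIdentifier:
    kind: str                          # key_arn | alias_arn | key_id | alias_name
    partition: Optional[str] = None
    region: Optional[str] = None
    account: Optional[str] = None
    key_id: Optional[str] = None
    alias_name: Optional[str] = None


def parse_key_identifier(value: str) -> KeyIdentifier:
    """Classify a KeyId parameter value; raise ValueError for anything else."""
    m = _ARN_RE.match(value)
    if m:
        if m["key_id"]:
            return KeyIdentifier("key_arn", m["partition"], m["region"], m["account"],
                                 key_id=m["key_id"])
        return KeyIdentifier("alias_arn", m["partition"], m["region"], m["account"],
                             alias_name=m["alias"])
    if _KEY_ID_RE.match(value):
        return KeyIdentifier("key_id", key_id=value)
    if _ALIAS_RE.match(value):
        return KeyIdentifier("alias_name", alias_name=value)
    raise ValueError(f"not a KMS key identifier: {value!r}")


def names_cross_account_key(ident: KeyIdentifier, caller_account: str) -> bool:
    """True when the identifier refers to a CMK owned by an account other than the caller's.

    Bare key IDs and alias names are resolved only in the caller's own account
    and Region, so they can never name another account's CMK; only the two ARN
    forms carry an account ID that can differ from the caller's.
    """
    return ident.kind in ("key_arn", "alias_arn") and ident.account != caller_account


if __name__ == "__main__":
    for value in ("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                  "arn:aws:kms:us-west-2:444455556666:alias/ExampleAlias",
                  "1234abcd-12ab-34cd-56ef-1234567890ab", "alias/finance"):
        ident = parse_key_identifier(value)
        print(ident.kind, "cross-account:", names_cross_account_key(ident, "111122223333"))
```

A deployment tool can run parse_key_identifier on every CMK reference in its configuration and refuse a bare alias name for a key that is supposed to live in another account, instead of discovering the NotFoundException at run time.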
AWS KMS provides a set of API operations to work with these resources. In the AWS KMS console and in the AWS KMS API, you identify a CMK by one of its key identifiers (KeyId); see Key identifiers (KeyId) and the AWS Key Management Service API Reference.

Understanding resource ownership

The AWS account owns the resources that are created in the account, regardless of who created them. Specifically, the resource owner is the AWS account of the principal entity (the root user, an IAM user or an IAM role) that authenticated the request that created the resource. The following examples illustrate this:

· If you use the root user credentials of your AWS account to create a CMK, your AWS account is the owner of the CMK.
· If you create an IAM user in your AWS account and grant that user permission to create a CMK, the user can create a CMK, but your AWS account, to which the user belongs, owns the CMK.
· If you create an IAM role in your AWS account with permission to create a CMK, anyone who can assume the role can create a CMK, and your AWS account owns it.

Managing access to AWS KMS CMKs

Permissions policies describe who has access to what. The following section explains the options for creating permissions policies for AWS KMS.

Note
This section discusses using IAM in the context of AWS KMS. It does not provide detailed information about IAM. For complete IAM documentation, see the IAM User Guide.

Policies attached to an IAM identity are identity-based policies (IAM policies). Policies attached to a resource are resource-based policies; in AWS KMS the resource-based policy is the key policy, and every CMK has one. AWS KMS supports three ways to control access to a CMK:

· Key policies: every CMK has a key policy; it is the primary way to control access to the CMK. See Using key policies in AWS KMS.
· IAM policies: policies attached to users, groups and roles. An IAM policy can control access to a CMK only if the CMK's key policy allows it. See Using IAM policies with AWS KMS.
· Grants: a way to give principals, typically AWS services acting on your behalf, permission to use a CMK in a limited set of operations. See Using grants.

Specifying permissions in a policy

AWS KMS provides a set of API operations. To control access to them, you specify the following in a policy:

· Resource. In an IAM policy, the ARN of the CMK (see AWS KMS resources and operations) or "*" for all CMKs. In a key policy, always "*", which means the CMK to which the policy is attached.
· Action. The API operation to allow or deny, prefixed with kms:, such as kms:Encrypt. See the AWS KMS API permissions reference.
· Effect. Allow or Deny. Access that is not explicitly allowed is denied by default; an explicit Deny overrides any Allow.
· Principal. In a key policy, the identity that receives the permission: an AWS account, an IAM user, an IAM role or an AWS service. In an IAM policy the principal is implicit (the identity the policy is attached to), so you do not specify it.

For more information, see Using key policies in AWS KMS and Using IAM policies with AWS KMS.

Specifying conditions in a policy

You can use condition keys to narrow the circumstances under which a policy statement applies. AWS KMS supports the AWS global condition keys and a set of AWS KMS condition keys; see Condition keys for AWS KMS.

AWS KMS also supports attribute-based access control (ABAC), which lets you control access to CMKs based on their tags and aliases. See ABAC for AWS KMS.
AWS KMS 
 AWS KMS  (CMK)   CMK  1  CMK IAM   (p. 104) (p. 199)CMK  CMK  AWS KMS CMK  (p. 83) 
Topics
·  (p. 85) ·  (p. 86) ·  (p. 94)
JSON  IAM IAM JSON   

 (CMK)  1   CMK IAM  IAM  CMK  
JSON (JavaScript Object Notation)32 KB (p. 531)(32,768  )AWS KMSAWS KMSAPI   (CreateKeyPutKeyPolicy
 AWS  JSON  
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "statement identifier",
    "Effect": "effect",
    "Principal": "principal",
    "Action": "action",
    "Resource": "resource",
    "Condition": {"condition operator": {"condition context key": "context key value"}}
  }]
}
  (p. 86) (p. 100)JSON   IAM IAM JSON  
 Version  2012-10-17 ()  1   6 
· Sid Sid  
·  -- Allow  Deny CMK  CMK   CMK  
·  -- ()    ID  AWS  ()IAM IAM  AWSIAM  
 AWS   CMK    ()  AWS  ()AWS 
Note
  (*)   AWS   CMK  AWS  CMK  IAM  ·  -- API  kms:Encrypt  AWS KMS   AWS KMS API   (p. 126) · Resource --Resource  "*",  CMK  "*" CMK  · Condition  AWS API   (p. 157) 
AWS ()AWSIAM ()IAM 

CMK 
CMK AWS KMSAPI(AWSSDK,AWS Command Line InterfaceAWS Tools for PowerShell) --  CMK 
 AWS KMS   AWS  CMK  IAM  CMK    AWS   IAM  (p. 87)
AWS Management Console  CMK 
CMK AWS Management Console (p. 21)IAM IAM  AWS   CMK     

·  AWS   IAM  (p. 87) · CMK  (p. 88) · CMK  (p. 90)
·  CMK  (p. 92) · AWS  CMK  (p. 93)
 AWS   IAM  
 AWS  CMK  ()  2 
1. CMK .
 AWS   root   CMK CMK   1. CMK 1  IAM  Alice   CMK 
 CMK  2. IAM  Alice 
CMK contactAWS SupportCMK   CMK CMK   AWS  2. IAM  CMK 
 CMK IAM  CMK  CMK  CMK  IAM  
IAM  CMK  AWS   CMK AWS KMS CMK  (p. 83)
 AWS  CMK  IAM CMK  
{
  "Sid": "Enable IAM policies",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "kms:*",
  "Resource": "*"
}
CMK 
 IAM   CMK   (p. 12) CMK 
Warning  AWS KMS CMK   ABAC AWS KMS (p. 114) CMK IAM    CMK 
  Principal  
{
  "Sid": "Allow access for Key Administrators",
  "Effect": "Allow",
  "Principal": {"AWS": [
    "arn:aws:iam::111122223333:user/KMSAdminUser",
    "arn:aws:iam::111122223333:role/KMSAdminRole"
  ]},
  "Action": [
    "kms:Create*",
    "kms:Describe*",
    "kms:Enable*",
    "kms:List*",
    "kms:Put*",
    "kms:Update*",
    "kms:Revoke*",
    "kms:Disable*",
    "kms:Get*",
    "kms:Delete*",
    "kms:TagResource",
    "kms:UntagResource",
    "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion"
  ],
  "Resource": "*"
}

· kms:Create* --  CMK   (p. 199) 
· kms:Describe* --  CMK  AWS Management Console 
· kms:Enable* --  CMK  CMK   CMK  (p. 283)
· kms:List* --  CMK  AWS Management Console CMK  
· kms:Put* --  CMK 
· kms:Update* --  CMK  CMK  
· kms:Revoke* --  CMK    (p. 199)
· kms:Disable* --  CMK  CMK    CMK  (p. 283)
· kms:Get* --  CMK  CMK   CMK (p. 232)  (p. 405) CMK   CMK (p. 232) CMK  (p. 60)
· kms:Delete* --  CMK   (p. 405) CMK   CMK  (p. 393) 
· kms:ImportKeyMaterial --  CMK   CMK  (p. 410) 
Note
· kms:TagResource --  CMK 
· kms:UntagResource --  CMK 
· kms:ScheduleKeyDeletion --   CMK  (p. 393)
· kms:CancelKeyDeletion --  CMK 
 2  (kms:ScheduleKeyDeletion  kms:CancelKeyDeletion) CMK  (p. 21)CMK  [Allow key administrators to delete this key]   CMK  (p. 48) 
 (*)  AWS KMS  API  Create, Describe, Enable, List, Put, Update, Revoke, Disable, Get, Delete   API 
Note
   (p. 102)
CMK 
 CMK  IAM   IAM  AWS  
 2  · CMK  (p. 92) --  CMK 
  (p. 12)  CMK  · CMK AWS (p. 93)-- 2 AWS
AWS KMSCMK  Amazon Simple Storage Service  (p. 508)Amazon DynamoDB   (p. 480)
IAM IAM  AWS  CMK     AWS  CMK   CMK  (p. 120)
  2  Principal   CMK  
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": [
    "arn:aws:iam::111122223333:user/CMKUser",
    "arn:aws:iam::111122223333:role/CMKRole",
    "arn:aws:iam::444455556666:root"
  ]},
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {"AWS": [
    "arn:aws:iam::111122223333:user/CMKUser",
    "arn:aws:iam::111122223333:role/CMKRole",
    "arn:aws:iam::444455556666:root"
  ]},
  "Action": [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
}
 CMK  
CMK  (p. 12) CMK  DescribeKey AWS KMS   AWS KMS API CMK  
AWS KMS   API  CMK   CMK CMK  
 CMK
 CMK 
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:user/CMKUser"},
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:GenerateDataKey*",
    "kms:ReEncrypt*"
  ],
  "Resource": "*"
}
 CMK
[]  CMK  
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:user/CMKUser"},
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:DescribeKey",
    "kms:GetPublicKey"
  ],
  "Resource": "*"
}
 CMK
[]  CMK  
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:user/CMKUser"},
  "Action": [
    "kms:DescribeKey",
    "kms:GetPublicKey",
    "kms:Sign",
    "kms:Verify"
  ],
  "Resource": "*"
}

· kms:Encrypt --  CMK 
· kms:Decrypt --  CMK 
· kms:DescribeKey --   CMK   CMK  AWS KMS 
· kms:GenerateDataKey* --  *  API  GenerateDataKey, GenerateDataKeyWithoutPlaintext, GenerateDataKeyPair,  GenerateDataKeyPairWithoutPlaintext
· kms:GetPublicKey --  CMK  AWS KMS  Decrypt AWS KMS
· kms:ReEncrypt* --  CMK   CMK  ReEncrypt   CMK  CMK  CMK  kms:ReEncryptFrom  CMK  kms:ReEncryptTo   CMK  kms:ReEncrypt* *   
· kms:Sign --  CMK 
· kms:Verify --  CMK 
AWS  CMK  
AWS KMS  AWS  (p. 475)  CMK 
 CMK   (p. 199)  AWS  CMK 
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:user/CMKUser"},
  "Action": [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
}
 CMK 
·  CMK  Amazon Elastic Amazon EBS Amazon Elastic  Amazon EC2 EBS  EC2  CMK   Amazon EC2 Amazon Elastic Block Store (Amazon EBS) AWS KMS (p. 490)
·  CMK  Amazon Redshift  CMK   Amazon Redshift Amazon Redshift AWS KMS (p. 503)
·  CMK   AWS AWS KMS (p. 475) () 
kms:GrantIsForAWSResource (p. 179)   AWS   AWS   CMK  kms:ViaService (p. 191)
 CMK   AWS KMS  AWS  

 CMK   (p. 86)  1 
·  AWS  () 111122223333  CMK   IAM  CMK 
· IAM  KMSAdminUser  IAM  KMSAdminRole  CMK  · IAM  CMKUserIAM  CMKRole AWS  CMK 
444455556666
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-2",
  "Statement": [
    {
      "Sid": "Enable IAM policies",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSAdminUser",
        "arn:aws:iam::111122223333:role/KMSAdminRole"
      ]},
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/CMKUser",
        "arn:aws:iam::111122223333:role/CMKRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/CMKUser",
        "arn:aws:iam::111122223333:role/CMKRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
    }
  ]
}
 
AWS KMS  CMK (p. 4)AWS CMK (p. 4)[] ()AWS Management ConsoleGetKeyPolicyAWS KMSAPI.   CMK  AWS   AWS KMS AWS KMS  (p. 85) CMK the section called " " (p. 212) 
·  () (p. 97) ·  (AWS KMSAPI) (p. 99)
 ()
AWS CMK (p. 4) CMK (p. 4)]  [] AWS Management Console AWS Management Console  CMK  kms:ListAliases, kms:DescribeKey, kms:GetKeyPolicy 
1. AWS Management Console AWS Key Management Service (AWS KMS)  (https://console.aws.amazon.com/kms) 
2. AWS 
3. AWS  [AWS ]   [Customer managed keys ()] 
4. CMK  CMK  ID 
5. []  [  ]   CMK    (p. 86)
CMK AWS Management Console ,, [ ]   (p. 86)
 (AWS KMSAPI)
AWS CMK (p. 4) CMK (p. 4)() AWS   ()GetKeyPolicyAWS KMSAPI.   AWS Command Line Interface(AWS CLI)  AWSSDK
default PolicyName   JSON 
 ID  ID 
$ aws kms get-key-policy --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --policy-name default --output text
 (p. 86)
{
  "Version" : "2012-10-17",
  "Id" : "key-consolepolicy-3",
  "Statement" : [ {
    "Sid" : "Enable IAM policies",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::111122223333:root"
    },
    "Action" : "kms:*",
    "Resource" : "*"
  } ]
}

 (CMK)  AWS  ()AWS Management Console PutKeyPolicy.  CMK   AWS  

· AWS  CMK (p. 4)   CMK (p. 4)   CMK AWS CMK AWS CMK  AWS CMK (p. 5)
· IAM IAM  AWS  ()    (p. 85)
· IAM  IAM   IAM  CMK  (p. 102) 
·  AWS   IAM   IAM   CMK  (p. 120) 
·  32 KB (32,768 ) 
 ·  (p. 101) ·  IAM  CMK  (p. 102)
 3  
 · AWS Management Console  (p. 101) · AWS Management Console  (p. 101) · AWS KMS API  (p. 101)
AWS Management Console 
 
  AWS Management Console   (p. 101)AWS KMS API  (p. 101)
1.  CMK  ( ) (p. 97)AWS 
2. 
·  (p. 88) CMK  (p. 393)  [Key administrators ()]  CMK   (p. 283)CMK 
·  (p. 90) AWS    CMK  []   (p. 12) CMK  
AWS Management Console 

1.  CMK  ( ) (p. 97)AWS 
2. [Key Policy ()] [Switch to policy view ()]  
3. [] 
AWS KMS API 
PutKeyPolicyCMK  AWS    API  CMK  AWS  
1. GetKeyPolicy     (p. 372)
2.  
3. PutKeyPolicy  CMK     (p. 374)
 CMK  CMK GetKeyPolicy ()AWS CLI 
 IAM  CMK 
IAM  IAM  CMK  
·  IAM  
· IAM  CMK  (p. 87) CMK  IAM     IAM  IAM    IAM 
AWS KMS IAM   (p. 216)

AWS Management Console (CMK) (p. 21)IAM IAM  AWS  CMK  CMK  (p. 86) CMK  AWS KMS  
 CMK  CMK   CMK   CMK    
Note
CMK     PutKeyPolicy   
  (p. 103)  
 
AWS Management Console 
1. AWS Management Console AWS Key Management Service (AWS KMS)  (https://console.aws.amazon.com/kms) 
2. AWS 
3. [Customer managed keys ()] 
4.  CMK  ID 
5. [ Key Policy] 
 
A newer version of the default key policy is available. ( ) Preview and upgrade to the new key policy. ( )

 [Key Policy ()]  
A newer version of the default key policy is available. ( ) Preview and upgrade to the new key policy. ( )

1. [Preview and upgrade to the new key policy ( )] 
2.   (p. 103) [Upgrade key policy] 

 (p. 86)  AWS KMS  
 CMK   
kms:TagResource  kms:UntagResource
 CMK  AWS KMS  (p. 49)  kms:ScheduleKeyDeletion  kms:CancelKeyDeletion
 CMK  AWS KMS  CMK  (p. 393) 
Note
kms:ScheduleKeyDeletion  kms:CancelKeyDeletion  CMK  (p. 21)
CMK [Allow key administrators to delete this key]    CMK   CMK 
 IAM AWS KMS
IAM  (p. 85), (p. 199), VPC   (p. 463) (CMK) AWS KMS
Note
IAM  CMK CMK  IAM    IAM  (p. 87)  IAM  AWS KMS. IAM  IAM  
 CMK IAM IAM  CMK CMK  IAM   IAM   (p. 87)
IAM AWS KMS. IAM  CMK AWSIAM  CMK   Create, Key  
AWS KMSAmazon Virtual Private CloudAmazon VPC  VPC AWS KMSVPC  VPC  AWS   CMK  VPC  (p. 463)
JSON  IAM IAM JSON   
 · IAM  (p. 104) · IAM  (p. 105) · IAM  CMK  (p. 107) · AWS KMS  (p. 109) ·  AWS  (p. 109) ·  (p. 110)
IAM 
IAM 
· -- IAM  AWS KMS.
·    -- IAM  IAM ID  EC2  IAM  IAM ()IAM 
IAM AWS KMS IAM ID  CMK 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:ListKeys",
      "kms:ListAliases"
    ],
    "Resource": "*"
  }
}
 IAM  Principal IAM  IAM  IAM    
 AWS KMS API AWS KMS API   (p. 126)
IAM 
AWS KMSCMKAWS AWS KMSCMK   AWS  CMK   (p. 85), IAM    (p. 199),  VPC  (p. 463) 
CMK  IAM  IAM  CMK  

 CMK  CMK  IAM 1  CMK  AWS   kms:PutKeyPolicy  kms:ScheduleKeyDeletion   CreateKey 
 (kms:CreateKey) CMK   CMK     (p. 157) kms:CustomerMasterKeySpec  CMK  IAM  CMK 
 ARN (p. 14) CMK Resource  CMK   Resource  CMK 
"Resource": [
  "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
  "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
]
CMK Resource CMK   AWS  arn:aws:kms:region:account:key/*  (*)  CMK  AWS   arn:aws:kms:*:account:key/*
 ID (p. 14), (p. 14),  ARN (p. 14) CMK ResourceIAM  ARN   CMK  IAM   (p. 73) IAM :*
 (*)  Resource   CMK IAM  Resource ("Resource": "*")  CMK  AWS   CMK AWS  (p. 120) CMK
CMK  AWS   CMK   IAM   AWS  kms:Decrypt CMK  CMK"Resource": "*" kms:Decrypt  IAM  IAM   CMK   CloudTrail 
 API  "Resource": "*" CMK  AWS    · DescribeKey · GetKeyRotationStatus ·  (p. 12)
(Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyWithoutPlaintext, GenerateDa · CreateGrant, ListGrants, ListRetirableGrants, RetireGrant, RevokeGrant :*
IAM  Resource   "Resource": "*"  · KMS:  · KMS:  · kms:ListAliases · KMS:  · KMS:   kms:ConnectCustomKeyStore 

Note
 (kms:CreateAlias, kms:UpdateAlias, kms:DeleteAlias)  CMK IAM  "Resource": "*"  CMK  Resource 
 CMK   (p. 73)
CMK  IAM  AWS KMSAWS Key Management Service  IAM AWSIAM  ()IAM 
IAM  CMK 
IAM  CMK CMK   Resource 
· IAM  CMK  ARN (p. 14)  ID (p. 14), (p. 14),  ARN (p. 14)IAM   CMK 
: "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
 CMK kms:RequestAlias (p. 186) kms:ResourceAliases (p. 187) ABAC  AWS KMS (p. 114)
ARN CreateAlias,UpdateAlias,  DeleteAlias (p. 73) ·  CMK  ARN  ID  *
 CMK  "Resource": "arn:aws:kms:us-west-2:111122223333:key/*"   CMK "Resource": "arn:aws:kms:*:111122223333:key/*"  ·  CMK "*" CMK  CreateKey,GenerateRandom,ListAliases, ListKeys
 (p. 105) CMK   CMK 
 IAM  DescribeKey,GenerateDataKey,Decrypt CMK Resource  ARN  CMK   CMK 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
    ]
  }
}
 CMK  CMK  AWS    ID *  2  CMK  
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:GenerateDataKeyPair"
    ],
    "Resource": [
      "arn:aws:kms:*:111122223333:key/*",
      "arn:aws:kms:*:444455556666:key/*"
    ]
  }
}
Resource  ("*")   CMK  CMK  for Deny   AWS KMS CMK  CMKthe section called "AWS KMS API  " (p. 126)
 Deny  CMK  Resource   CMK 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": [
      "kms:CreateKey",
      "kms:PutKeyPolicy",
      "kms:CreateGrant",
      "kms:ScheduleKeyDeletion"
    ],
    "Resource": "*"
  }
}
 CMK   CMK 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:CreateKey",
      "kms:ListKeys",
      "kms:ListAliases",
      "kms:ListResourceTags"
    ],
    "Resource": "*"
  }
}
AWS KMS 
AWS KMS AWS KMS AWS  AWS KMS IAM   IAM AWS KMS IAM  
AWS KMS   CMK AWS KMSconsole (p. 110) 
 AWS KMS  CMK  AWSKeyManagementServicePowerUser  
 AWS KMS API AWSSDK,AWS Command Line InterfaceAWS Tools for PowerShellAPI  AWS KMS API  (p. 126)
 AWS 
AWS IAM  CMK  CMK   CMK  IAM ID 
Note
  CMK  kms:DescribeKey  CMK   AWS  IAM   (p. 105)  CMK   ABAC AWS KMS (p. 114)
AWSKeyManagementServicePowerUser 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateAlias",
        "kms:CreateKey",
        "kms:DeleteAlias",
        "kms:Describe*",
        "kms:GenerateRandom",
        "kms:Get*",
        "kms:List*",
        "kms:TagResource",
        "kms:UntagResource",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
·  CMK   CMK  
·  CMK   (p. 62)  (p. 49)  ·  ARN 
 (p. 283) CMK  ·  IAM  ·  CMK 
 CMK 
AWSKeyManagementServicePowerUser  IAM  

AWS KMS Important
CMK  AWS KMS API   (p. 126)
JSON  IAM IAM JSON   
 ·  CMK AWS KMSconsole (p. 110) · CMK  (p. 111) ·  CMK  AWS  (p. 112) ·  CMK  AWS    (p. 113) ·  CMK  (p. 113) · CMK  (p. 113)
 CMK AWS KMSconsole
 IAM AWS KMSconsole.  CMK  AWS  CMK  
 CMK AWSKMS: kms:ListAliasesCMK  CMK 
 (kms:DescribeKey, )  iam:ListUsers  iam:ListRoles [ ]    CMK   kms:DescribeCustomKeyStores 
 CMK  CMK  
 2 -Resource  CMK   AWS  AWS KMS  CMK  AWS   AWS KMS IAM "Resource": "*" CMK  
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccessForAllCMKsInAccount",
      "Effect": "Allow",
      "Action": [
        "kms:GetPublicKey",
        "kms:GetKeyRotationStatus",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
        "kms:ListKeyPolicies",
        "kms:ListResourceTags"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    },
    {
      "Sid": "ReadOnlyAccessForOperationsWithNoCMK",
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "kms:ListAliases",
        "iam:ListRoles",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
CMK 
 IAM  CMK CreateKey   AWS KMS  (CMK ) Resource  * 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "kms:CreateKey",
    "Resource": "*"
  }
}

· kms:PutKeyPolicy -- kms:CreateKey CMK   CreateKey CMK  kms:PutKeyPolicy  BypassPolicyLockoutSafetyCheck   CreateKey,  CreateKey IAM  CMK  kms:PutKeyPolicy  CMK  
· kms:TagResource -- CreateKey  CMK  CreateKey   IAM  kms:TagResource  CMK   CreateKey  kms:TagResource CMK 
· kms: -- CMK AWS KMSkms:   CMK  CreateKey   2  CreateAliasIAM   IAM  CMK   (p. 73)
kms:CreateKey IAM kms:TagResource CMK  AWS  kms:CreateAlias IAM 
 IAM  kms:PutKeyPolicy  1  CMK   (p. 105) 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPermissionsForParticularCMKs",
      "Effect": "Allow",
      "Action": "kms:TagResource",
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    },
    {
      "Sid": "IAMPermissionsForParticularAliases",
      "Effect": "Allow",
      "Action": "kms:CreateAlias",
      "Resource": "arn:aws:kms:*:111122223333:alias/*"
    },
    {
      "Sid": "IAMPermissionsForAllCMKs",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey",
        "kms:ListKeys",
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}
 CMK   AWS 
 IAM  AWS  111122223333
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": "arn:aws:kms:*:111122223333:key/*"
  }
}
 CMK   AWS  
 IAM  AWS   ()  111122223333
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:111122223333:key/*"
    ]
  }
}
 CMK  
 IAM  Resource  2  CMK  IAM  CMK CMK   ARN (p. 14) 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
    ]
  }
}
CMK 
 IAM  IAM   CMK 
  (p. 216)
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": [
      "kms:DisableKey",
      "kms:ScheduleKeyDeletion"
    ],
    "Resource": "*"
  }
}
 ABAC AWS KMS
 (ABAC)  AWS KMSCMK  (CMK)  ABAC ABAC  AWS KMS  CMK  
ABAC   CMK    
Notes
ABAC AWS KMS CMK   CMK    CMK  5   API   CMK  CMK Resource Resource CMK  

· .AWS KMS ABAC  CMK   (p. 77) CMK  (p. 56)
· AWS ABAC AWS?AWS()IAM  
 ABAC AWS KMS
 CMK  IAM  
ABAC 
· aws:ResourceTag/tagkey -- CMK -- IAM 
· aws:RequestTag/tagkey --  --  IAM  1
· aws:TagKeys --  --  IAM  1
· kms:ResourceAliases (p. 187) -- CMK -- IAM 
· kms:RequestAlias (p. 186) --  CMK --  IAM  1
AWS KMS  CMK  2
TagResource, UntagResource
TagResource, UntagResource CMK  2
 (p. 12), DescribeKey, GetPublicKey
1 IAM   (p. 87)
2 CMK  CMK CMK  AWS KMS (p. 126) CMK Resources 

·  IAM kms:ResourceAliases CMK   AWS    CMK  ARN  CMK   CMK CMK 
· aws:RequestAlias CMK  EncryptEncrypt CMK  
·  IAM aws:ResourceTag/tag-key CMK   CMK  ARN   CMK CMK CMK 
·  IAM aws:RequestTag/tag-key "Purpose"="Test"CMK 
·  IAM aws:TagKeys CMK  Restricted

ABAC  aws:ResourceTag/tag-key CMK   IAM CMK Purpose=Test  CMK  AWS  
 IAM  Purpose=Test CMK  Purpose=Test CMK   CMK Purpose=Test 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AliasBasedIAMPolicy",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Purpose": "Test"
        }
      }
    }
  ]
}
 CMK   CMK   (p. 55) (p. 76) Purpose=Test CMK   (p. 77) CMK  (p. 56) 
?
AWS KMS ABAC  
AWS  CMK  (p. 531) 


· AWS
Amazon Relational Database ServiceAmazon RDS Amazon Elastic Block Store (Amazon EBS) AWS KMSCMK 
· CMK 
 CMK  AWS    CMK   CMK  

· 
aws:RequestTag/tag-key kms:RequestAlias (p. 186)  CMK  CMK Encrypt KeyIdalias/restricted-key-1  · CMK  ·  CMK  · CMK 
kms:RequestAlias
 ARN  CMK   · 
 AWS   CMK   CMK   (alias/test*  CMK  CMK 
 ABAC AWS KMS
 CMK  

 CMK  CMK  CMK CMK CMK  
 CMK Project=Alpha ( IAM  )
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPolicyWithResourceTag",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:ap-southeast-1:111122223333:key/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Project": "Alpha"
        }
      }
    }
  ]
}
 CMK   CMK AWS CMK  CloudTrail TagResource (p. 323) UntagResource  (p. 323)
CMK  AWS KMS   (p. 55)  CMK  Amazon CloudWatch 

 CMK  CMK  CMK CMK    CMK CMK  
 IAM kms:ResourceAliases (p. 187)  CMK 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AliasBasedIAMPolicy",
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:ResourceAliases": [
            "alias/ProjectAlpha",
            "alias/ProjectAlpha_Test",
            "alias/ProjectAlpha_Dev"
          ]
        }
      }
    }
  ]
}
CloudTrail CreateAlias (p. 299),UpdateAlias (p. 324),  DeleteAlias (p. 303)
CMK   1  CMK  1  CMK   CMK 
  (p. 76)   CMK 

 CMK kms:ResourceAliases (p. 187) AccessDenied CMK CMK  (p. 531) 
CMK  CMK 

CMK  5   API   AWS KMS
 CMK  IAM  "Purpose"="Test""Purpose"="Test" CMK  TagResourceListResourceTags CMK   5 CMK 


 CMK 
DecryptReEncrypt (p. 14) ARN (p. 14)  CMK  IncorrectKeyExceptionNotFoundException KeyIdDestinationKeyId AccessDenied CMK  
CloudTrail CreateAlias (p. 299),UpdateAlias (p. 324),  DeleteAlias (p. 303)LastUpdatedDate ListAliases
ListAliasesProjectAlpha_Test kms:ResourceAliases  CMK   CMK 
$ aws kms list-aliases --query 'Aliases[?starts_with(AliasName, `alias/ProjectAlpha`)]'
{
  "Aliases": [
    {
      "AliasName": "alias/ProjectAlpha_Test",
      "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/ProjectAlpha_Test",
      "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
      "CreationDate": 1566518783.394,
      "LastUpdatedDate": 1605308931.903
    },
    {
      "AliasName": "alias/ProjectAlpha_Restricted",
      "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/ProjectAlpha_Restricted",
      "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
      "CreationDate": 1553410800.010,
      "LastUpdatedDate": 1553410800.010
    }
  ]
}
 CMK   CMK   CMK    CMK 
  CMK   (p. 76)
 CMK  
IAM AWS (CMK)   CMK  IAM  

·  (p. 12) · CreateGrant · DescribeKey · GetKeyRotationStatus · GetPublicKey · ListGrants · RetireGrant · RevokeGrant
 KMS:  IAM KMS:  
 CMK AWS KMS AWS KMS  (p. 126) CMK 
 (p. 126) API AWS Key Management ServiceAPI  
Warning
CMK    CMK CMK CMK   CMK     IAM  (p. 105)
 CMK 2  
· CMK  CMK  CMK  
· IAM    
CMK   IAM CMK  IAM  
 (p. 101)()AWS Management Console CreateKeyPutKeyPolicy. CMK    CMK  (p. 124)
IAM   IAM AWS KMS (p. 104)
 IAM  CMK    2:  CMK   AWS  (p. 220)
AWS KMS CMK AWS CloudTrail  (p. 296) CMK  CMK  
 ·  1:  (p. 121) ·  2:  IAM  (p. 123) ·  CMK  (p. 124) · CMK AWS (p. 125) ·  CMK  (p. 126)
 1:  
CMK CMK  CMK IAM   CMK 
CMK   Principal  Amazon   (ARN) 
 IAM  IAM   
CMK    ()  AWS  ()AWS 
 444455556666  111122223333  CMK   111122223333  CMK   CMK   CMK  444455556666 
{
  "Sid": "Allow an external account to use this CMK",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::444455556666:root"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
  IAM  IAM  ID   CMK IAM   
 ID  IAM  2   ID  CMK  ID  IAM 
Principal   Amazon  (ARN) 
 444455556666  ExampleRole  ExampleUser  111122223333  CMK   CMK  CMK  444455556666 
{
  "Sid": "Allow an external account to use this CMK",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::444455556666:role/ExampleRole",
      "arn:aws:iam::444455556666:user/ExampleUser"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
Note
  (*)   AWS   CMK  AWS  CMK   IAM 
CMK   AWS KMS  (p. 126)
 (p. 12) CMK AWS KMS  AWS  CMK  Key Users  AWS Management Console CMK  (p. 124)
 CMK   (p. 101)()AWS Management ConsoleCreateKeyPutKeyPolicy.
 2:  IAM  
CMK   IAM   CMK CMK IAM  
  IAM  IAM  IAM  CMK 
IAM IAM  IAM  
 IAM  111122223333  CMK    444455556666,  444455556666 
{
  "Sid": "AllowUseOfCMKInAccount111122223333",
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
 · IAM  Principal 
IAM  ID  · IAM  Resource  CMK CMK 
 ARN (p. 14)  Resource  · Resource  CMK Resource  CMK 
 CMK  ·  CMK AWSAWS KMS,
 IAM CMK AWS (p. 125)
IAM  IAM  (p. 104)
 CMK 
CreateKey  CMK  Policy  CMK    (p. 121)    IAM (p. 123)   PutKeyPolicy  AWS Management Console  CMK Key Administrators  Key Users AWS KMS   ID  CMK  Key Users 
 ID  AWS KMS  2   IAM  (p. 123) CMK  
 CMK  
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
2  CMK  AWSAWS KMSCMK   AWS 
 CMK AWS Amazon WorkMail (p. 519) CMK  CMK  AWS (p. 125)
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
  "Action": [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
}
 (p. 101)  PutKeyPolicy    AWS KMS 
CMK AWS
AWS KMS CMK  CMK Amazon S3   (p. 508)AWS Secrets Manager (p. 505)
CMK  IAM  ID  AWS IAM 
 
 CMK 
 CMK  AWS  CMK AWS Management Console,AWSSDKAWS CLI, AWS Tools for PowerShell
 API  CMK   (p. 13)
·  (p. 12),DescribeKey, GetPublicKey ARN (p. 14) ARN (p. 14)CMK  ID 
· CreateGrant,GetKeyRotationStatus,ListGrants, RevokeGrantCMK  ARN  
 ID AWSCMK  CMK 
-AWS KMS CMK   CMK AWS CMK  CMK AWSCMK  ARN  

AWS KMS 
 (p. 82) (p. 85)IAM  (p. 104)
Note
CancelKeyDeletion
kms:CancelKeyDeletion
 IAM   
CMK
AWS KMS 
CMK : kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) KMS:   (p. 183) KMS:   (p. 184) kms:ResourceAliases (p. 187)
ConnectCustomKeyStore IAM 
 kms:ConnectCustomKeyStore
CreateAlias kms:CreateAlias
IAM 
 ( )
   2  kms:CreateAlias  
  (CMK )
·  (IAM  )
· CMK ( )
   (p. 73) 
CreateCustomKeyStore
IAM 
kms:CreateCustomKeyStore
 IAM   
*  CMK
*
AWS KMS 
aws:ResourceTag/tagkey (AWS ) kms:ViaService (p. 191) kms:CallerAccount (p. 162)
 ( )
CMK : kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) KMS:   (p. 183) KMS:   (p. 184) kms:ResourceAliases (p. 187) aws:ResourceTag/tagkey (AWS ) kms:ViaService (p. 191) kms:CallerAccount (p. 162)
CreateGrant kms:CreateGrant
 IAM   
CMK
AWS KMS 
: kms:EncryptionContext:  (p. 175) kms:EncryptionContextKeys (p. 175) : kms:GrantConstraintType (p. 178) kms:GranteePrincipal (p. 181) kms:GrantIsForAWSResource (p. 179) kms:GrantOperations (p. 180) kms:RetiringPrincipal (p. 189) CMK : kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) KMS:   (p. 183) KMS:   (p. 184) kms:ResourceAliases (p. 187) aws:ResourceTag/tagkey (AWS ) kms:ViaService (p. 191)
CreateKey kms:CreateKey
IAM  
 IAM   
*
AWS KMS 
kms:BypassPolicyLockoutSafetyCheck (p. 1 kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) kms:ViaService (p. 191) : aws:RequestTag/tagkey (AWS ) aws:ResourceTag/tagkey (AWS ) aws:TagKeys (AWS  )
Decrypt kms:Decrypt
 IAM   
CMK
AWS KMS 
  kms:EncryptionAlgorithm (p. 166) kms:RequestAlias (p. 186) : kms:EncryptionContext:  (p. 175) kms:EncryptionContextKeys (p. 175) CMK : kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) KMS:   (p. 183) KMS:   (p. 184) kms:ResourceAliases (p. 187) aws:ResourceTag/tagkey (AWS ) kms:ViaService (p. 191)
DeleteAlias kms:DeleteAlias
IAM 
 ( )
   2  kms:DeleteAlias  
  (CMK )
·  (IAM  )
· CMK ( )
   (p. 73) 
DeleteCustomKeyStore
IAM 
kms:DeleteCustomKeyStore
 IAM     CMK
*
AWS KMS 
 ( )
CMK : kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) KMS:   (p. 183) KMS:   (p. 184) kms:ResourceAliases (p. 187) aws:ResourceTag/tagkey (AWS ) kms:ViaService (p. 191) kms:CallerAccount (p. 162)
DeleteImportedKeyMaterial 
 kms:DeleteImportedKeyMaterial
DescribeCustomKeyStores IAM 
 kms:DescribeCustomKeyStores
 IAM    CMK
*
AWS KMS 
CMK : kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) KMS:   (p. 183) KMS:   (p. 184) kms:ResourceAliases (p. 187) aws:ResourceTag/tagkey (AWS ) kms:ViaService (p. 191) kms:CallerAccount (p. 162)
DescribeKey kms:DescribeKey
DisableKey kms:DisableKey
 IAM    CMK
CMK
AWS KMS 
CMK : kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) KMS:   (p. 183) KMS:   (p. 184) kms:ResourceAliases (p. 187) aws:ResourceTag/tagkey (AWS ) kms:ViaService (p. 191) : kms:RequestAlias (p. 186) CMK : kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) KMS:   (p. 183) KMS:   (p. 184) kms:ResourceAliases (p. 187) aws:ResourceTag/tagkey (AWS ) kms:ViaService (p. 191)
DisableKeyRotation
kms:DisableKeyRotation
DisconnectCustomKeyStore IAM 
 kms:DisconnectCustomKeyStore
EnableKey kms:EnableKey
 IAM    CMK
* CMK
AWS KMS 
CMK : kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) KMS:   (p. 183) KMS:   (p. 184) kms:ResourceAliases (p. 187) aws:ResourceTag/tagkey (AWS ) kms:ViaService (p. 191) kms:CallerAccount (p. 162)
CMK : kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) KMS:   (p. 183) KMS:   (p. 184) kms:ResourceAliases (p. 187) aws:ResourceTag/tagkey (AWS ) kms:ViaService (p. 191)
EnableKeyRotation





kms:EnableKeyRotation

 


 IAM   
CMK 

AWS KMS 
CMK : kms:CallerAccount (p. 162) kms:CustomerMasterKeySpec (p. 163) kms:CustomerMasterKeyUsage (p. 164) kms:KeyOrigin (p. 181) KMS:   (p. 183) KMS:   (p. 184) KMS:   (p. 187) aws: ResourceTag/tagkey(AWS ) kms:ViaService (p. 191)

135

Encrypt
  Permission: kms:Encrypt
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: kms:EncryptionAlgorithm (p. 166), kms:RequestAlias (p. 186), kms:EncryptionContext:context-key (p. 168), kms:EncryptionContextKeys (p. 175); CMK condition keys

GenerateDataKey
  Permission: kms:GenerateDataKey
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: kms:EncryptionAlgorithm (p. 166), kms:RequestAlias (p. 186), kms:EncryptionContext:context-key (p. 168), kms:EncryptionContextKeys (p. 175); CMK condition keys

GenerateDataKeyPair
  Permission: kms:GenerateDataKeyPair
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: kms:DataKeyPairSpec (p. 165), kms:EncryptionAlgorithm (p. 166), kms:RequestAlias (p. 186), kms:EncryptionContext:context-key (p. 168), kms:EncryptionContextKeys (p. 175); CMK condition keys

GenerateDataKeyPairWithoutPlaintext
  Permission: kms:GenerateDataKeyPairWithoutPlaintext
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: kms:DataKeyPairSpec (p. 165), kms:EncryptionAlgorithm (p. 166), kms:RequestAlias (p. 186), kms:EncryptionContext:context-key (p. 168), kms:EncryptionContextKeys (p. 175); CMK condition keys

GenerateDataKeyWithoutPlaintext
  Permission: kms:GenerateDataKeyWithoutPlaintext
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: kms:EncryptionAlgorithm (p. 166), kms:RequestAlias (p. 186), kms:EncryptionContext:context-key (p. 168), kms:EncryptionContextKeys (p. 175); CMK condition keys

GenerateRandom
  Permission: kms:GenerateRandom
  Policy type: IAM policy
  Resource: *
  Condition keys: none

GetKeyPolicy
  Permission: kms:GetKeyPolicy
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys

GetKeyRotationStatus
  Permission: kms:GetKeyRotationStatus
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys

GetParametersForImport
  Permission: kms:GetParametersForImport
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: kms:WrappingAlgorithm (p. 195), kms:WrappingKeySpec (p. 196); CMK condition keys

GetPublicKey
  Permission: kms:GetPublicKey
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys; kms:RequestAlias (p. 186)

ImportKeyMaterial
  Permission: kms:ImportKeyMaterial
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys; kms:ExpirationModel (p. 177), kms:ValidTo (p. 190)

ListAliases
  Permission: kms:ListAliases
  Policy type: IAM policy
  Resource: *
  Condition keys: none

ListGrants
  Permission: kms:ListGrants
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys; kms:GrantIsForAWSResource (p. 179)

ListKeyPolicies
  Permission: kms:ListKeyPolicies
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys

ListKeys
  Permission: kms:ListKeys
  Policy type: IAM policy
  Resource: *
  Condition keys: none

ListResourceTags
  Permission: kms:ListResourceTags
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys

ListRetirableGrants
  Permission: kms:ListRetirableGrants
  Policy type: IAM policy
  Resource: *
  Condition keys: none

PutKeyPolicy
  Permission: kms:PutKeyPolicy
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys; kms:BypassPolicyLockoutSafetyCheck (p. 161)

ReEncrypt
  Permissions: kms:ReEncryptFrom, kms:ReEncryptTo
  ReEncrypt requires two permissions, on two CMKs:
  · kms:ReEncryptFrom on the source CMK (the CMK that encrypted the ciphertext)
  · kms:ReEncryptTo on the destination CMK (the CMK that re-encrypts it)
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: kms:EncryptionAlgorithm (p. 166), kms:RequestAlias (p. 186), kms:EncryptionContext:context-key (p. 168), kms:EncryptionContextKeys (p. 175); CMK condition keys; kms:ReEncryptOnSameKey (p. 185)

ReplicateKey
  Permission: kms:ReplicateKey
  To replicate a multi-Region key the caller needs both:
  · kms:ReplicateKey on the primary key (key policy or IAM policy)
  · kms:CreateKey in an IAM policy
  Resource: CMK
  Condition keys: CMK condition keys; kms:ReplicaRegion (p. 188), kms:ResourceAliases (p. 187), aws:ResourceTag/tag-key (AWS global condition key)

RetireGrant
  Permission: kms:RetireGrant
  Policy type: IAM policy. Permission to retire a grant is determined mainly by the grant itself (its retiring principal); see Retiring and revoking grants (p. 210).
  Resource: CMK
  Condition keys: CMK condition keys

RevokeGrant
  Permission: kms:RevokeGrant
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys; kms:GrantIsForAWSResource (p. 179)

ScheduleKeyDeletion
  Permission: kms:ScheduleKeyDeletion
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys

Sign
  Permission: kms:Sign
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: kms:MessageType (p. 183), kms:RequestAlias (p. 186), kms:SigningAlgorithm (p. 190); CMK condition keys

TagResource
  Permission: kms:TagResource
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys; aws:RequestTag/tag-key, aws:TagKeys (AWS global condition keys)

UntagResource
  Permission: kms:UntagResource
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys; aws:RequestTag/tag-key, aws:TagKeys (AWS global condition keys)

UpdateAlias
  Permission: kms:UpdateAlias
  Policy type: IAM policy
  To update an alias, the caller needs kms:UpdateAlias on three resources (see Controlling access to aliases, p. 73):
  · the alias
  · the current CMK (the CMK the alias is associated with now)
  · the new CMK (the CMK the alias will be associated with)
  Resource: alias and CMK
  Condition keys (for the CMKs): CMK condition keys

UpdateCustomKeyStore
  Permission: kms:UpdateCustomKeyStore
  Policy type: IAM policy
  Resource: *
  Condition keys: kms:CallerAccount (p. 162)

UpdateKeyDescription
  Permission: kms:UpdateKeyDescription
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: CMK condition keys

UpdatePrimaryRegion
  Permission: kms:UpdatePrimaryRegion
  Policy type: key policy or IAM policy. The caller needs kms:UpdatePrimaryRegion on the current primary key and on the replica key that becomes the new primary key (p. 249).
  Resource: CMK
  Condition keys: CMK condition keys; kms:PrimaryRegion (p. 184)

Verify
  Permission: kms:Verify
  Policy type: key policy or IAM policy
  Resource: CMK
  Condition keys: kms:MessageType (p. 183), kms:RequestAlias (p. 186), kms:SigningAlgorithm (p. 190); CMK condition keys

Notes
· In the Action element of a policy statement, use the permission (for example kms:Verify), which for AWS KMS has the same name as the API operation.
· For how these permissions are used in IAM policies, see IAM policies (p. 87).

AWS Key Management Service  Resources

AWS KMS resources

In a policy statement, the Resource element names the resource the statement applies to. For AWS KMS there are two kinds of resource values: a customer master key (CMK), and * for operations that are not tied to a particular CMK. In a key policy the Resource element is always "*", because a key policy applies only to the CMK it is attached to; in an IAM policy you identify CMKs by ARN.

Key ARN (p. 14)
The key ARN identifies a CMK and is the resource value for IAM policy statements that control access to a CMK (see the section called "Key ID and key ARN", p. 42). Format and example:

    arn:AWS_partition_name:kms:AWS_Region:AWS_account_ID:key/key_ID
    arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Alias ARN (p. 14)
The alias ARN identifies an alias (see the section called "Alias ARN", p. 43). Format and example:

    arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:alias/alias_name
    arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

* (all resources)
In an IAM policy, "*" in the Resource element means all AWS KMS resources (every CMK in every account and Region the principal can reach). It is required for operations that do not act on a particular CMK, such as kms:CreateKey and kms:ListKeys. To limit such a statement to the CMKs in one account and Region, use a partial ARN with a wildcard resource, arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*.

Condition keys
You can use the Condition element of a key policy or IAM policy to allow or deny an action only when stated conditions are true. AWS KMS supports its own condition keys (p. 159) and the AWS global condition keys. For the policy grammar that IAM evaluates, see IAM (p. 104).
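The two ARN shapes above and the Resource patterns an IAM statement can carry are worth checking by hand, because a pattern scoped to key ARNs (key/*) never matches an alias ARN and a Region-scoped pattern never matches a CMK in another Region. The following script is an added example, not code from the AWS KMS Developer Guide: it parses KMS key and alias ARNs and applies IAM's documented Resource wildcard rule (* spans any run of characters, ? exactly one) locally. The ARNs are constructed sample values in the guide's example account 111122223333; the second key ID and the account 444455556666 are invented for contrast.

```python
"""Added example (not from the AWS KMS Developer Guide): parse AWS KMS ARNs and
match them against IAM Resource patterns. Sample ARNs are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class KmsArn:
    partition: str
    region: str
    account: str
    resource_type: str   # "key" or "alias"
    resource_id: str     # key ID or alias name


def parse_kms_arn(arn: str) -> KmsArn:
    """Split arn:partition:kms:region:account:key/ID or ...:alias/name."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        raise ValueError(f"not an AWS KMS ARN: {arn!r}")
    _, partition, _, region, account, resource = parts
    resource_type, sep, resource_id = resource.partition("/")
    if resource_type not in ("key", "alias") or not sep or not resource_id:
        raise ValueError(f"unknown KMS resource in ARN: {resource!r}")
    return KmsArn(partition, region, account, resource_type, resource_id)


def resource_matches(pattern: str, arn: str) -> bool:
    """IAM Resource matching: '*' matches any run of characters (it crosses ':'
    and '/' boundaries), '?' matches one character, all else matches literally."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None


def matched_resources(pattern: str, arns: list[str]) -> list[str]:
    """The subset of arns that a Resource element equal to pattern covers."""
    return [arn for arn in arns if resource_matches(pattern, arn)]


# Constructed sample resources (example account from the guide, plus contrasts).
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ALIAS_ARN = "arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias"
OTHER_REGION_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
OTHER_ACCOUNT_KEY_ARN = "arn:aws:kms:us-west-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ALL = [KEY_ARN, ALIAS_ARN, OTHER_REGION_KEY_ARN, OTHER_ACCOUNT_KEY_ARN]

# Resource patterns from the text: everything, one account and Region, keys only.
ANY_RESOURCE = "*"
ACCOUNT_REGION = "arn:aws:kms:us-west-2:111122223333:*"
KEYS_IN_ACCOUNT_REGION = "arn:aws:kms:us-west-2:111122223333:key/*"


if __name__ == "__main__":
    for pattern in (ANY_RESOURCE, ACCOUNT_REGION, KEYS_IN_ACCOUNT_REGION, KEY_ARN):
        print(pattern, "->", matched_resources(pattern, ALL))
```

Run it and compare the four pattern lines: the account-and-Region pattern covers the alias ARN as well as the key ARN, which matters when a statement is meant to grant only CMK operations, while key/* excludes aliases and the other Region entirely.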

AWS Key Management Service  AWS global condition keys

Condition keys for AWS KMS
The Condition element of a key policy or IAM policy lets you allow or deny an AWS KMS action only when stated conditions are true. Three groups of condition keys are available:
· AWS global condition keys (p. 158)
· AWS KMS condition keys (p. 159)
· AWS KMS condition keys for AWS Nitro Enclaves (p. 196)

AWS global condition keys
AWS defines global condition keys, a set of policy condition keys available to every AWS service that uses IAM for access control. You can use them in key policies and IAM policies for AWS KMS. For example, aws:PrincipalArn conditions on the Amazon Resource Name (ARN) of the calling principal, and for attribute-based access control (ABAC, p. 114) AWS KMS supports aws:ResourceTag/tag-key, which matches the tags on the CMK.
AWS KMS does not support the following global condition keys:
· aws:SourceAccount
· aws:SourceArn
Global condition keys are defined by AWS, not by AWS KMS; for their full list and semantics, see the IAM User Guide.

Using the IP address condition in policies with AWS KMS permissions
The IP address condition operators and the aws:SourceIp condition key deserve care in any statement that allows or denies AWS KMS operations. Many requests reach AWS KMS not from your address but from an AWS service that uses the CMK on your behalf (p. 475), and those requests carry the service's source address. Topics:
· Using the IP address condition in policies with AWS KMS permissions (p. 158)
· Using VPC endpoint conditions in policies with AWS KMS permissions (p. 159)

Consider this sequence:
1. An IAM policy attached to a user allows AWS KMS operations only when aws:SourceIp is within the organization's IP address range. The same user is also permitted to use Amazon EBS and Amazon EC2.
2. The user attaches an encrypted EBS volume to an EC2 instance.
Step 2 fails. To attach the volume, Amazon EC2 calls AWS KMS to decrypt the volume's encrypted data key, and that request comes from an EC2 IP address, not from the range allowed in step 1. The policy therefore denies the call and the volume cannot be attached.

For the same reason, aws:SourceIp is not the right condition for requests that arrive through an Amazon VPC endpoint for AWS KMS (p. 462): those requests carry a private address from your VPC. Use the aws:sourceVpce or aws:sourceVpc condition keys for them instead.

Using VPC endpoint conditions in policies with AWS KMS permissions
AWS KMS supports Amazon Virtual Private Cloud (Amazon VPC) endpoints (p. 462), powered by AWS PrivateLink. In IAM policies and key policies you can restrict AWS KMS access to requests that come from your VPC or through your VPC endpoint (p. 466), with two global condition keys:
· aws:SourceVpc limits access to requests from the specified VPC.
· aws:SourceVpce limits access to requests that use the specified VPC endpoint.
The caution given for IP addresses (p. 158) applies here too. If a key policy or IAM policy allows operations on a CMK only from a VPC or VPC endpoint, AWS services that use the CMK on your behalf, such as Amazon S3 or Amazon EBS, do not send their requests through your VPC endpoint, so those requests are denied.
AWS KMS condition keys
AWS KMS provides a set of condition keys that you can use in key policies and IAM policies. They are specific to AWS KMS: the kms:EncryptionContext:context-key condition key (p. 168), for example, evaluates the encryption context (p. 17) that only requests to symmetric customer master keys (CMKs) can carry.

Condition keys for API parameters
Many AWS KMS condition keys correspond to a parameter of the API request. For example, kms:CustomerMasterKeySpec (p. 163) matches the CustomerMasterKeySpec parameter of a CreateKey request, so a policy can allow CreateKey only for RSA_4096 keys. When the parameter is optional and the request omits it, the condition is evaluated against the parameter's default value: CustomerMasterKeySpec defaults to SYMMETRIC_DEFAULT, so a CreateKey request without the parameter matches a kms:CustomerMasterKeySpec condition for SYMMETRIC_DEFAULT.

Condition keys for CMK properties
Other condition keys match a property of the CMK. For example, kms:KeyOrigin (p. 181) matches the Origin property, so a key policy or IAM policy can allow GenerateDataKey only on CMKs whose Origin is AWS_KMS. Property condition keys are valid only for operations whose resource is a particular CMK (see Resources, p. 126). They have no meaning for operations such as ListKeys that are not tied to a CMK: a statement that conditions ListKeys on kms:CustomerMasterKeySpec never matches and has no effect.

Using set operators with condition keys
Some AWS KMS condition keys are single-valued, and others are multi-valued and must be used with IAM's ForAnyValue or ForAllValues set operators:
· kms:CallerAccount (p. 162) is single-valued: an API request has exactly one calling AWS account.
· kms:ResourceAliases (p. 187) is multi-valued: a CMK can have several aliases.

Warning
Do not use a set operator (ForAllValues or ForAnyValue) with a single-valued condition key. In particular, ForAllValues with a single-valued key such as kms:EncryptionContext:context-key or aws:RequestTag/tag-key also matches every request that does not contain the key at all, which makes the statement far more permissive than intended. AWS KMS reports such a statement with the following finding: "OverlyPermissiveCondition: Using the ForAllValues set operator with a single-valued condition key matches requests without the specified [encryption context or tag] or with an unspecified [encryption context or tag]. To fix, remove ForAllValues."
ForAnyValue and ForAllValues are IAM features, not specific to AWS KMS; see the IAM User Guide for their definitions.

Topics
· kms:BypassPolicyLockoutSafetyCheck (p. 161) · kms:CallerAccount (p. 162) · kms:CustomerMasterKeySpec (p. 163) · kms:CustomerMasterKeyUsage (p. 164) · kms:DataKeyPairSpec (p. 165) · kms:EncryptionAlgorithm (p. 166) · kms:EncryptionContext:context-key (p. 168) · kms:EncryptionContextKeys (p. 175) · kms:ExpirationModel (p. 177) · kms:GrantConstraintType (p. 178) · kms:GrantIsForAWSResource (p. 179) · kms:GrantOperations (p. 180) · kms:GranteePrincipal (p. 181) · kms:KeyOrigin (p. 181) · kms:MessageType (p. 183) · kms:MultiRegion (p. 183) · kms:MultiRegionKeyType (p. 184) · kms:PrimaryRegion (p. 184) · kms:ReEncryptOnSameKey (p. 185) · kms:RequestAlias (p. 186) · kms:ResourceAliases (p. 187) · kms:ReplicaRegion (p. 188) · kms:RetiringPrincipal (p. 189) · kms:SigningAlgorithm (p. 190) · kms:ValidTo (p. 190) · kms:ViaService (p. 191) · kms:WrappingAlgorithm (p. 195) · kms:WrappingKeySpec (p. 196)
kms:BypassPolicyLockoutSafetyCheck

  Condition type: Boolean
  API operations: CreateKey, PutKeyPolicy
  Policy type: IAM policies (CreateKey); key policies and IAM policies (PutKeyPolicy)

The kms:BypassPolicyLockoutSafetyCheck condition key controls access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request. The safety check stops a caller from installing a key policy that would lock every principal, including the caller, out of the CMK; setting the parameter to true disables that check.

The following example IAM policy denies CreateKey when the BypassPolicyLockoutSafetyCheck parameter is true.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "kms:CreateKey",
    "Resource": "*",
    "Condition": {
      "Bool": {
        "kms:BypassPolicyLockoutSafetyCheck": true
      }
    }
  }
}

You can also use kms:BypassPolicyLockoutSafetyCheck to keep principals from bypassing the check in PutKeyPolicy. Instead of a Deny statement, the following IAM policy uses an Allow statement with the Null condition operator: it allows PutKeyPolicy only when the BypassPolicyLockoutSafetyCheck parameter does not appear in the request. A request that omits the parameter uses its default value, false, so the safety check stays in force.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "kms:PutKeyPolicy",
    "Resource": "*",
    "Condition": {
      "Null": {
        "kms:BypassPolicyLockoutSafetyCheck": true
      }
    }
  }
}

· kms:CustomerMasterKeySpec (p. 163) · kms:KeyOrigin (p. 181) · kms:CustomerMasterKeyUsage (p. 164)
kms:CallerAccount

  Condition type: String
  API operations: all operations whose resource is a CMK (p. 126), and the custom key store operations (p. 421)
  Policy type: key policies and IAM policies

The kms:CallerAccount condition key allows or denies access based on the AWS account ID of the caller. Its value is the account ID of the principal that makes the request, the same account that would be identified in a Principal element; when an AWS service calls AWS KMS on a principal's behalf, it is still the principal's account, not the service's.

Because it identifies an account rather than individual principals, kms:CallerAccount is most useful in key policies. A statement with "Principal": {"AWS": "*"} and a kms:CallerAccount condition applies to every principal in the named account and to no principal outside it. It is valid for all operations whose resource is a CMK (p. 126) and for the custom key store operations (p. 421).

The following key policy statement, of the kind used for a CMK that protects Amazon EBS volumes, allows any principal in AWS account 111122223333 to use the CMK, but only when the request reaches AWS KMS through Amazon EBS, that is, from the Amazon EC2 endpoint in us-west-2 (see kms:ViaService, p. 191). Together the two conditions mean that the principal must be authorized to use Amazon EBS; no other route to the CMK is opened.

{
  "Sid": "Allow access through EBS for all principals in the account that are authorized to use EBS",
  "Effect": "Allow",
  "Principal": {"AWS": "*"},
  "Condition": {
    "StringEquals": {
      "kms:CallerAccount": "111122223333",
      "kms:ViaService": "ec2.us-west-2.amazonaws.com"
    }
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:CreateGrant",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
kms:CustomerMasterKeySpec

  Condition type: String
  API operations: CreateKey (IAM policies only); also usable as a CMK property condition for the operations whose resource is a CMK (p. 126), in key policies and IAM policies

The kms:CustomerMasterKeySpec condition key controls access to operations based on the CustomerMasterKeySpec of the CMK: in CreateKey, the value of the CustomerMasterKeySpec parameter; in the other operations, the CustomerMasterKeySpec property of the CMK.

Because permission to call CreateKey is granted in IAM policies only, use this condition key in an IAM policy to restrict the kinds of CMK a principal can create, for example to RSA CMKs. The following IAM policy statement allows CreateKey only when the CustomerMasterKeySpec parameter is RSA_4096.

{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:CustomerMasterKeySpec": "RSA_4096"
    }
  }
}

For operations that act on an existing CMK, kms:CustomerMasterKeySpec matches the CustomerMasterKeySpec property of that CMK; it is valid in key policies and IAM policies for those operations (p. 126). The following IAM policy statement allows the listed operations only on symmetric CMKs (CustomerMasterKeySpec SYMMETRIC_DEFAULT) in the account and Region named in the Resource element.

{
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:DescribeKey"
  ],
  "Resource": "arn:aws:kms:us-west-2:111122223333:key/*",
  "Condition": {
    "StringEquals": {
      "kms:CustomerMasterKeySpec": "SYMMETRIC_DEFAULT"
    }
  }
}

· kms:BypassPolicyLockoutSafetyCheck (p. 161) · kms:CustomerMasterKeyUsage (p. 164) · kms:DataKeyPairSpec (p. 165) · kms:KeyOrigin (p. 181)

kms:CustomerMasterKeyUsage

  Condition type: String
  API operations: CreateKey (IAM policies only); also usable as a CMK property condition for the operations whose resource is a CMK (p. 126), in key policies and IAM policies

The kms:CustomerMasterKeyUsage condition key controls access to operations based on the KeyUsage of the CMK. In CreateKey it matches the KeyUsage parameter, whose value is ENCRYPT_DECRYPT or SIGN_VERIFY; KeyUsage is optional and defaults to ENCRYPT_DECRYPT, and a CMK that omits it cannot later be changed to SIGN_VERIFY.

The following IAM policy statement allows CreateKey only when the KeyUsage parameter is ENCRYPT_DECRYPT, so the principal cannot create signing CMKs.

{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:CustomerMasterKeyUsage": "ENCRYPT_DECRYPT"
    }
  }
}

For operations that act on an existing CMK, kms:CustomerMasterKeyUsage matches the KeyUsage property of that CMK; it is valid in key policies and IAM policies for those operations (p. 126). The following IAM policy statement allows the listed operations only on CMKs in the account and Region whose KeyUsage is SIGN_VERIFY.

{
  "Effect": "Allow",
  "Action": [
    "kms:CreateGrant",
    "kms:DescribeKey",
    "kms:GetPublicKey",
    "kms:ScheduleKeyDeletion"
  ],
  "Resource": "arn:aws:kms:us-west-2:111122223333:key/*",
  "Condition": {
    "StringEquals": {
      "kms:CustomerMasterKeyUsage": "SIGN_VERIFY"
    }
  }
}

· kms:BypassPolicyLockoutSafetyCheck (p. 161) · kms:CustomerMasterKeySpec (p. 163) · kms:KeyOrigin (p. 181)
kms:DataKeyPairSpec

  Condition type: String
  API operations: GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
  Policy type: key policies and IAM policies

The kms:DataKeyPairSpec condition key controls access to the GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the KeyPairSpec parameter in the request, that is, on the type of data key pair being generated.

The following key policy statement allows ExampleUser to use the CMK to generate only RSA data key pairs: with StringLike, any KeyPairSpec value that begins with RSA matches.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": [
    "kms:GenerateDataKeyPair",
    "kms:GenerateDataKeyPairWithoutPlaintext"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:DataKeyPairSpec": "RSA*"
    }
  }
}

· kms:CustomerMasterKeySpec (p. 163) · kms:EncryptionAlgorithm (p. 166) · kms:EncryptionContext:context-key (p. 168) · kms:EncryptionContextKeys (p. 175)
kms:EncryptionAlgorithm

  Condition type: String
  API operations: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, ReEncrypt
  Policy type: key policies and IAM policies

The kms:EncryptionAlgorithm condition key controls access to the cryptographic operations based on the encryption algorithm named by the EncryptionAlgorithm parameter of the request. When the request does not specify an algorithm, AWS KMS uses SYMMETRIC_DEFAULT, the only algorithm that symmetric CMKs support, and evaluates the condition against that value.

The following key policy statement uses a Deny effect with the StringNotEquals operator to ensure that ExampleRole can use the asymmetric CMK only with the RSAES_OAEP_SHA_256 algorithm. Because it is a Deny in the key policy, it takes precedence over any Allow that the role receives from an IAM policy.

{
  "Sid": "Allow only one encryption algorithm with this asymmetric CMK",
  "Effect": "Deny",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "kms:EncryptionAlgorithm": "RSAES_OAEP_SHA_256"
    }
  }
}

Because symmetric CMKs always use SYMMETRIC_DEFAULT, a condition that requires kms:EncryptionAlgorithm to be SYMMETRIC_DEFAULT limits a principal to symmetric CMKs. The following IAM policy statement denies the listed operations on any CMK in the account and Region unless the algorithm is SYMMETRIC_DEFAULT. The kms:GenerateDataKey* action adds GenerateDataKey, GenerateDataKeyWithoutPlaintext, GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext; the data key pair operations use a symmetric CMK with SYMMETRIC_DEFAULT to encrypt the private key, so they pass this condition.

{
  "Sid": "AllowOnlySymmetricAlgorithm",
  "Effect": "Deny",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*"
  ],
  "Resource": "arn:aws:kms:us-west-2:111122223333:key/*",
  "Condition": {
    "StringNotEquals": {
      "kms:EncryptionAlgorithm": "SYMMETRIC_DEFAULT"
    }
  }
}

· kms:SigningAlgorithm (p. 190)
kms:EncryptionContext:context-key

  Condition type: String
  API operations: CreateGrant, Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, ReEncrypt
  Policy type: key policies and IAM policies

The kms:EncryptionContext:context-key condition key controls access to a symmetric CMK (p. 12) based on the encryption context (p. 17) in a request for a cryptographic operation; for CreateGrant, it evaluates the encryption context in the grant constraint. Use it to require a particular key-value pair, to require a particular value for a key, or to deny requests that carry a particular pair. To control access based only on the keys of the encryption context, use kms:EncryptionContextKeys (p. 175). Only symmetric CMKs support encryption context; for how AWS KMS uses it, see p. 17 and p. 232.

To use this condition key, replace the context-key placeholder with the encryption context key and the context-value placeholder with the value you expect:

"kms:EncryptionContext:context-key": "context-value"

For example, the following condition requires the encryption context pair AppName = ExampleApp:

"kms:EncryptionContext:AppName": "ExampleApp"

kms:EncryptionContext:context-key is a single-valued condition key (p. 160): an encryption context can hold only one value for a given key (one Department, say), so kms:EncryptionContext:Department has exactly one value in any request. Do not use it with the ForAllValues set operator in an Allow statement.

Warning
Do not use a set operator (ForAnyValue or ForAllValues) with the single-valued kms:EncryptionContext:context-key condition key. Because ForAllValues evaluates to true when the key is absent from the request, the statement would also match requests with no encryption context at all. AWS KMS reports such a statement with the following finding: "OverlyPermissiveCondition:EncryptionContext: Using the ForAllValues set operator with a single-valued condition key matches requests without the specified encryption context or with an unspecified encryption context. To fix, remove ForAllValues."

Use a plain string operator, such as StringEquals, instead. The following key policy statement allows RoleForExampleApp to call GenerateDataKey only when the encryption context includes AppName:ExampleApp; other pairs in the encryption context do not affect the result. StringEquals compares the value case-sensitively (see the note on case sensitivity, p. 172).

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:AppName": "ExampleApp"
    }
  }
}

To require an encryption context that consists of exactly the pair AppName=ExampleApp and nothing else, combine kms:EncryptionContext:AppName with the kms:EncryptionContextKeys condition key (p. 175) and the ForAllValues set operator, which requires every encryption context key in the request to appear in the policy's list. ForAllValues is correct here because kms:EncryptionContextKeys is multi-valued; it must still not be applied to the single-valued kms:EncryptionContext:AppName.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::712816755609:user/alice"
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:AppName": "ExampleApp"
    },
    "ForAllValues:StringEquals": {
      "kms:EncryptionContextKeys": [
        "AppName"
      ]
    }
  }
}

You can also use the condition key to deny access. The following key policy statement denies GenerateDataKey to RoleForExampleApp when the encryption context contains Stage=Restricted; requests with another Stage value (Stage=Test, for example) or without a Stage key are not affected by this statement.

{
  "Effect": "Deny",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Stage": "Restricted"
    }
  }
}

Using multiple encryption context pairs

To express conditions on more than one pair, list each pair as its own kms:EncryptionContext:context-key condition key.

Note
Do not use a set operator with kms:EncryptionContext:context-key even when the request contains several pairs (p. 160). In an Allow statement, "ForAllValues:StringEquals": {"kms:EncryptionContext:Department": "IT"} would match an encryption context of Department=IT,Stage=Restricted, but also a request with no Department pair and one with no encryption context at all, and AWS KMS reports it as an OverlyPermissiveCondition. Set operators belong with multi-valued condition keys only.

When two pairs appear in the same condition operator block, both must be present for the condition to be met (a logical AND). The following key policy statement allows RoleForExampleApp to call Decrypt only when the encryption context contains both Department=IT and Project=Alpha.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Department": "IT",
      "kms:EncryptionContext:Project": "Alpha"
    }
  }
}

To allow access when either pair is present (a logical OR), use separate statements. The following two statements together allow GenerateDataKey when the encryption context contains Department=IT or Project=Alpha.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Department": "IT"
    }
  }
},
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Project": "Alpha"
    }
  }
}

To require that the encryption context consist of exactly Department=IT and Project=Alpha, add the kms:EncryptionContextKeys condition key (p. 175) with ForAllValues listing only Department and Project. Again, the set operator is applied only to the multi-valued kms:EncryptionContextKeys, never to kms:EncryptionContext:context-key.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::712816755609:user/alice"
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Department": "IT",
      "kms:EncryptionContext:Project": "Alpha"
    },
    "ForAllValues:StringEquals": {
      "kms:EncryptionContextKeys": [
        "Department",
        "Project"
      ]
    }
  }
}

To deny a request that carries either of two values for the same key, give the kms:EncryptionContext:context-key condition key an array of values; IAM treats the values in an array as alternatives (a logical OR). The following key policy statement denies GenerateDataKey to RoleForExampleApp when the encryption context contains Stage=Restricted or Stage=Production.

{
  "Effect": "Deny",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Stage": [
        "Restricted",
        "Production"
      ]
    }
  }
}

Case sensitivity of the encryption context condition

The encryption context in a Decrypt request must match the encryption context used to encrypt exactly, case included. Policy evaluation is less strict. The kms:EncryptionContext:context-key condition key name, including its context-key part, is not case-sensitive: "kms:EncryptionContext:Appname" matches an encryption context key of AppName. Case sensitivity of the value (context-value) is decided by the condition operator: StringEquals is case-sensitive, StringEqualsIgnoreCase is not.

The following key policy statement therefore allows Decrypt when the encryption context contains an AppName key in any capitalization, as long as its value is exactly ExampleApp.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Appname": "ExampleApp"
    }
  }
}

In contrast, the encryption context keys are the values of the kms:EncryptionContextKeys condition key (p. 175), so the operator decides their case sensitivity. With StringEquals, the following key policy statement matches only an encryption context key spelled exactly AppName.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "kms:EncryptionContextKeys": "AppName"
    }
  }
}

The two condition keys can be combined. In the following statement, the kms:EncryptionContextKeys condition requires a key that is exactly AppName (case-sensitive), and the kms:EncryptionContext:AppName condition requires its value to be exactly ExampleApp.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "kms:EncryptionContextKeys": "AppName"
    },
    "StringEquals": {
      "kms:EncryptionContext:AppName": "ExampleApp"
    }
  }
}

Encryption context values are strings

An encryption context value may look like a number, but AWS KMS treats keys and values alike as strings. Write the value in quotation marks in the condition, exactly as it appears in the request:

"encryptionContext": {
  "department": "10103.0"
}

Using variables in an encryption context condition

Because encryption context keys and values are strings, you can use IAM policy variables, such as aws:CurrentTime and aws:username, as the value of a kms:EncryptionContext:context-key condition.

For example, suppose an application encrypts each user's data with the CMK and an encryption context that names the user:

"encryptionContext": {
  "user": "bob"
}

The following key policy statement allows principals in the TestTeam role to encrypt and decrypt only when the user value in the encryption context equals the name of the calling user, supplied by the ${aws:username} policy variable: bob can use the CMK with "user": "bob" and alice with "user": "alice", but neither can use the other's value.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/TestTeam"
  },
  "Action": [
    "kms:Decrypt",
    "kms:Encrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:user": "${aws:username}"
    }
  }
}

Policy variables derived from a web identity or federated identity work the same way. The following key policy statement uses the sub (subject) identifier that Amazon Cognito assigns to each identity, through the cognito-identity.amazonaws.com:sub policy variable, so that an identity can use the CMK only with an encryption context whose sub pair carries its own identifier.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/TestTeam"
  },
  "Action": [
    "kms:Decrypt",
    "kms:Encrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:sub": "${cognito-identity.amazonaws.com:sub}"
    }
  }
}

· kms:EncryptionContextKeys (p. 175) · kms:GrantConstraintType (p. 178)
kms:EncryptionContextKeys

  Condition type: ArrayOfString
  API operations: CreateGrant, Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, ReEncrypt
  Policy type: key policies and IAM policies

The kms:EncryptionContextKeys condition key controls access to a symmetric CMK based on the keys (not the values) of the encryption context (p. 17) in a request for a cryptographic operation, or, for CreateGrant, in the grant constraint. To control access based on both keys and values, use kms:EncryptionContext:context-key (p. 168). Only symmetric CMKs support encryption context (see p. 17 and p. 232).

Because an encryption context can have several keys, kms:EncryptionContextKeys is a multi-valued condition key (p. 160) and is used with the ForAnyValue or ForAllValues set operator, both IAM features:
· ForAnyValue: at least one encryption context key in the request must match a value in the policy condition.
· ForAllValues: every encryption context key in the request must match a value in the policy condition. ForAllValues also matches a request with no encryption context at all, so use it only when that is acceptable, or combine it with a condition that requires a key.

The following key policy statement uses ForAnyValue to allow Encrypt and the GenerateDataKey* operations only when the encryption context includes an AppName key, whatever its value. A request with the encryption context AppName=Helper,Project=Alpha matches; a request with only Project=Alpha does not.

StringEquals compares the encryption context keys case-sensitively (use StringEqualsIgnoreCase to ignore case), so only a key spelled AppName matches this statement.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": [
    "kms:Encrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "kms:EncryptionContextKeys": "AppName"
    }
  }
}

You can also use kms:EncryptionContextKeys with the Null condition operator to require an encryption context without constraining its keys. When a request has no encryption context, the condition key has no value (it is null), so the following key policy statement allows Encrypt and GenerateDataKey* only when the request includes an encryption context of some kind.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": [
    "kms:Encrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "Null": {
      "kms:EncryptionContextKeys": false
    }
  }
}

· kms:EncryptionContext:context-key (p. 168) · kms:GrantConstraintType (p. 178)
kms:ExpirationModel

  Condition type: String
  API operations: ImportKeyMaterial
  Policy type: key policies and IAM policies

The kms:ExpirationModel condition key controls access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request. ExpirationModel is optional; its values are KEY_MATERIAL_EXPIRES (the default) and KEY_MATERIAL_DOES_NOT_EXPIRE. With KEY_MATERIAL_EXPIRES, the ValidTo parameter, which sets the expiration date and time, is required; with KEY_MATERIAL_DOES_NOT_EXPIRE, ValidTo must be omitted. To control the expiration date itself, use the kms:ValidTo (p. 190) condition key.

The following key policy statement allows ExampleUser to import key material into the CMK only when the ExpirationModel is KEY_MATERIAL_DOES_NOT_EXPIRE.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"
    }
  }
}

You can also use kms:ExpirationModel with the Null condition operator to allow ImportKeyMaterial only when the request omits the ExpirationModel parameter. Because the default is KEY_MATERIAL_EXPIRES, this requires the imported key material to have an expiration date.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "Null": {
      "kms:ExpirationModel": true
    }
  }
}

· kms:ValidTo (p. 190) · kms:WrappingAlgorithm (p. 195) · kms:WrappingKeySpec (p. 196)

kms:GrantConstraintType

  Condition type: String
  API operations: CreateGrant
  Policy type: key policies and IAM policies

The kms:GrantConstraintType condition key controls access to the CreateGrant operation based on the type of grant constraint in the request. A grant can limit the cryptographic operations it permits by encryption context (p. 17) in one of two ways: EncryptionContextEquals, which requires the request's encryption context to match the constraint exactly, or EncryptionContextSubset, which requires only that every pair in the constraint appear in the request's encryption context.

The following key policy statement allows ExampleUser to create grants on the CMK only with an EncryptionContextEquals constraint.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:GrantConstraintType": "EncryptionContextEquals"
    }
  }
}

· kms:EncryptionContext:context-key (p. 168) · kms:EncryptionContextKeys (p. 175) · kms:GrantIsForAWSResource (p. 179) · kms:GrantOperations (p. 180) · kms:GranteePrincipal (p. 181) · kms:RetiringPrincipal (p. 189)
kms:GrantIsForAWSResource

  Condition type: Boolean
  API operations: CreateGrant, ListGrants, RevokeGrant
  Policy type: key policies and IAM policies

The kms:GrantIsForAWSResource condition key allows or denies the CreateGrant, ListGrants and RevokeGrant operations depending on whether an AWS service integrated with AWS KMS, such as Amazon EBS, is calling the operation on the principal's behalf for a resource it protects with the CMK. When the request comes directly from the principal, the condition is false.

The following key policy statement allows ExampleUser to create grants on the CMK only when an AWS service creates the grant on the user's behalf; the user cannot create grants directly. This is the pattern the default key policy uses to let integrated services obtain the permissions they need without giving human users the same power.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": true
    }
  }
}

· kms:GrantConstraintType (p. 178) · kms:GrantOperations (p. 180) · kms:GranteePrincipal (p. 181) · kms:RetiringPrincipal (p. 189)
kms:GrantOperations

  Condition type: ArrayOfString
  API operations: CreateGrant
  Policy type: key policies and IAM policies

The kms:GrantOperations condition key controls access to the CreateGrant operation based on the grant operations (p. 200) named in the request, that is, on which operations the grant (p. 199) will permit.

Because a grant can list several operations, kms:GrantOperations is a multi-valued condition key (p. 160) and is used with the ForAnyValue or ForAllValues set operator, both IAM features:
· ForAnyValue: at least one grant operation in the request must match a value in the policy condition.
· ForAllValues: every grant operation in the request must match a value in the policy condition. ForAllValues also evaluates to true when the request has no Operations value at all, but because Operations is a required parameter of CreateGrant, that case does not arise.

The following key policy statement allows ExampleUser to create grants that permit only the Encrypt and ReEncryptTo operations, alone or together. Because it uses ForAllValues, a grant whose operations include Decrypt or ReEncryptFrom is denied even if it also includes Encrypt.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "ForAllValues:StringEquals": {
      "kms:GrantOperations": [
        "Encrypt",
        "ReEncryptTo"
      ]
    }
  }
}

With ForAnyValue instead, the condition would be met as soon as one of the grant's operations is Encrypt or ReEncryptTo, so a grant that lists Encrypt, ReEncryptTo, Decrypt and ReEncryptFrom would be allowed.

· kms:GrantConstraintType (p. 178) · kms:GrantIsForAWSResource (p. 179) · kms:GranteePrincipal (p. 181) · kms:RetiringPrincipal (p. 189)
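The set-operator rules stated for kms:EncryptionContext:context-key, kms:EncryptionContextKeys and kms:GrantOperations, and the OverlyPermissiveCondition warning above, are easier to trust once they are exercised. The following is an added example, not code from the AWS KMS Developer Guide or from AWS: a small evaluator that models the documented semantics of StringEquals, StringEqualsIgnoreCase, StringLike and Null and of the ForAnyValue/ForAllValues set operators over the condition-key view of a KMS request. It is not the real IAM engine; the requests it evaluates are constructed, and the Condition blocks are the ones shown in the surrounding sections. The key point it makes concrete is that ForAllValues on a single-valued key matches a request with no encryption context at all.

```python
"""Added example, not code from the AWS KMS Developer Guide: a minimal model of
IAM condition evaluation for the AWS KMS condition keys discussed above."""
from __future__ import annotations

from fnmatch import fnmatchcase


def request_context(encryption_context: dict[str, str] | None = None,
                    grant_operations: list[str] | None = None) -> dict[str, list[str]]:
    """Condition-key view of a constructed request. kms:EncryptionContext:<k> is
    single-valued; kms:EncryptionContextKeys and kms:GrantOperations are multi-valued.
    Key names are lower-cased because IAM condition key names are not case-sensitive;
    values keep their case, so the operator decides value case-sensitivity."""
    ctx: dict[str, list[str]] = {}
    if encryption_context:
        for name, value in encryption_context.items():
            ctx[f"kms:encryptioncontext:{name}".lower()] = [value]
        ctx["kms:encryptioncontextkeys"] = list(encryption_context)
    if grant_operations is not None:
        ctx["kms:grantoperations"] = list(grant_operations)
    return ctx


def _match(op: str, request_value: str, policy_values: list[str]) -> bool:
    if op == "StringEquals":
        return request_value in policy_values
    if op == "StringEqualsIgnoreCase":
        return request_value.lower() in {v.lower() for v in policy_values}
    if op == "StringLike":
        return any(fnmatchcase(request_value, v) for v in policy_values)
    raise ValueError(f"operator not modelled: {op}")


def evaluate_condition(condition: dict, ctx: dict[str, list[str]]) -> bool:
    """True when every clause of the Condition block matches the request context."""
    for full_op, clauses in condition.items():
        set_op, _, op = full_op.rpartition(":")       # "ForAllValues:StringEquals"
        for key, wanted in clauses.items():
            policy_values = wanted if isinstance(wanted, list) else [wanted]
            present = ctx.get(key.lower())
            if op == "Null":                          # Null: true means key absent
                if (present is None) != (str(policy_values[0]).lower() == "true"):
                    return False
                continue
            if present is None:
                if set_op == "ForAllValues":          # vacuously true: the pitfall
                    continue
                return False
            if set_op == "ForAnyValue":
                ok = any(_match(op, v, policy_values) for v in present)
            elif set_op == "ForAllValues":
                ok = all(_match(op, v, policy_values) for v in present)
            elif len(present) == 1:
                ok = _match(op, present[0], policy_values)
            else:
                raise ValueError(f"{key} is multi-valued; use ForAnyValue/ForAllValues")
            if not ok:
                return False
    return True


# Condition blocks from the policies shown in the surrounding sections.
OVERLY_PERMISSIVE = {"ForAllValues:StringEquals": {"kms:EncryptionContext:Department": "IT"}}
SINGLE_VALUED = {"StringEquals": {"kms:EncryptionContext:Department": "IT"}}
EXACT_PAIR = {"StringEquals": {"kms:EncryptionContext:AppName": "ExampleApp"},
              "ForAllValues:StringEquals": {"kms:EncryptionContextKeys": ["AppName"]}}
REQUIRE_CONTEXT = {"Null": {"kms:EncryptionContextKeys": False}}
KEYS_EXACT_CASE = {"ForAnyValue:StringEquals": {"kms:EncryptionContextKeys": "AppName"}}
KEYS_ANY_CASE = {"ForAnyValue:StringEqualsIgnoreCase": {"kms:EncryptionContextKeys": "AppName"}}
GRANT_OPS_ALL = {"ForAllValues:StringEquals": {"kms:GrantOperations": ["Encrypt", "ReEncryptTo"]}}
GRANT_OPS_ANY = {"ForAnyValue:StringEquals": {"kms:GrantOperations": ["Encrypt", "ReEncryptTo"]}}


def demo() -> dict[str, bool]:
    """Outcomes a reviewer would check before trusting a policy."""
    no_context = request_context()
    return {
        "forallvalues_matches_empty_context": evaluate_condition(OVERLY_PERMISSIVE, no_context),
        "stringequals_rejects_empty_context": evaluate_condition(SINGLE_VALUED, no_context),
        "exact_pair_rejects_extra_key": evaluate_condition(
            EXACT_PAIR, request_context({"AppName": "ExampleApp", "Project": "Alpha"})),
        "require_context_rejects_empty": evaluate_condition(REQUIRE_CONTEXT, no_context),
        "grant_all_rejects_decrypt": evaluate_condition(
            GRANT_OPS_ALL, request_context(grant_operations=["Encrypt", "Decrypt"])),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first line of the output is the warning in action: the ForAllValues statement allows a request that carries no encryption context, while the plain StringEquals form rejects it. The GrantOperations entries show the same operator semantics applied to a multi-valued key, where ForAllValues is the right choice.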
kms:GranteePrincipal

  Condition type: String
  API operations: CreateGrant
  Policy type: key policies and IAM policies

The kms:GranteePrincipal condition key controls access to the CreateGrant operation based on the value of the GranteePrincipal parameter in the request, that is, on which principal the grant would authorize to use the CMK.

The following key policy statement allows ExampleUser to create grants on the CMK only when the grantee principal is the LimitedAdminRole role.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:GranteePrincipal": "arn:aws:iam::111122223333:role/LimitedAdminRole"
    }
  }
}

· kms:GrantConstraintType (p. 178) · kms:GrantIsForAWSResource (p. 179) · kms:GrantOperations (p. 180) · kms:RetiringPrincipal (p. 189)
kms:KeyOrigin

AWS KMS  
kms:KeyOrigin

 

 

API   

CreateKey

IAM 

CMK  



IAM 

kms:KeyOrigin  CMK Origin  
CreateKeyOrigin ()Origin AWS_KMSAWS_CLOUDHSM EXTERNAL 
 CMK  AWS KMS(AWS_KMSAWS CloudHSM  (p. 421)(AWS_CLOUDHSM (p. 405)  (EXTERNAL).
kms:KeyOrigin CMK  AWS KMS
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:CreateKey", "Resource": "*", "Condition": { "StringEquals": { "kms:KeyOrigin": "AWS_KMS" } }
}
kms:KeyOrigin  CMK Origin  CMK  CMK   CMK CMK  (p. 126) Resources   CMK 
 IAM  CMK   CMK 
{ "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext", "kms:ReEncrypt*" ], "Resource": "arn:aws:kms:us-west-2:111122223333:key/*", "Condition": { "StringEquals": { "kms:KeyOrigin": "AWS_CLOUDHSM" } }
}

· kms:BypassPolicyLockoutSafetyCheck (p. 161) · kms:CustomerMasterKeySpec (p. 163)
· kms:CustomerMasterKeyUsage (p. 164)
kms:MessageType

AWS KMS  



kms:MessageType 

 

API  
Sign
Verify


 IAM 

-kms:MessageTypeSignMessageType MessageType RAW  DIGEST 
kms:MessageType   CMK 
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:Sign", "Resource": "*", "Condition": { "StringEquals": { "kms:MessageType": "RAW" } }
}

· the section called "kms:SigningAlgorithm" (p. 190)
KMS: 

AWS KMS  kms:MultiRegion

 Boolean

API 



CreateKey
CMK  

 IAM  

  (p. 244)-kms:MultiRegionAWS KMS CMK  CreateKeyMultiRegionCMK  true()false() CMK MultiRegion.
 IAM kms:MultiRegion 
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:MultiRegion": false
    }
  }
}
KMS: 

AWS KMS 



kms:MultiRegionKeyType

API 



CreateKey
CMK  

 IAM  

 (p. 249)  (p. 249)-kms:MultiRegionKeyTypeAWS KMS CMK CreateKeyMultiRegionKeyTypeCMK   PRIMARY  REPLICA  CMK MultiRegionKeyType.
kms:MultiRegionKeyType CMK   CMK   CMK  
 IAM kms:MultiRegionKeyType  AWS  
{
  "Effect": "Allow",
  "Action": [ "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ],
  "Resource": "arn:aws:kms:*:111122223333:key/*",
  "Condition": {
    "StringEquals": {
      "kms:MultiRegionKeyType": "REPLICA"
    }
  }
}
 kms:MultiRegionKeyTypeKMS:  (p. 183) 
KMS: 

AWS KMS  kms:PrimaryRegion

  ()

API 



UpdatePrimaryRegion  IAM  

.  AWS   
-kms:PrimaryRegion PrimaryRegion-PrimaryRegion AWS    CMK  (p. 249) (p. 249) 1  AWS  us-east-1ap-southeast-2  (eu-*
kms:PrimaryRegion  CMK  4  
{ "Effect": "Allow", "Action": "kms:UpdatePrimaryRegion", "Principal": { "AWS": "arn:aws:iam::111122223333:role/Developer" }, "Resource": "*", "Condition": { "StringEquals": { "kms:PrimaryRegion": [ "us-east-1", "us-west-2", "eu-west-3", "ap-southeast-2" ] } }
}
kms:ReEncryptOnSameKey

AWS KMS  



kms:ReEncryptOnSameKey

Boolean

 

API  
ReEncrypt


 IAM 

  CMK  ReEncrypt 
kms:ReEncryptOnSameKey  CMK 
{
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
  "Action": "kms:ReEncrypt*",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:ReEncryptOnSameKey": true
    }
  }
}
KMS: 

AWS KMS  



kms:RequestAlias ()

 

API  
  (p. 12)
DescribeKey
GetPublicKey


 IAM 

 CMK  -kms:RequestAlias CMK  GetPublicKey, DescribeKeyalias (p. 62)  CMK GenerateRandom  CMK  CMK  
 (p. 114)(ABAC)AWS KMSCMK   CMK   CMK  ABAC AWS KMS (p. 114)
 (p. 14)alias/project-alpha  (alias/*test* ARN (p. 14) 
KeyId ARN   (p. 13) CMK  
GenerateDataKey CMK  KeyIdalias/finance-key ARN ()arn:aws:kms:us-west-2:111122223333:alias/finance-key
{ "Sid": "Key policy using a request alias condition", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/developer" }, "Action": "kms:GenerateDataKey", "Resource": "*", "Condition": { "StringEquals": { "kms:RequestAlias": "alias/finance-key" } }
}
 CreateAliasDeleteAlias  (p. 73)

KMS: 

AWS KMS  



kms:ResourceAliases  ()

 

API   
CMK  IAM  

CMK  (p. 62)CMK   CMK  CMK  CMK   (p. 126) Resources   CMK 
 AWS   Region   CMK  (StringLike AWS     ABAC AWS KMS (p. 114)
Note
-KMS:  (p. 187)CMK CMK   (p. 531). CMK kms:ResourceAliases CMK 
 (p. 14)alias/project-alpha  (alias/*test* ARN (p. 14)  CMK  CMK  
CMK  ForAnyValue ForAllValuesset set  IAM 
· ForAnyValue: CMK  1  CMK  
· ForAllValues: CMK   set CMK  
 IAM GenerateDataKey CMK   AWS  finance-key.  CMK  CMK alias/finance-key ForAnyValue
kms:ResourceAliases GenerateDataKey CMK finance-key  ID (p. 14) ARN (p. 14) CMK 
{
  "Sid": "AliasBasedIAMPolicy",
  "Effect": "Allow",
  "Action": "kms:GenerateDataKey",
  "Resource": [
    "arn:aws:kms:*:111122223333:key/*",
    "arn:aws:kms:*:444455556666:key/*"
  ],
  "Condition": {
    "ForAnyValue:StringEquals": {
      "kms:ResourceAliases": "alias/finance-key"
    }
  }
}
 IAM CMK  CMK Test 2  ForAllValuesset CMKTest ForAnyValueset CMK Test 1  ForAnyValue CMK  
{
  "Sid": "AliasBasedIAMPolicy",
  "Effect": "Allow",
  "Action": [ "kms:EnableKey", "kms:DisableKey" ],
  "Resource": "arn:aws:kms:*:111122223333:key/*",
  "Condition": {
    "ForAllValues:StringLike": {
      "kms:ResourceAliases": "alias/*Test*"
    },
    "ForAnyValue:StringLike": {
      "kms:ResourceAliases": "alias/*Test*"
    }
  }
}
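The ForAnyValue / ForAllValues semantics described for kms:GrantOperations above and for kms:ResourceAliases here are easy to get wrong, in particular the fact that ForAllValues is satisfied when the request carries no value for the key at all. The following is an added illustration, not code from the AWS KMS Developer Guide or from AWS: a small model of the IAM set operators (StringEquals, StringLike with wildcards, and the two set prefixes) run over the guide's own condition blocks. The policy fragments are constructed from the examples on this page; the evaluator models only the subset of IAM semantics needed to show the point.

```python
"""Model of IAM multivalued condition operators as they apply to
kms:GrantOperations and kms:ResourceAliases.

Added illustration, not code from the AWS KMS Developer Guide. Only
StringEquals, StringLike (with * and ? wildcards) and the ForAnyValue /
ForAllValues set prefixes are modelled.
"""
import fnmatch
from typing import Dict, Iterable, List


def _match(operator: str, pattern: str, value: str) -> bool:
    """Base string operator. StringLike treats * and ? as wildcards."""
    if operator == "StringEquals":
        return pattern == value
    if operator == "StringLike":
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"unsupported operator {operator}")


def evaluate_condition_key(qualified_operator: str, policy_values, request_values: Iterable[str]) -> bool:
    """Evaluate one condition key against the values the request carries.

    ForAnyValue:  true if at least one request value matches a policy value.
    ForAllValues: true if every request value matches a policy value, and
                  vacuously true when the request carries no value at all
                  (all([]) is True). This is why the alias example on the
                  page pairs ForAllValues with ForAnyValue.
    No prefix:    treated here as requiring exactly one matching value.
    """
    if ":" in qualified_operator:
        set_op, base_op = qualified_operator.split(":", 1)
    else:
        set_op, base_op = None, qualified_operator
    if isinstance(policy_values, str):
        policy_values = [policy_values]
    request_values = list(request_values)

    def matches(v: str) -> bool:
        return any(_match(base_op, p, v) for p in policy_values)

    if set_op == "ForAnyValue":
        return any(matches(v) for v in request_values)
    if set_op == "ForAllValues":
        return all(matches(v) for v in request_values)
    return len(request_values) == 1 and matches(request_values[0])


def condition_allows(condition: Dict[str, Dict[str, object]], request: Dict[str, List[str]]) -> bool:
    """A Condition block is satisfied only if every operator and every key
    inside it evaluates true."""
    for qualified_operator, keys in condition.items():
        for key, policy_values in keys.items():
            if not evaluate_condition_key(qualified_operator, policy_values, request.get(key, [])):
                return False
    return True


# Constructed from the guide's kms:GrantOperations example.
GRANT_OPS_ALL = {"ForAllValues:StringEquals": {"kms:GrantOperations": ["Encrypt", "ReEncryptTo"]}}
GRANT_OPS_ANY = {"ForAnyValue:StringEquals": {"kms:GrantOperations": ["Encrypt", "ReEncryptTo"]}}

# Constructed from the guide's kms:ResourceAliases example; ALIAS_ALL_ONLY drops
# the ForAnyValue half to show why the guide combines both operators.
ALIAS_BOTH = {
    "ForAllValues:StringLike": {"kms:ResourceAliases": "alias/*Test*"},
    "ForAnyValue:StringLike": {"kms:ResourceAliases": "alias/*Test*"},
}
ALIAS_ALL_ONLY = {"ForAllValues:StringLike": {"kms:ResourceAliases": "alias/*Test*"}}
```

With ALIAS_ALL_ONLY, a CMK that has no alias at all satisfies the condition; with ALIAS_BOTH it does not, because ForAnyValue needs at least one matching alias. Likewise GRANT_OPS_ALL rejects a CreateGrant request whose Operations include Decrypt alongside Encrypt, while GRANT_OPS_ANY accepts it.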
KMS: 

AWS KMS  kms:ReplicaRegion

  ()

API  ReplicateKey


 IAM  

 AWS    (p. 244)-kms:ReplicaRegion  AWS   (p. 249)
1  AWS  us-east-1ap-southeast-2 eu-* AWS  thatAWS KMS AWS Key Management Service()AWS
kms:ReplicaRegion ReplicaRegion  1 


{
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::111122223333:role/Administrator" },
  "Action": "kms:ReplicateKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ReplicaRegion": [ "us-east-1", "eu-west-3", "ap-southeast-2" ]
    }
  }
}
.  KMS:  (p. 184)
kms:RetiringPrincipal

AWS KMS  



kms:RetiringPrincipal ()

 

API  
CreateGrant


 IAM 

CreateGrantRetiringPrincipal CreateGrant  RetiringPrincipal  RetiringPrincipal  CMK 
CMK  kms:RetiringPrincipal CreateGrant   LimitedAdminRole  OpsAdmin  
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "StringEquals": { "kms:RetiringPrincipal": [ "arn:aws:iam::111122223333:role/LimitedAdminRole", "arn:aws:iam::111122223333:user/OpsAdmin" ] } }
}

· kms:GrantConstraintType (p. 178)


· kms:GrantIsForAWSResource (p. 179) · kms:GrantOperations (p. 180) · kms:GranteePrincipal (p. 181)
kms:SigningAlgorithm

AWS KMS  



kms:SigningAlgorithm

 

API  
Sign
Verify


 IAM 

kms:SigningAlgorithmSign SigningAlgorithmAWS KMS  CMK  AWS KMS   
 RSASSA_PSS  RSASSA_PSS_SHA512 testers   CMK 
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/testers" }, "Action": "kms:Sign", "Resource": "*", "Condition": { "StringLike": { "kms:SigningAlgorithm": "RSASSA_PSS*" } }
}

· kms:EncryptionAlgorithm (p. 166) · the section called "kms:MessageType" (p. 183)
kms:ValidTo

AWS KMS  
kms:ValidTo

 

 

API   
ImportKeyMaterial  IAM 

kms:ValidTo  ValidTo ImportKeyMaterial  
Unix 

ValidTo  ImportKeyMaterial  ExpirationModel  KEY_MATERIAL_DOES_NOT_EXPIRE,  ValidTo  kms:ExpirationModel (p. 177) ExpirationModel  
 CMK  kms:ValidTo ImportKeyMaterial  ValidTo  1546257599.0 (2018  12  31   11:59:59) 
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:ImportKeyMaterial", "Resource": "*", "Condition": { "NumericLessThanEquals": { "kms:ValidTo": "1546257599.0" } }
}

· kms:ExpirationModel (p. 177) · kms:WrappingAlgorithm (p. 195) · kms:WrappingKeySpec (p. 196)
kms:ViaService

AWS KMS  



kms:ViaService 

 

API   

CMK  



IAM 

kms:ViaService AWS KMS  (p. 3) (CMK)  AWS  kms:ViaService  1   CMK   CMK CMK   (p. 126) Resources   CMK 
kms:ViaService CMK (p. 4) Amazon EC2  Amazon RDS  ExampleUser
{
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
        "ec2.us-west-2.amazonaws.com",
        "rds.us-west-2.amazonaws.com"
      ]
    }
  }
}
kms:ViaService  CMK  kms:ViaService  AWS Lambda  ExampleUser  CMK  Encrypt 
{ "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": [ "kms:Encrypt" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": [ "lambda.us-west-2.amazonaws.com" ] } }
}
Important
kms:ViaService  AWS  
· CMK  CMK   AWS  AWS KMS  (p. 475) 
· AWS KMS  AWS   
AWS CMK (p. 4)kms:ViaService  CMK  CMK AWS CMK  GetKeyPolicy.
kms:ViaService  IAM  AWS KMS kms:ViaService 

kms:ViaService 
AWSAWS KMSkms:ViaService  CMK   AWS AWS KMS ViaService  .amazonaws.com 
Note
 



AWS KMS ViaService 

AWS App Runner

apprunner.AWS_REGION.amazonaws.com

Amazon AppFlow

appFlow.AWS_REGION.amazonaws.com

Amazon 

mgn.AWS_REGION.amazonaws.com

Amazon Athena

athena.AWS_REGION.amazonaws.com

AWS Audit Manager

AWS_REGION.amazonaws.com

Amazon Aurora

rds.AWS_region.amazonaws.com

AWS Backup

backup.AWS_region.amazonaws.com

AWS CodeArtifact

codeArtifact.AWS_REGION.amazonaws.com

Amazon CodeGuru Reviewer

codeguru-reviewer.AWS_REGION.amazonaws.com

Amazon Comprehend

AWS_REGION.amazonaws.com

Amazon Connect

connect.AWS_region.amazonaws.com

AWS Database Migration Service (AWS DMS)

dms.AWS_region.amazonaws.com

AWS Directory Service

directoryservice.AWS_region.amazonaws.com

Amazon DynamoDB

dynamodb.aws_region.amazonaws.com

Amazon EC2 Systems Manager (SSM)

ssm.AWS_region.amazonaws.com

Amazon Elastic Block Store (Amazon EBS)

ec2.AWS_region.amazonaws.com (EBS )

Amazon Elastic Container Registry (Amazon ECR)

ECR.AWS_REGION.amazonaws.com

Amazon Elastic File System (Amazon EFS)

elasticfilesystem.AWS_region.amazonaws.com

Amazon Elastic Kubernetes Service (Amazon EKS)

eks.AWS_REGION.amazonaws.com

Amazon ElastiCache

ViaService 

· elasticache.AWS_REGION.amazonaws.com · dax.AWS_REGION.amazonaws.com

Amazon Elasticsearch Service (Amazon ES)

es.AWS_region.amazonaws.com

Amazon FinSpace

AWS_REGION.amazonaws.com

Amazon Forecast

.AWS_REGION.amazonaws.com

193

AWS Key Management Service  AWS KMS 

AWS KMS ViaService 

Amazon FSx

fsx.AWS_region.amazonaws.com

AWS Glue

glue.AWS_region.amazonaws.com

Amazon HealthLake

AWS_REGION.amazonaws.com

AWS IoT SiteWise

iotSiteWise.AWS_REGION.amazonaws.com

Amazon Kendra

Kendra.AWS_REGION.amazonaws.com

Amazon Kinesis

kinesis.AWS_region.amazonaws.com

Amazon Kinesis Data Firehose

Firehose.AWS_REGION.amazonaws.com

Amazon Kinesis Video Streams

kinesisvideo.AWS_region.amazonaws.com

AWS Lambda

lambda.AWS_region.amazonaws.com

Amazon Lex

lex.AWS_region.amazonaws.com

AWS License Manager

AWS_REGION.amazonaws.com

Amazon Lookout for Equipment

lookoutequipment.AWS_REGION.amazonaws.com

Amazon Lookout for Metrics

AWS_REGION.amazonaws.com

Amazon Lookout for Vision

lookoutvision.AWS_REGION.amazonaws.com

Amazon Managed Blockchain

AWS_REGION.amazonaws.com

Amazon Managed Streaming for Apache Kafka (Amazon MSK)

kafka.AWS_region.amazonaws.com

Amazon Managed Workflows for Apache Airflow (MWAA)

AWS_REGION.amazonaws.com

Amazon Monitron

Monitron.AWS_REGION.amazonaws.com

Amazon MQ

mq.AWS_REGION.amazonaws.com

Amazon Neptune

rds.AWS_region.amazonaws.com

Amazon Nimble Studio

AWS_REGION.amazonaws.com

AWS Proton

.AWS_REGION.amazonaws.com

Amazon Quantum Ledger Database (Amazon QLDB)

qlDB.AWS_REGION.amazonaws.com

Amazon RDS Performance Insights

rds.AWS_region.amazonaws.com

Amazon Redshift

redshift.AWS_region.amazonaws.com

Amazon Rekognition

rekognition.AWS_REGION.amazonaws.com

Amazon Relational Database Service (Amazon RDS)

rds.AWS_region.amazonaws.com




AWS KMS ViaService 

AWS Secrets Manager

secretsmanager.AWS_region.amazonaws.com

Amazon Simple Email Service (Amazon SES)

ses.AWS_region.amazonaws.com

Amazon Simple Notification Service (Amazon SNS)

sns.AWS_region.amazonaws.com

Amazon Simple Queue Service (Amazon SQS)

sqs.AWS_region.amazonaws.com

Amazon Simple Storage Service (Amazon S3)

s3.AWS_region.amazonaws.com

AWS Snowball

importexport.AWS_region.amazonaws.com

AWS Storage Gateway

 AWS_REGION.amazonaws.com

AWS Systems Manager Incident Manager

SSM AWS_REGION.amazonaws.com

AWS Systems Manager Incident Manager SSM AWS_REGION.amazonaws.com

Amazon Timestream

AWS_REGION.amazonaws.com

Amazon WorkMail

workmail.AWS_region.amazonaws.com

Amazon WorkSpaces

workspaces.AWS_region.amazonaws.com

AWS X-Ray

xray.AWS_region.amazonaws.com

kms:WrappingAlgorithm

AWS KMS  



kms:WrappingAlgorithm

 

API   
GetParametersForImport  IAM 

GetParametersForImportWrappingAlgorithm   
kms:WrappingAlgorithm GetParametersForImportRSAES_OAEP_SHA_1. GetParametersForImport  WrappingAlgorithm  RSAES_OAEP_SHA_1  
{
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
  "Action": "kms:GetParametersForImport",
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "kms:WrappingAlgorithm": "RSAES_OAEP_SHA_1"
    }
  }
}
 · kms:ExpirationModel (p. 177) · kms:ValidTo (p. 190) · kms:WrappingKeySpec (p. 196)
kms:WrappingKeySpec

AWS KMS  



kms:WrappingKeySpec 

 

API   
GetParametersForImport  IAM 

GetParametersForImportWrappingKeySpec  
WrappingKeySpec  RSA_2048  GetParametersForImport  
kms:WrappingAlgorithm  WrappingKeySpec  RSA_2048 
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:GetParametersForImport", "Resource": "*", "Condition": { "StringEquals": { "kms:WrappingKeySpec": "RSA_2048" } }
}

· kms:ExpirationModel (p. 177) · kms:ValidTo (p. 190) · kms:WrappingAlgorithm (p. 195)
AWS KMSAWSNitro 
AWSNitro  Amazon EC2  AWS KMS AWSNitro . AWS KMS

kms-decrypt,kms-generate-data-key, kms-generate-random AWSNitro Enclaves SDKAPI  API AWS KMS AWS KMS
 AWS KMS AWS KMS
KMS: :ImageSha384

AWS KMS  





kms:RecipientAttestation:ImageSha384

API   

Decrypt



IAM 

GenerateDataKey

GenerateRandom

-kms:RecipientAttestation:ImageSha384kms-decrypt,kms-generatedata-key, kms-generate-random  -ImageSha384 PCR [0]  AWSSDK API
data-processingCMK kmsdecrypt(Decrypt)kms-generate-data-key(GenerateDataKey)kms-generaterandom(GenerateRandom) . -kms:RecipientAttestation:ImageSha384 PCR [0] 
 
{
  "Sid" : "Enable enclave data processing",
  "Effect" : "Allow",
  "Principal" : { "AWS" : "arn:aws:iam::111122223333:role/data-processing" },
  "Action": [ "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateRandom" ],
  "Resource" : "*",
  "Condition": {
    "StringEqualsIgnoreCase": {
      "kms:RecipientAttestation:ImageSha384": "9fedcba8abcdef7abcdef6abcdef5abcdef4abcdef3abcdef2abcdef1abcdef1abcdef0abcdef1abcdef2abcdef3abcdef4ab"
    }
  }
}

KMS: :PCR <PCR_ID>

AWS KMS  



kms:RecipientAttestation:PCR

 

API   

Decrypt



IAM 

GenerateDataKey

GenerateRandom

-kms:RecipientAttestation:PCR<PCR_ID>kms-decrypt,kms-generatedata-key, kms-generate-random PCR PCR  AWSSDK API
PCR PCR ID PCR  96  16 
"kms:RecipientAttestation:PCRPCR_ID": "PCR_value"
 PCR [1]  
"kms:RecipientAttestation:PCR1": "0x1abcdef2abcdef3abcdef4abcdef5abcdef6abcdef7abcdef8abcdef9abcdef8abcdef7abcdef6abcdef5abcdef4abcdef3"
data-processingCMK kms-decrypt(Decrypt)  .
-kms:RecipientAttestation:PCR  PCR1  kms:RecipientAttestation:PCR1StringEqualsIgnoreCase PCR 
 
{
  "Sid" : "Enable enclave data processing",
  "Effect" : "Allow",
  "Principal" : { "AWS" : "arn:aws:iam::111122223333:role/data-processing" },
  "Action": "kms:Decrypt",
  "Resource" : "*",
  "Condition": {
    "StringEqualsIgnoreCase": {
      "kms:RecipientAttestation:PCR1": "0x1de4f2dcf774f6e3b679f62e5f120065b2e408dcea327bd1c9dddaea6664e7af7935581474844767453082c6f1586116376"
    }
  }
}


AgrantAWSprincipalsAWS KMS   (p. 3)CMKCMK (DescribeKey CMK  (p. 85)IAM   (p. 104) IAM  
AWSAWS KMS  AWSAWS  AWS KMS  (p. 475)
  (p. 379)
 ·  (p. 199) ·  CMK  CMK  (p. 200) ·  (p. 200) ·  (p. 203) ·  (p. 207)

  (p. 3)(CMK) grant CMK 
· 1  CMK CMK  AWS   
· AWS KMS CMK  (p. 530) 
·   (p. 200)
·  IAM    (p. 202)  (p. 209)
·  AWS  CMK  ·  ( (p. 202)
 (p. 202)it  · AWS KMS  (p. 202)
 KMS:  
· CMK  (kms:CreateGrant)  AWSCMK 
 AWS   ID  · AWS KMS.  CMK    (p. 200) (p. 204)  ·  IAM   (p. 200)CMK  kms:CreateGrant  (p. 207) ·   CreateGrant  (p. 206)
 (p. 200)
 CMK  CMK 
 CMK  CMK  CMK  AWS KMS  ValidationError 
 CMK
 CMK  , ,  GetPublicKey  AWS KMS    CMK
 CMK   (p. 283) (p. 405)  (p. 421) CMK 
 SIGN_VERIFY  CMK   ENCRYPT_DECRYPT  CMK Sign  Verify  

AWS KMS 

AWS KMS (p. 17)  (p. 204) ID 
CMK  (p. 13)RetireGrant RevokeGrant. 
-AWS KMS (p. 201) AWS KMS  (p. 126)
 ReEncryptReEncryptFrom,ReEncryptTo ReEncrypt*
 · 
·  ·  · GenerateDataKey · GenerateDataKeyPair · GenerateDataKeyPairWithoutPlaintext · GenerateDataKeyWithoutPlaintext ·  ·  · Sign ·  ·  · CreateGrant · DescribeKey · GetPublicKey · RetireGrant
CMK  AWS KMS  ValidationError  ·  CMK (p. 232)Sign,, GetPublicKey. 
AWS KMS   ·  CMK (p. 232) GenerateDataKey,GenerateDataKeyWithoutPlaintext,GenerateDataKeyPair,  GenerateDataKeyPairWithoutPlaintext. ·  CMK  (p. 16)ENCRYPT_DECRYPTSign . ·  CMK SIGN_VERIFYEncrypt,Decrypt,  ReEncrypt. 
 5  AWS KMS (p. 202) ,  .  
Abase64   (p. 200) 
  (p. 202)  AWS KMS 
GenerateDataKey.  GenerateDataKey CMK 
$ aws kms generate-data-key \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --key-spec AES_256 \
    --grant-tokens $token
  (p. 202)RetireGrant .
$ aws kms retire-grant \
    --grant-token $token
CreateGrantAWS KMS CloudTrail  (p. 300)[CreateGrant] -ListGrants ListRetirableGrants ID (p. 200)
 (p. 209) 
 ID  1  AWS ( AWS  ()IAM  IAM  CMK  IAM AWS  ()

   (p. 210) 
 (p. 202) AWS AWS  ()IAM  IAM  CMK 
 AWS   ()RetireGrant  (p. 202) AWS  (root )   AWS   AWS    (p. 210)  ()
 
   (p. 210) 
  5 AWS KMS 
  AWS KMS  AWSSDK  
AWS KMS ·  (p. 209)
 (p. 200)  (p. 209) · -CreateGrantName 
Note
  5 

 CreateGrant 
 ·  (p. 203) ·  (p. 204) · CreateGrant  (p. 206)

 CreateGrant CMK  (p. 202) (p. 200)  (p. 202) Constraints   
 5   (p. 202)
CreateGrantexampleUser Decrypt CMK (p. 232)RetiringPrincipal    (p. 17) "Department": "IT" 
$ aws kms create-grant \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --grantee-principal arn:aws:iam::111122223333:user/exampleUser \
    --operations Decrypt \
    --retiring-principal arn:aws:iam::111122223333:role/adminRole \
    --constraints EncryptionContextSubset={Department=IT}
CreateGrantAWS SDK AWS KMS CreateGrant
Name AWS KMS.
$ aws kms create-grant \
    --name IT-1234abcd-exampleUser-decrypt \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --grantee-principal arn:aws:iam::111122223333:user/exampleUser \
    --operations Decrypt \
    --retiring-principal arn:aws:iam::111122223333:role/adminRole \
    --constraints EncryptionContextSubset={Department=IT}
  (p. 379)

   (p. 157) (p. 85)IAM  (p. 104) 
AWS KMS2 EncryptionContextEqualsEncryptionContextSubset  (p. 17)  (p. 200)
Note
 CMK AWS KMS  
· EncryptionContextEquals   
· EncryptionContextSubset     
 8   384 
 CMK Constraints CreateGrant. exampleUser    "Department": "IT"   Decrypt 
$ aws kms create-grant \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --grantee-principal arn:aws:iam::111122223333:user/exampleUser \
    --operations Decrypt \
    --retiring-principal arn:aws:iam::111122223333:role/adminRole \
    --constraints EncryptionContextSubset={Department=IT}
exampleUser   Decrypt CMK   ListGrants 
Decrypt "Department": "IT"  1 
$ aws kms list-grants --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
  "Grants": [
    {
      "Name": "",
      "IssuingAccount": "arn:aws:iam::111122223333:root",
      "GrantId": "8c94d1f12f5e69f440bae30eaec9570bb1fb7358824f9ddfa1aa5a0dab1a59b2",
      "Operations": [ "Decrypt" ],
      "GranteePrincipal": "arn:aws:iam::111122223333:user/exampleUser",
      "Constraints": {
        "EncryptionContextSubset": { "Department": "IT" }
      },
      "CreationDate": 1568565290.0,
      "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "RetiringPrincipal": "arn:aws:iam::111122223333:role/adminRole"
    }
  ]
}
EncryptionContextSubset
$ aws kms generate-data-key \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --key-spec AES_256 \
    --encryption-context Department=IT,Purpose=Test
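The difference between the two grant constraints (EncryptionContextSubset lets the request carry extra pairs; EncryptionContextEquals requires the exact set) decides whether the generate-data-key call above, with the context Department=IT,Purpose=Test, is permitted by a grant. The following is an added illustration, not code from the AWS KMS Developer Guide or the AWS SDKs: a checker that applies a grant's Constraints to a request's encryption context, plus a filter over a ListGrants-style response. The sample grants are constructed in the shape of the guide's ListGrants output; their GrantId values are placeholders.

```python
"""Apply AWS KMS grant constraints to a request's encryption context.

Added illustration, not code from the AWS KMS Developer Guide or AWS SDKs.
Two constraint types exist:

  EncryptionContextSubset  every constraint pair must appear in the request
                           context; the request may carry additional pairs.
  EncryptionContextEquals  the request context must equal the constraint
                           pairs exactly, nothing more, nothing less.

Both comparisons are case-sensitive on keys and values.
"""
from typing import Dict, List, Optional


def constraint_satisfied(constraints: Optional[Dict[str, Dict[str, str]]],
                         encryption_context: Dict[str, str]) -> bool:
    """True if the given encryption context meets every constraint on the grant."""
    if not constraints:
        return True  # an unconstrained grant permits any context, including none
    if "EncryptionContextEquals" in constraints:
        if encryption_context != constraints["EncryptionContextEquals"]:
            return False
    if "EncryptionContextSubset" in constraints:
        for key, value in constraints["EncryptionContextSubset"].items():
            if encryption_context.get(key) != value:
                return False
    return True


def grants_permitting(grants: List[dict], operation: str, grantee: str,
                      encryption_context: Dict[str, str]) -> List[str]:
    """GrantIds from a ListGrants-style list that would let `grantee` perform
    `operation` with `encryption_context` (key policy and IAM policy are not
    considered here; grants are only one of the three permission sources)."""
    return [
        g["GrantId"] for g in grants
        if g.get("GranteePrincipal") == grantee
        and operation in g.get("Operations", [])
        and constraint_satisfied(g.get("Constraints"), encryption_context)
    ]


# Constructed sample in the shape of the guide's ListGrants output; ids are placeholders.
SAMPLE_GRANTS = [
    {
        "GrantId": "grant-subset",
        "GranteePrincipal": "arn:aws:iam::111122223333:user/exampleUser",
        "Operations": ["Decrypt"],
        "Constraints": {"EncryptionContextSubset": {"Department": "IT"}},
    },
    {
        "GrantId": "grant-equals",
        "GranteePrincipal": "arn:aws:iam::111122223333:user/anotherUser",
        "Operations": ["Decrypt"],
        "Constraints": {"EncryptionContextEquals": {"Department": "IT"}},
    },
]
```

A data key generated with the context Department=IT,Purpose=Test can later be decrypted under grant-subset but not under grant-equals, because the Purpose pair makes the context a superset rather than an exact match.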
AWSCMK   AWS  Amazon DynamoDB  AWS CMK (p. 4) DynamoDB  DynamoDB   EncryptionContextSubset  "subscriberID": "111122223333"  "tableName": "Services"  DynamoDB  AWS  
ListGrantsAWSDynamoDB  CMK  
$ aws kms list-grants --key-id 0987dcba-09fe-87dc-65ba-ab0987654321
{
  "Grants": [
    {
      "Operations": [ "Decrypt", "Encrypt", "GenerateDataKey", "ReEncryptFrom", "ReEncryptTo", "RetireGrant", "DescribeKey" ],
      "IssuingAccount": "arn:aws:iam::111122223333:root",
      "Constraints": {
        "EncryptionContextSubset": {
          "aws:dynamodb:tableName": "Services",
          "aws:dynamodb:subscriberId": "111122223333"
        }
      },
      "CreationDate": 1518567315.0,
      "KeyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
      "GranteePrincipal": "dynamodb.us-west-2.amazonaws.com",
      "RetiringPrincipal": "dynamodb.us-west-2.amazonaws.com",
      "Name": "8276b9a6-6cf0-46f1-b2f0-7993a7f8c89a",
      "GrantId": "1667b97d27cf748cf05b487217dd4179526c949d14fb3903858e25193253fe59"
    }
  ]
}
CreateGrant 
CreateGrant.  (p. 202) CreateGrant 
·  · - (p. 204)
CreateGrant  (p. 207)
 GenerateDataKeyDecrypt CreateGrant   CreateGrant
# The original grant in a ListGrants response.
{
  "Grants": [
    {
      "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "CreationDate": 1572216195.0,
      "GrantId": "abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514a",
      "Operations": [ "GenerateDataKey", "Decrypt", "CreateGrant" ],
      "RetiringPrincipal": "arn:aws:iam::111122223333:role/adminRole",
      "Name": "",
      "IssuingAccount": "arn:aws:iam::111122223333:root",
      "GranteePrincipal": "arn:aws:iam::111122223333:user/exampleUser",
      "Constraints": {
        "EncryptionContextSubset": { "Department": "IT" }
      }
    }
  ]
}
 ExampleUser  CreateGrantDecrypt- ScheduleKeyDeletionReEncrypt
  EncryptionContextSubset 

 EncryptionContextSubset  EncryptionContextEquals  
CreateGrant 
# The child grant in a ListGrants response.
{
  "Grants": [
    {
      "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "CreationDate": 1572249600.0,
      "GrantId": "fedcba9999c1e2e9876abcde6e9d6c9b6a1987650000abcee009abcdef40183f",
      "Operations": [ "CreateGrant", "Decrypt" ],
      "RetiringPrincipal": "arn:aws:iam::111122223333:user/exampleUser",
      "Name": "",
      "IssuingAccount": "arn:aws:iam::111122223333:root",
      "GranteePrincipal": "arn:aws:iam::111122223333:user/anotherUser",
      "Constraints": {
        "EncryptionContextEquals": { "Department": "IT" }
      }
    }
  ]
}
anotherUserCreateGrant anotherUser 

 ()  AWS KMS IAM  
 ·  (p. 207) ·  (p. 208) ·  (p. 209) ·  (p. 210)


IAM  CreateGrant  (p. 206)

API  CreateGrant

 IAM  


 


API  ListGrants ListRetirableGrants 
RevokeGrant

 IAM  


(    (p. 210))


 
-

 IAM  1 AWS KMS AWS KMS   (p. 159)
kms:GrantConstraintType (p. 178)
  (p. 204) kms:GrantIsForAWSResource (p. 179)
CreateGrant,ListGrants, RevokeGrant AWSAWS KMS kms:GrantOperations (p. 180)
 kms:GranteePrincipal (p. 181)
 (p. 202) kms:RetiringPrincipal (p. 189)
 (p. 202)

 ListGrants  CMK   ID   (p. 382)
 AWS   (p. 202) ListRetirableGrants
Note
ListGrants  GranteePrincipal  AWS GranteePrincipal 
CMK 
$ aws kms list-grants --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
  "Grants": [
    {
      "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "CreationDate": 1572216195.0,
      "GrantId": "abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514a",
      "Constraints": {
        "EncryptionContextSubset": { "Department": "IT" }
      },
      "RetiringPrincipal": "arn:aws:iam::111122223333:role/adminRole",
      "Name": "",
      "IssuingAccount": "arn:aws:iam::111122223333:root",
      "GranteePrincipal": "arn:aws:iam::111122223333:user/exampleUser",
      "Operations": [ "Decrypt" ]
    }
  ]
}

5  (p. 202)AWS KMS   AWS KMSAccessDeniedException
 (p. 201) CreateGrantAWS KMS . AWS KMS  (p. 200) 
CreateGrantGenerateDataKey Decrypt. CreateGranttoken.  GenerateDataKeytoken.
# Create a grant; save the grant token
$ token=$(aws kms create-grant \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --grantee-principal arn:aws:iam::111122223333:user/appUser \
    --retiring-principal arn:aws:iam::111122223333:user/acctAdmin \
    --operations GenerateDataKey Decrypt \
    --query GrantToken \
    --output text)

# Use the grant token in a request
$ aws kms generate-data-key \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --key-spec AES_256 \
    --grant-tokens $token
 (RevokeGrant  (p. 210)
# Retire the grant
$ aws kms retire-grant --grant-token $token


-RetireGrantRevokeGrant 
RevokeGrant
AWS KMSRevokeGrant (p. 85)IAM  (p. 104)-RevokeGrantAPI kms:RevokeGrant  RetireGrant
 IAM   
 (p. 202)-  (p. 202)  RetireGrant  AWS   ) 
kms:RetireGrant kms:RetireGrant-kms:RetireGrant -kms:RetireGrant  · Denykms:RetireGrant
 · - AWS  (root ) CMK kms:RetireGrant
 ·  AWS  
kms:RetireGrant IAM  
 (p. 201) AWS KMS, .
 5   (p. 202)  (p. 209) 
AWS KMS 
AWS Key Management ServiceAWS Identity and Access Management(IAM) AWS KMS  IAM  AWS KMS   AWS  
 AWS KMS AWS KMS  AWS KMS 
 IAM 
 AWS KMS  
IAM  AWS  []   
AWS KMS  
AWS KMS service-linked role (p. 421) AWS KMSAWS CloudHSM  AWS CloudHSMAWS KMS  (p. 421) 
AWSServiceRoleForKeyManagementServiceCustomKeyStores   cks.kms.amazonaws.com AWS KMS  
 AWS CloudHSM  AWS KMS AWS KMS  AWS KMS AWS CloudHSM HSM 
AWS service-linked role  AWS KMSAWS KMSAWS CloudHSM Amazon EC2  (p. 426)
AWS KMS
AWS KMS service-linked role (p. 244) AWS KMS AWS KMS  (p. 249) 
-service-linked role mrk.kms.amazonaws.com 1  AWS KMS   AWS KMS AWS KMS 
AWS service-linked role 
AWS KMSAWS KMS  (p. 255)
AWS KMS  
 (CMK) AWS KMSCMK  (p. 199)CMK AWS Identity and Access Management(IAM)  CMK   CMK   AWS  (ID) 
 ·  (p. 212) · IAM  (p. 214) ·  (p. 215) ·  (p. 216)

 (p. 85)AWS KMS (CMK) CMK  1 
  (p. 87),   IAM  IAM  CMK   AWS  (p. 120)CMK  IAM  IAM CMK   IAM  (p. 214)
AWS KMS  CMK (p. 4)AWS CMK (p. 4) [AWS Management ConsoleGetKeyPolicyAWS KMSAPI.  CMK  kms:GetKeyPolicy CMK  the section called "" (p. 97)
 Principal  IAM IAM  AWS  ()Principal CMK 
Note
  (*)   AWS   CMK   AWS  CMK  IAM  
 (p. 86) 
Example  1
{
  "Sid": "Enable IAM policies",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "kms:*",
  "Resource": "*"
}
arn:aws:iam::111122223333:root AWS   111122223333  CMK   CMK  
 AWS  root  IAM  CMK  (p. 87)  IAM  CMK  IAM   (p. 214) AWS   CMK  
Example  2
{ "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSKeyAdmin"}, "Action": [ "kms:Describe*", "kms:Put*", "kms:Create*", "kms:Update*", "kms:Enable*", "kms:Revoke*", "kms:List*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*"
}
arn:aws:iam::111122223333:user/ KMSKeyAdminKmskeyAdmin  IAM  AWS  111122223333 CMK  
Example  3
{ "Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/EncryptionApp"}, "Action": [ "kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt", "kms:ReEncrypt*", "kms:Decrypt" ], "Resource": "*"
}
arn:aws:iam::111122223333:role/EncryptionApp EncryptionApp  IAM  AWS  111122223333  CMK  
Example  4
{ "Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/EncryptionApp"}, "Action": [ "kms:ListGrants", "kms:CreateGrant", "kms:RevokeGrant" ], "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
}
arn:aws:iam::111122223333:role/EncryptionApp EncryptionApp  IAM  AWS  111122223333   3CMK AWS AWS KMS (p. 475) (p. 199)Condition AWS KMS  AWS  
 ()IAM 
AWS KMS AWS KMS  (p. 85) 
IAM 
IAM  CMK CMK  IAM    (p. 216)
IAM  CMK   IAM Policy Simulator IAM API 
IAM  · IAM  IAM  (p. 214) · IAM API  IAM  (p. 215)
IAM  IAM 
IAM IAM  CMK  
IAM  CMK 
1. AWS Management Console IAM  https://policysim.aws.amazon.com/
2. [Users, Groups, and Roles]  
3. ()  
4. [Policy Simulator] 
a. [Select service] [Key Management Service]  b.  AWS KMS [Select actions] 
 AWS KMS [Select All]   5. () Policy Simulator  CMK  CMK   CMK  Amazon  (ARN)  6. [Run Simulation ()] 
[Results]  IAM   2  6  AWS  
IAM API  IAM 
IAM API IAM API  
1. For AWS  CMK  ( "Principal": {"AWS": "arn:aws:iam::111122223333:root"}) ListUsersListRoles  IAM 
2.  IAM IAM API  SimulatePrincipalPolicy   · PolicySourceArn  Amazon  (ARN)   SimulatePrincipalPolicy  PolicySourceArn  1   IAM  1   · ActionNames  AWS KMS API   AWS KMS API kms:*  AWS KMS API  API kms:", for example "kms:ListKeysAWS KMSAPI  ()AWS Key Management ServiceAPI  · IAM  CMK  ResourceArns CMK  Amazon  (ARN)  IAM  CMK  ResourceArns 
IAM  SimulatePrincipalPolicy  allowed, explicitDeny,   implicitDenyallowed  AWS KMS API  CMK  ARN  
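The steps above (one PolicySourceArn, ActionNames prefixed with kms:, the CMK ARN in ResourceArns, and an EvalDecision of allowed, explicitDeny or implicitDeny per action) translate directly into an API call. The following is an added illustration, not code from the AWS KMS Developer Guide: a request builder and result parser for the IAM SimulatePrincipalPolicy API. The function names, the action list and the sample response are constructed; only the live call under `__main__` needs boto3 and AWS credentials, the rest runs offline.

```python
"""Check a principal's effective AWS KMS permissions on one CMK through the
IAM policy simulator API (SimulatePrincipalPolicy).

Added illustration, not code from the AWS KMS Developer Guide. Helper names,
KMS_ACTIONS and SAMPLE_RESPONSE are constructed for the example.
"""
from typing import Dict, List

# CMK ARN used in the guide's own examples.
SAMPLE_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# A mix of routine and sensitive KMS API actions worth simulating (constructed list).
KMS_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
    "kms:ScheduleKeyDeletion",
]


def build_simulation_request(principal_arn: str, key_arn: str,
                             actions: List[str] = KMS_ACTIONS) -> dict:
    """Keyword arguments for IAM.Client.simulate_principal_policy: exactly one
    principal in PolicySourceArn, KMS API names in ActionNames (each must carry
    the kms: prefix), and the CMK ARN in ResourceArns."""
    for action in actions:
        if not action.startswith("kms:"):
            raise ValueError(f"ActionNames entries must be prefixed with kms: (got {action})")
    return {
        "PolicySourceArn": principal_arn,
        "ActionNames": list(actions),
        "ResourceArns": [key_arn],
    }


def summarize_decisions(response: dict) -> Dict[str, str]:
    """Map each simulated action to its EvalDecision: allowed, explicitDeny or implicitDeny."""
    return {
        result["EvalActionName"]: result["EvalDecision"]
        for result in response.get("EvaluationResults", [])
    }


def denied_actions(response: dict) -> List[str]:
    """Actions the principal cannot perform on the CMK (either deny kind)."""
    return sorted(action for action, decision in summarize_decisions(response).items()
                  if decision != "allowed")


# Constructed sample in the shape of a SimulatePrincipalPolicy response.
SAMPLE_RESPONSE = {
    "EvaluationResults": [
        {"EvalActionName": "kms:Encrypt", "EvalResourceName": SAMPLE_KEY_ARN, "EvalDecision": "allowed"},
        {"EvalActionName": "kms:Decrypt", "EvalResourceName": SAMPLE_KEY_ARN, "EvalDecision": "allowed"},
        {"EvalActionName": "kms:ScheduleKeyDeletion", "EvalResourceName": SAMPLE_KEY_ARN,
         "EvalDecision": "implicitDeny"},
    ]
}

if __name__ == "__main__":
    import boto3  # only the live call needs boto3 and credentials

    iam = boto3.client("iam")
    request = build_simulation_request("arn:aws:iam::111122223333:role/EncryptionApp", SAMPLE_KEY_ARN)
    live = iam.simulate_principal_policy(**request)
    print(summarize_decisions(live))
    print("denied:", denied_actions(live))
```

The simulator evaluates the principal's IAM policies together with the CMK's key policy, so an allowed result on kms:ScheduleKeyDeletion for an application role is the kind of finding this check is meant to surface.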

CMK AWS KMS   AWS  CMK  CMK    (p. 199)
CMK AWS KMS ListGrants CMK   CMK   JSON  AWS CLI
{"Grants": [{
  "Operations": ["Decrypt"],
  "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
  "Name": "0d8aa621-43ef-4657-b29c-3752c41dc132",
  "RetiringPrincipal": "arn:aws:iam::123456789012:root",
  "GranteePrincipal": "arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-5d476fab",
  "GrantId": "dc716f53c93acacf291b1540de3e5a232b76256c83b2ecb22cdefa26576a2d3e",
  "IssuingAccount": "arn:aws:iam::111122223333:root",
  "CreationDate": 1.444151834E9,
  "Constraints": {"EncryptionContextSubset": {"aws:ebs:id": "vol-5cccfb4e"}}
}]}
CMK "GranteePrincipal"  EC2  i-5d476fab  EC2  EBS  vol-5cccfb4e EC2  CMK  CMK  EBS   EC2 
 JSON AWS CLI  AWS  
{"Grants": [{
  "Operations": ["Encrypt"],
  "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
  "Name": "",
  "GranteePrincipal": "arn:aws:iam::444455556666:root",
  "GrantId": "f271e8328717f8bde5d03f4981f06a6b3fc18bcae2da12ac38bd9186e7925d11",
  "IssuingAccount": "arn:aws:iam::111122223333:root",
  "CreationDate": 1.444151269E9
}]}

 (CMK) AWS KMS 
· CMK   (p. 212)  AWS  CMK  
·  IAM  IAM  (p. 214)   CMK  IAM  AWS  
· CMK   (p. 215)  · CMK  (AWS Organizations
VPC  (p. 463)  
AWS KMSCMK  AWS KMS  
 2   · Use authorization IAM  
CMK 
·  CMK   AWS  CMK  AWS   IAM   CMK  CMK 
 CMK   IAM  DENY  ALLOW    
·  1:  CMK  AWS  (p. 218) ·  2:  CMK  AWS 
 (p. 220)
 1:  CMK  AWS  
Alice 111122223333 AWS   CMK  AWS   Alice  CMK  Alice  CMK IAM  CMK  AWS  CMK   IAM CMK  Alice  IAM  
 · Alice  CMK  (p. 86) AWS 
 (p. 87)CMK  IAM  CMK  CMK   IAM ? 
{
  "Version" : "2012-10-17",
  "Id" : "key-test-1",
  "Statement" : [
    {
      "Sid" : "Delegate to IAM policies",
      "Effect" : "Allow",
      "Principal" : { "AWS" : "arn:aws:iam::111122223333:root" },
      "Action" : "kms:*",
      "Resource" : "*"
    }
  ]
}
· IAM CMK  Alice  Alice  CMK 
 2:  CMK   AWS 
Bob  1 (111122223333)   (p. 12) 2 (444455556666)  CMK  
Tip  CMK  IAM  CMK    CMK  (p. 120) ·  2  CMK  2  IAM  CMK   ·  2  CMK  1  CMK   1  IAM  CMK   ·  1  IAM  Engineering  2  CMK   ·  1  Bob Engineering   · Bob  CMK  IAM   CMK 
 1  Bob  2  CMK   · CMK  2444455556666CMK  IAM
 CMK  1 (111122223333)  CMK  ( Action )   1  CMK  IAM   1  2  CMK   2 [   IAM ?]  
{ "Id": "key-policy-acct-2", "Version": "2012-10-17", "Statement": [ { "Sid": "Permission to use IAM policies", "Effect": "Allow", 221

AWS Key Management Service  
"Principal": { "AWS": "arn:aws:iam::444455556666:root"
}, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow account 1 to use this CMK", "Effect": "Allow", "Principal": {
"AWS": "arn:aws:iam::111122223333:root" }, "Action": [
"kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey" ], "Resource": "*" } ] }
·  AWS  ( 1111122223333)  2  CMK   (444455556666)-Action  2  1  Engineering 1  ()Engineering
 IAM  2  CMK  CMK   1  1   
 IAM  ? 
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey" ], "Resource": [ "arn:aws:kms:us-
west-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab" ]
} ] }
·  1  Engineering  AssumeRolePolicyDocument Bob  Engineering 
{ "Role": { "Arn": "arn:aws:iam::111122223333:role/Engineering", "CreateDate": "2019-05-16T00:09:25Z", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": { "Principal": { "AWS": "arn:aws:iam::111122223333:user/bob" }, "Effect": "Allow", "Action": "sts:AssumeRole" } }, "Path": "/", "RoleName": "Engineering", "RoleId": "AROA4KJY2TU23Y7NK62MV" }
}
AWS AWS   
AWS  
· ­AWSAWS AWSAWSAWS  AWS Key Management Service(AWS KMS)AWS
· -- AWSAWS KMS   
AWS Key Management Service   AWS KMS  
 · AWS Key Management Service  (p. 224) · AWS Key Management Service  Identity and Access Management (p. 226) · AWS Key Management Service  (p. 227) · AWS Key Management Service  (p. 228) · AWS Key Management Service  (p. 229) · AWS Key Management Service  (p. 230)
AWS Key Management Service 
AWS Key Management Service  
 ·  (p. 224) ·  (p. 226)

AWS KMS  (p. 3) (CMK)  AWS KMS  (HSM)   
CMK  AWS KMS AWS KMS HSM   AWS KMS API  
 ·  (p. 225) ·  (p. 225) ·  (p. 225)

AWS KMSFIPS 140-2  2 HSM CMK HSM CMK  HSM 
CMK AWS KMS 
AWS Key Management Service

CMK  AWS KMS AWS KMS API  AWS KMS API  CMK   (p. 13) AWS KMS  (p. 421) CMK   AWS KMS  AWS CloudHSM API  
 AWS KMS API  (p. 5) API   CMK   (p. 405) 
AWS KMS API Transport Layer Security (TLS) 1.2  AWS KMS PFS (Perfect Forward Secrecy)   
 API  AWS  FIPS 140-2  FIPS  FIPS   (FIPS) 140-2AWS KMSFIPS AWS Key Management Service ()AWS
AWS KMS  HSM  (ECC)  (AES)   AWS Key Management Service

AWS KMS AWS KMS  (CMK) CMK  
AWS KMSCMK FIPS 140-2  2  HSM AWS KMS HSM AWS KMS   
CMK HSM  
 HSM  HSM AWS  HSM 
 (p. 421)AWS KMS  CMK AWS CloudHSM  HSM  FIPS 140-2  3
 1 CMK  (p. 405)  AWS KMS AWS KMS HSM  RSA   AWS KMS HSM  HSM   AWS KMS   HSM  AWS KMS  
CMK AWS Key Management Service 

AWS KMS  AWS Management Console  API   (CMK)  
AWS KMS 2  AWS
·  IPsec VPN  · AWS Direct Connect  AWS Direct Connect 

 AWS KMS API Transport Layer Security (TLS) 1.2   CMK  (HSM)  AWS  AWS KMS API 
Virtual Private Cloud (VPC)  AWS KMS  AWS PrivateLink  VPC  VPC  AWS KMS  (p. 462)
AWS KMS Transport Layer Security (TLS)   (p. 470)TLS  TLS AWS KMSAPI 
AWS Key Management Service  Identity and Access Management
AWS Identity and Access Management(IAM) AWS IAM () AWS KMS
 IAM AWS KMS (p. 104)
 (p. 85)AWS KMS  (CMK)   CMK IAM  (p. 104)  (p. 199)CMK   AWS KMS (p. 81)
Amazon Virtual Private Cloud (Amazon VPC)  VPC   (p. 462)AWS KMSpoweredAWSPrivateLinkVPC  AWS KMS  API   CMK VPC   (p. 463)
AWS Key Management Service  
AWS KMS  (CMK)  AWS  AWS CMK  
AWS CloudTrail 
AWS KMS API AWS CloudTrail  AWS KMS  API  AWS KMS  AWS  API   (CMK ) AWS   CloudTrail  
 CMK   CMK  the section called "AWS CloudTrail " (p. 296) Amazon CloudWatch 
AWS CloudTrail  Amazon CloudWatch 
AWS KMSCloudWatch   (p. 405)the section called "CloudWatch " (p. 333) Amazon CloudWatch Events
AWS KMSCMK CloudWatch  (p. 283)  (p. 393) (p. 405) CMK AWS KMS  (API ) 1   the section called "AWS KMS " (p. 336)  Amazon CloudWatch  Amazon CloudWatch 
CloudWatch CMK AWS KMS  2  CMK CMK CloudWatch   CMK  AWS KMS   (p. 333)
Amazon CloudWatch 
   CMK  CloudWatch  CMK  the section called "Amazon CloudWatch " (p. 399)
AWS Key Management Service  
 AWS  AWS Key Management Service  SOCPCIFedRAMPHIPPA 
 ·  (p. 228) ·  (p. 228)
 
 AWS KMS  AWS Artifact 
·  (C5) · ISO 27001:2013  (SoA) · ISO 27001:2013  · ISO 27017:2015  (SoA) · ISO 27017:2015  · ISO 27018:2015  (SoA) · ISO 27018:2014  · ISO 9001:2015  · PCI DSS Attestation of Compliance (AOC)  Responsibility Summary · Service Organization Controls (SOC) 1  · Service Organization Controls (SOC) 2  · Service Organization Controls (SOC) 2  · 
AWS ArtifactAWS

AWS KMS  AWS KMS  AWS 
· AWS-- AWS AWS  
· -  AWS
· AWS- 
· AWS Config-- AWS 
· AWS Security Hub-- AWS AWS
AWS Key Management Service  
AWS Key Management Service(AWS KMS) AWS Amazon Web Services: 
AWS KMSAWS KMSAPI AWS Key Management ServiceAPI  AWS KMS   Transport Layer Security (TLS) 1.0 AWS KMS FIPS    TLS 1.2  Ephemeral Diffie-Hellman (DHE)  Elliptic Curve Ephemeral Diffie-Hellman (ECDHE)  Perfect Forward Secrecy (PFS)  Java 7 
 ID IAM  AWS Security Token Service (AWS STS)  
 API AWS KMS   IP VPC VPC  CMK   IAM   AWS  AWS  (p. 158)
 IP  IP   1  KMSTestRole    (p. 12)  (CMK) 
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/KMSTestRole"}, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*",
229

AWS Key Management Service  
"Condition": { "NotIpAddress": { "aws:SourceIp": [ "192.0.2.0/24", "203.0.113.0/24" ] }
} } }

AWS KMS  Amazon Web Services:    AWS KMS   (HSM) HSM     AWS KMS  (CMK) CMK  HSM HSM  AWS KMSHSM  AWS Key Management Service
AWS Key Management Service  
AWS Key Management Service (AWS KMS)   AWS Key Management Service    · IAM  (p. 105) · IAM ()IAM 
AWS KMS   (p. 3) (CMK)  AWS  
CMK  AWS   (p. 85),IAM  (p. 104),  grant (p. 199)CMK  (p. 58)CMK (p. 49)  (p. 65), CMK  (p. 393)CMK AWS  AWS KMS (p. 475)AWS CloudTrail  (p. 296) CMK  
AWS KMS  CMK  CMK 
·  CMK (p. 232): 1  256 AWS KMS  CMK AWS KMS 
·  CMK (p. 232):    AWS KMS AWS KMS API  AWS KMS  AWS KMS 
AWS KMS (p. 5) (p. 7) AWS KMS AWS KMS  CMK 
·  -- AWS KMS AWS KMS  CMK 
·  --  RSA  (ECC)  AWS KMS  CMK AWS KMS   
AWS KMS ECC  RSA  AWS KMS AWS KMS
 CMK  CMK   CMK   AWS KMS  

 CMK AWSAWS KMS 

·  CMK  CMK  (p. 21) · CMK   CMK  CMK 
 (p. 46)
·  CMK  AWS KMS API the section called " CMK  CMK " (p. 241)
· AWS KMS  CMK  CMK  the section called "AWS  CMK  " (p. 93)
·  CMK  the section called "AWS KMS " (p. 159)
·  CMK  the section called "" (p. 532)
·  CMK  AWS KMS()AWS
 ·  CMK  CMK  (p. 232) · CMK  (p. 233) · CMK  (p. 240) ·  CMK  CMK  (p. 241)
 CMK  CMK 
AWS KMS  CMK 

KMS  (CMK)  CMK 
AWS KMS  CMK AWS KMS  256   CMK AWS KMS  
AWS KMS   CMK  CMK  SYMMETRIC_DEFAULT  (p. 236) CMK    CMK  (p. 22)
AWS KMS  AWS  CMK   CMK CMK    CMK  CMK  (p. 46)
AWS KMS  CMK   CMK   (p. 405) (p. 421) CMK  CMK  CMK Comparing Symmetric and Asymmetric CMKs (p. 241)

AWS KMS  CMK  CMK   
 CMK  AWS KMS AWS KMS  AWS KMS AWS KMS API AWS KMS   (p. 60)AWS KMS 
AWS KMS  AWS   CMK CMK  AWS CMK AWSAWS KMS  CMK  CMK  
AWS KMS 2  CMK 
· RSA CMK:  ()  RSA key pair  CMKAWS KMS
·  (ECC) CMK: key pair  CMKAWS KMS 
RSA CMK  AWS KMS  RSA  (p. 236)ECC CMK  AWS KMS   (p. 239)
 CMK  CMK Comparing Symmetric and Asymmetric CMKs (p. 241)CMK    CMK  CMK  (p. 46)

 CMK AWSAWS KMS 
CMK 
 CMK CMK  CMK  CMK CMK   CMK  CMK  the section called "" (p. 21)
AWS KMS2  CMK   (p. 234) (p. 235)
 CMK 

 CMK (p. 232)  AWS KMS   (p. 17) (AAD)   CMK   AWS KMS  AWS 
AWS KMS  AWS   CMK (p. 232)  CMK    CMK AWS KMS


 CMK (p. 232) RSA  (ECC)  (p. 235) CMK    AWS Verify    (p. 235)

 CMK (p. 232)RSA  (p. 237) (ECC)  (p. 239)RSA CMK   AWS KMS Encrypt   (p. 60)AWS KMS  
 CMK AWS KMS  CMK AWS KMS AWS KMS  AWS KMS  (p. 60)
AWS KMS Decrypt  SIGN_VERIFY  (p. 234) CMK  Decrypt  AWS KMSRSA CMK 
AWS KMS  -AWS KMSGetPublicKey 
 AWS 
 CMK AWSAWS KMS (p. 475)]  AWS CMK (p. 232)

CMK AWS KMS AWS Key Management Service    (p. 532)



CMK   (p. 16)CMK  CMK  
 CMK  (ECC) CMK   RSA CMK 
CMK 

CMK   CMK






CMK 
RSA  CMK



ECC  CMK



AWS KMS  CMK    CMK   (p. 235)
AWS KMS :
·  (ECC)  CMK []  · RSA  CMK []  [] 
 CMK  kms:CustomerMasterKeyUsage (p. 164) 

 CMK  (p. 16) (CMK) CMK CMK  CMK   (p. 393)
Note
EclipseAWS KMSAPI CMK CustomerMasterKeySpec  (KeySpec)  (KeyPairSpec)   (WrappingKeySpec)  
CMK CMK  AWS KMS  CMK  
 CMK  kms:CustomerMasterKeySpec (p. 163) 
AWS KMS CMK 
·  CMK (p. 236) · SYMMETRIC_DEFAULT
· RSA  (p. 236) · RSA_2048 · RSA_3072 · RSA_4096
·  (p. 239) ·  NIST  · ECC_NIST_P256 (secp256r1)
· ECC_NIST_P384 (secp384r1) · ECC_NIST_P521 (secp521r1) ·  · ECC_SECG_P256K1 (secp256k1)


· SYMMETRIC_DEFAULT  (p. 236) · RSA  (p. 236) ·  (p. 239)
SYMMETRIC_DEFAULT 
 SYMMETRIC_DEFAULT  CMK  AWS KMSSYMMETRIC_DEFAULT CreateKey  CustomerMasterKeySpec SYMMETRIC_DEFAULT  SYMMETRIC_DEFAULT 
 CMK SYMMETRIC_DEFAULT  (AES)GCM256  (p. 17)  (AAD) GCM  AWS Key Management Service
AES-256-GCM 256  AES-GCM   128  AWS KMS  
AWS KMS  CMK  AWS KMS  AWS  CMK   CMK  (p. 405)  (p. 421) CMK  CMK  CMK  Comparing Symmetric and Asymmetric CMKs (p. 241)
RSA 
RSA AWS KMS  RSA  CMK   AWS KMS AWS KMS  AWS KMS  
Warning
AWS KMS  AWS KMS  CMK  CMK   CMK  
AWS KMS  CMK  RSA   (p. 234) 

AWS KMS  RSA 
· RSA_2048 · RSA_3072 · RSA_4096

RSA RSA  RSA   RSACMK AWS KMS AWS Key Management Service     (p. 532)

 RSA 

RSA  CMK 
RSA CMK  AWS KMS  Encrypt AWS KMS  RSA 
Decrypt  CMK  AWS KMS RSA 

AWS KMS  AWS KMS  RSA CMK   CMK  Decrypt 
AWS KMS RSA  CMK  2 PKCS #1 v2.2 EclipseAWS KMSRSAES_OAEP (MGF1) Encrypt  Decrypt  

RSA encryption algorithms

Encryption algorithm    Description
RSAES_OAEP_SHA_1        PKCS #1 v2.2, section 7.1: RSA encryption with OAEP padding using MGF1 and SHA-1
RSAES_OAEP_SHA_256      PKCS #1 v2.2, section 7.1: RSA encryption with OAEP padding using MGF1 and SHA-256

 CMK kms:EncryptionAlgorithm (p. 166)  CMK  
CMK  (p. 32)CMK  CMK AWS KMS DescribeKey.AWS KMS AWS KMS GetPublicKey.
RSA   Encrypt  1 


 CMK   4096 


(key_size_in_bits / 8) - (2 * hash_length_in_bits / 8) - 2

For RSA_2048 with SHA-256: (2048 / 8) - (2 * 256 / 8) - 2 = 190

Maximum plaintext size in bytes, by key spec and encryption algorithm:

Key spec    RSAES_OAEP_SHA_1    RSAES_OAEP_SHA_256
RSA_2048    214                 190
RSA_3072    342                 318
RSA_4096    470                 446
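Added example (not from the AWS documentation): a Python pre-flight check that implements the formula above for every RSA key spec and RSAES_OAEP algorithm the guide lists, and rejects a plaintext that would exceed the limit before Encrypt is called. Function names are hypothetical.

```python
"""Pre-flight size check for RSA encryption with an asymmetric KMS key.

Added example, not from the AWS documentation. It reproduces the guide's
maximum-plaintext formula and generalizes it over every RSA key spec and
RSAES_OAEP algorithm the guide lists. Function names are hypothetical.
"""

# Modulus size in bits for each RSA key spec (from the guide's key-spec list).
RSA_KEY_SPECS = {"RSA_2048": 2048, "RSA_3072": 3072, "RSA_4096": 4096}

# Digest length in bits for each RSAES_OAEP encryption algorithm.
OAEP_HASH_BITS = {"RSAES_OAEP_SHA_1": 160, "RSAES_OAEP_SHA_256": 256}


def max_plaintext_bytes(key_spec: str, algorithm: str) -> int:
    """Largest plaintext the Encrypt operation accepts for this pair.

    Implements the guide's formula
        (key_size_in_bits / 8) - (2 * hash_length_in_bits / 8) - 2
    which is the PKCS #1 v2.2 OAEP bound k - 2*hLen - 2.
    """
    k = RSA_KEY_SPECS[key_spec] // 8          # modulus length in bytes
    h_len = OAEP_HASH_BITS[algorithm] // 8    # hash output length in bytes
    return k - 2 * h_len - 2


def plaintext_limit_table() -> dict:
    """Return {key_spec: {algorithm: max_bytes}} for every supported pair."""
    return {
        spec: {alg: max_plaintext_bytes(spec, alg) for alg in OAEP_HASH_BITS}
        for spec in RSA_KEY_SPECS
    }


def check_plaintext_fits(plaintext: bytes, key_spec: str, algorithm: str) -> int:
    """Raise ValueError if the plaintext exceeds the limit; return the limit.

    Checking locally avoids sending an Encrypt request that KMS will reject.
    """
    limit = max_plaintext_bytes(key_spec, algorithm)
    if len(plaintext) > limit:
        raise ValueError(
            f"{len(plaintext)} bytes exceeds the {limit}-byte limit "
            f"for {key_spec} with {algorithm}"
        )
    return limit


if __name__ == "__main__":
    for spec, limits in plaintext_limit_table().items():
        print(spec, limits)
    # Constructed input: a 32-byte data key wrapped under RSA_2048 / OAEP-SHA-256.
    print("limit:", check_plaintext_fits(b"\x00" * 32, "RSA_2048", "RSAES_OAEP_SHA_256"))
```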

 RSA 

 RSA  CMK  

 CMK  AWS KMS  Sign AWS KMS  RSA   Verify  CMK AWS KMS RSA  AWS KMS 

AWS KMS RSA  CMK Sign   Verify  

RSA signing algorithms

Signing algorithm          Description
RSASSA_PKCS1_V1_5_SHA_256  PKCS #1 v2.2, section 8.2: RSA signature with PKCS #1 v1.5 padding and SHA-256
RSASSA_PKCS1_V1_5_SHA_384  PKCS #1 v2.2, section 8.2: RSA signature with PKCS #1 v1.5 padding and SHA-384
RSASSA_PKCS1_V1_5_SHA_512  PKCS #1 v2.2, section 8.2: RSA signature with PKCS #1 v1.5 padding and SHA-512
RSASSA_PSS_SHA_256         PKCS #1 v2.2, section 8.1: RSA signature with PSS padding, MGF1, SHA-256 and a 256-bit salt
RSASSA_PSS_SHA_384         PKCS #1 v2.2, section 8.1: RSA signature with PSS padding, MGF1, SHA-384 and a 384-bit salt
RSASSA_PSS_SHA_512         PKCS #1 v2.2, section 8.1: RSA signature with PSS padding, MGF1, SHA-512 and a 512-bit salt


 CMK kms:SigningAlgorithm (p. 190)  CMK  
CMK  (p. 32)CMK  CMK AWS KMS DescribeKey.AWS KMS AWS KMSGetPublicKey .


 (ECC) AWS KMS  ECC  CMK AWS KMS  WITAWS KMS,   (p. 412)AWS KMS
AWS KMS  CMK  ECC 
·  NIST  · ECC_NIST_P256 (secp256r1) · ECC_NIST_P384 (secp384r1) · ECC_NIST_P521 (secp521r1)
·  · ECC_SECG_P256K1 (secp256k1)

 ECC  

 CMK ECC_SECG_P256K1  Bitcoin 

ECCCMKAWS KMS  AWS Key Management Service    (p. 532)

ECC  AWS KMS   CMK kms:SigningAlgorithm (p. 190)  CMK 

ECC signing algorithms

Key spec          Signing algorithm   Description
ECC_NIST_P256     ECDSA_SHA_256       ECDSA with SHA-256, NIST FIPS 186-4, section 6.4
ECC_NIST_P384     ECDSA_SHA_384       ECDSA with SHA-384, NIST FIPS 186-4, section 6.4
ECC_NIST_P521     ECDSA_SHA_512       ECDSA with SHA-512, NIST FIPS 186-4, section 6.4
ECC_SECG_P256K1   ECDSA_SHA_256       ECDSA with SHA-256, NIST FIPS 186-4, section 6.4

CMK 
CMK CMK  CMK 
AWS KMS  AWS KMS API CMK    CMK  CMK  (p. 46)
AWS KMS CMK  (p. 32)CMK   RSA CMK  [   ] 

AWS KMS API DescribeKey  KeyMetadata  CMK DescribeKey  RSA CMK 
{ "KeyMetadata": { "AWSAccountId": "111122223333", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": 1571767572.317, "Enabled": false, "Description": "", "KeyUsage": "SIGN_VERIFY", "KeyState": "Disabled", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER", "MultiRegion": false, "CustomerMasterKeySpec": "RSA_2048",
240

AWS Key Management Service   CMK  CMK 
"SigningAlgorithms": [ "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512"
] } }

 CMK  CMK 

AWS KMS  AWS KMS API  CMK  CMK  AWS KMS  CMK 

 CMK   (p. 405) (p. 283) CMK   (p. 421) CMK 

 CMK  AWS KMS   CMK  

 CMK  CMK  AWS KMS 

AWS KMS API   CMK

 CMK  CMK (SIGN_VERIFY) (ENCRYPT_DECRYPT)

CancelKeyDeletion

CreateAlias

CreateGrant

CreateKey
- Origin = EXTERNAL
- Origin = AWS_CLOUDHSM

 DeleteAlias DeleteImportedKeyMaterial DescribeKey


AWS KMS API   CMK DisableKey DisableKeyRotation EnableKey EnableKeyRotation  GenerateDataKey GenerateDataKeyPair
[1] GenerateDataKeyPairWithoutPlaintext
[1] GenerateDataKeyWithoutPlaintext GetKeyPolicy GetKeyRotationStatus
GetParametersForImport GetPublicKey ImportKeyMaterial ListAliases ListGrants ListKeyPolicies

 CMK  CMK (SIGN_VERIFY) (ENCRYPT_DECRYPT)
KeyRotationEnabled = false    KeyRotationEnabled = false


AWS KMS API   CMK
ListResourceTags
ListRetirableGrants
PutKeyPolicy
ReEncrypt
RetireGrant
RevokeGrant
ScheduleKeyDeletion
Sign
TagResource
UntagResource
UpdateAlias  CMK  CMK    ENCRYPT_DECRYPT  SIGN_VERIFY  UpdateKeyDescription


 CMK  CMK (SIGN_VERIFY) (ENCRYPT_DECRYPT)

[1] GenerateDataKeyPairWithoutPlaintext  GenerateDataKeyPair   CMK 


AWS KMS  (CMK)  AWS    (p. 15) ID (p. 14)  AWS   AWS   AWS KMS
 CMK AWS KMS   (p. 270)AWS KMS  (p. 266)  
 

  AWS     
 AWS      
  AWS  
 ( (CA) CA   CA )   CA   -
-   
 (AWS Encryption SDK DynamoDB , Amazon S3 Amazon DynamoDB  DynamoDB  AWS KMS()AWS 
AWSAWS KMS 
Amazon S3   CMK  
 AWS AWSnorAWS KMS AWS CMK (p. 4) CMKAWS 
  
 AWS KMS CMK   

 AWS  thatAWS KMS ()  ()  

 CMK  1  CMK AWS KMS (p. 530)  
Topics
·  (p. 251) ·  (p. 256) ·  (p. 262) ·  (p. 266) ·  (p. 270) ·  (p. 273)
 
AWS KMS  AWS     
 AWS   AWS KMS  Each AWS   
EclipseAWS KMS 1 
·        1  
·   
·   CMK     AWS CloudTrail
 (KMS: )  (KMS: ). AWS KMS  (kms:MultiRegion kms:ReplicaRegion   (p. 251)

 (p. 249) AWS  thatAWS KMS  ()  [] []   CMK CMK  ( (p. 250) )  (p. 256)()AWS KMS CreateKeyAPI MultiRegionSet true mrk-mrk- MRK  
 (p. 250) 1  AWS   AWS () ,AWS KMS  (p. 249) ID  (p. 250)  CMK AWS KMS2   (p. 259)()AWS KMS API.
 (p. 249) CMK   (p. 250)  CMK       ID  ARNAmazon    ARN  ID ARN   ID mrk-
Primary key: arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab
Replica key: arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab
 ID AWS KMS CMK  ID   CMK  ID  CMK    ID   ARN   AWS   4  ID  CMK    
 -- (p. 250)AWS KMS  (p. 249) (p. 249) AWS KMS  (p. 322) CloudTrail   AWS KMS       (p. 269) --  1  - (p. 249)  1     (p. 266) --  CMK AWS KMS 
AWS KMS  (p. 273)
Concepts


A ID  CMK  1  (  (p. 249) AWS    CMK   ID   AWS   
CMK   
 (p. 231)AWS KMS  (p. 405) (p. 421)
 1  (p. 249)  (p. 249) AWS    (p. 268)   1  AWS   AWS
 AWS   

A (CMK)  AWS    1 

·  (p. 259) ·  (p. 249) (p. 249)(
 ID ) ·  (p. 283) ·  (p. 273)
AWS KMS
CMK   CMK  

A (CMK)  ID (p. 14)  (p. 15) (p. 249)
 AWS    AWS    AWS  
  CMK     (p. 269)  (p. 266)
Replicate
 (p. 249) AWS   ,AWS KMS  (p. 249) ID (p. 14)  (p. 250) AWS KMS

AWS KMS  

·  ID (p. 14)-- (Region ARN (p. 14)) ·  (p. 15) ·  (p. 15) ·  (p. 16) ·  (p. 16) ·  (p. 283)-- 
  (p. 269)
  (p. 249)  (p. 268),AWS KMS  
, ,  (p. 85), (p. 199), (p. 58), (p. 62),  (p. 49)  AWS KMS
AWS CloudTrail  (p. 322)event.

   
Note
 IAM Resource  CMK  CMK  CMK  CMK KMS:  (p. 183)
  AWS    
IAM IAM  AWS    ARN   IAM  
 ·  (p. 251) ·  (p. 252) · AWS KMS (p. 255)

 IAM 
· --  (CMK)   (p. 85)    (p. 250)AWS KMS 
AWS KMS  AWS KMS   · -- CreateKey ReplicateKey (p. 86)   · IAM --  CMK IAM   (p. 87)IAM  (p. 104)  AWS   (aws:RequestedRegion 
kms:CreateKey 
· --AWS KMS  (p. 199)1  CMK    CMK  1  CMK 
·  ARN--  ARN (p. 246)  ARN  ID  
IAM  ARN   ARN  IAM  ARN  Region   (*) 
{ "Effect": "Allow", "Action": [ "kms:Describe*", "kms:List*" ], "Resource": { "arn:aws:kms:*::111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab" }
}
 AWS  KMS:   (p. 183) mrk- prefix. · --  iam:CreateServiceLinkedRole
AWS KMS IAM   (p. 255)AWS KMS AWS   ( AWS KMS  AWS KMS ()  iam:CreateServiceLinkedRole 

 
· kms:CreateKey · kms:ReplicateKey · kms:UpdatePrimaryRegion · iam:CreateServiceLinkedRole

 (p. 256)KMS:  iam:CreateServiceLinkedRole IAM    CMK 
- iam:CreateServiceLinkedRole AWS KMS AWSServiceRoleForKeyManagementServiceMultiRegionKeys  (p. 255) (p. 250) 
 IAM AWS KMSCMK.
{ "Version": "2012-10-17", "Statement":{ "Action": [ "kms:CreateKey", "iam:CreateServiceLinkedRole" ], "Effect":"Allow", "Resource":"*" }
}
KMS:   (p. 183)true() false( ) IAM Denykms:MultiRegion 
{ "Version": "2012-10-17", "Statement":{ "Action":"kms:CreateKey", "Effect":"Deny", "Resource":"*", "Condition": { "Bool": "kms:MultiRegion": true } }
}

 (p. 253)
· KMS:  · KMS:  IAM 
 CMK  -kms:ReplicateKey AWS KMS
 AWS  KMS:   (p. 188)kms:ReplicateKey  
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/Administrator" }, "Action": "kms:ReplicateKey",
253

AWS Key Management Service  
"Resource": "*", "Condition": {
"StringEquals": { "kms:ReplicaRegion": [ "us-east-1", "eu-west-3", "ap-southeast-2" ]
} } }

  (p. 266) KMS:   IAM 
· kms:UpdatePrimaryRegion 
· kms:UpdatePrimaryRegion 
CMK   CMK  
{ "Effect": "Allow", "Resource": "*", "Principal": { "AWS": "arn:aws:iam::111122223333:role/Administrator" }, "Action": "kms:UpdatePrimaryRegion"
}
 AWS  KMS:   (p. 184) IAM  AWS   1  
{ "Effect": "Allow", "Action": "kms:UpdatePrimaryRegion", "Resource": { "arn:aws:kms:*:111122223333:key/*" }, "Condition": { "StringEquals": { "kms:PrimaryRegion": [ "us-west-2", "sa-east-1", "ap-southeast-1" ] } }
}

CMK  AWS    Region  KMS:  (p. 183) KMS:   (p. 184) CreateKey CMK  EncryptEnableKey
 IAM kms:MultiRegion 
{ "Effect": "Deny", "Action": "kms:*", "Resource": "*", "Condition": { "Bool": "kms:MultiRegion": true }
}
 IAM kms:MultiRegionKeyType  
{ "Effect": "Allow", "Action": [ "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": { "arn:aws:kms:us-west-2:111122223333:key/*" }, "Condition": { "StringEquals": "kms:MultiRegionKeyType": "REPLICA" }
}
AWS KMS 
 (p. 251),AWS KMS IAM  AWS KMS (p. 250)  (p. 322) CloudTrail AWS KMS,  AWS CloudTrail

A1  IAM AWSAWS  AWS IAM  
AWS KMS AWSServiceRoleForKeyManagementServiceMultiRegionKeys
kms:SynchronizeMultiRegionKey 
AWSServiceRoleForKeyManagementServiceMultiRegionKeys mrk.kms.amazonaws.com AWS KMS AWS KMS AWS KMS :AWS KMS CMK  
AWS IAM 

AWS KMS AWSServiceRoleForKeyManagementServiceMultiRegionKeys  AWS   () 

AWSServiceRoleForKeyManagementServiceMultiRegionKeys  ()IAM 

AWS KMS AWSServiceRoleForKeyManagementServiceMultiRegionKeys  AWS  AWS KMS AWSServiceRoleForKeyManagementServiceMultiRegionKeys  AWS  

AWS KMSAPI.
 ·  (p. 256) ·  (p. 259)

 (p. 249)()AWS KMSAWS KMSAPI.  AWS  AWS KMS 
 CMK  (p. 22)  CMK KMS:  iam:CreateServiceLinkedRoleKMS:   (p. 184) 
AWS KMS   (p. 271)
 ·  () (p. 257) ·  (AWS KMSAPI) (p. 258)
 ()
AWS KMSCMK    (p. 21)
1. AWS Management Console AWS Key Management Service (AWS KMS)  (https://console.aws.amazon.com/kms) 
2. AWS  3. [Customer managed keys ()]  4. []  5.  (p. 231)
 6. [Advanced options ()]  7. []AWS KMS
KMS (p. 270)  8. []] 
CMK  9. alias (p. 62)CMK 
 CMK   CMK  AWS KMS
Note
CMK   ABAC AWS KMS (p. 114)  CMK  (p. 77) 10. () CMK 
 CMK  CMK AWS KMS  11. () CMK  [
 CMK  CMK AWS KMS CMK 
Note
CMK CMK   ABAC AWS KMS (p. 114)  CMK  (p. 56) 12. CMK  IAM 
Note
IAM  IAM  CMK  
 (p. 85)CMK  CMK   CMK  AWS KMS CMK  13. [] ]  CMK 
 (AWS KMSAPI)
CreateKey. MultiRegion True
 AWS  (us-east-1)   CMK  (p. 86)
MultiRegionMultiRegionConfiguration - ID (p. 14) mrk-
$ aws kms create-key --multi-region
{
  "KeyMetadata": {
    "Origin": "AWS_KMS",
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "Description": "",
    "KeyManager": "CUSTOMER",
    "Enabled": true,
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "CreationDate": 1606329032.475,
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "AWSAccountId": "111122223333",
    "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ],
    "MultiRegion": true,
    "MultiRegionConfiguration": {
      "MultiRegionKeyType": "PRIMARY",
      "PrimaryKey": {
        "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
        "Region": "us-east-1"
      },
      "ReplicaKeys": []
    }
  }
}

 (p. 249)()AWS KMS . CreateKey 
 (p. 288)Creating Enabled( (p. 270) Creating  KMSInvalidStateExceptionDescribeKey KeyState
AWS KMS   (p. 272)
 ·  (p. 259) ·  () (p. 259) ·  (AWS KMSAPI) (p. 261)

 AWS    
AWS KMS 
·  1 --   
· --  2 us-east-1, us-west-2
· -- AWS 
· --   AWS  
 ()
AWS KMS 1  
 CMK   (p. 250) 
  AWS KMS
1. AWS Management Console AWS Key Management Service (AWS KMS)  (https://console.aws.amazon.com/kms) 
2. AWS  3. [Customer managed keys ()]  4.  ID  (p. 249)CMK 

  5. [[]  6. ] [
-  7. 1  AWS   
AWS  
[]  X 8. alias (p. 62)CMK 
  CMK   (p. 250) CMKAWS KMS
CMK   ABAC AWS KMS (p. 114)  CMK  (p. 77) 9. () CMK 
  CMK  CMK  AWS KMS  10. () CMK  [
  CMK   CMK AWS KMS 
CMK CMK   ABAC AWS KMS (p. 114) CMK   (p. 56) 11. CMK  IAM 
Note
IAM  IAM  CMK  
 (p. 85)CMK   CMK   CMK  AWS KMS CMK  12. [] 
 (AWS KMSAPI)
.  CreateKey 1   (p. 259)
ReplicateKey (p. 250)   AWS KMSCMK  
Note
Tags,Description, KeyPolicyAWS KMS  (p. 86)
 ()  (ap-southeast-2)   ()  (us-east-1) KeyId 
 KeyId (CustomerMasterKeySpec)KeyUsage (Origin). Description  (ReplicaKeyPolicy) (ReplicaTags).
 ARN  (ap-southeast-2 ) ReplicaKey  ()  (eu-west-1)  
$ aws kms replicate-key \
    --key-id arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab \
    --replica-region ap-southeast-2
{
  "ReplicaKeyMetadata": {
    "MultiRegion": true,
    "MultiRegionConfiguration": {
      "MultiRegionKeyType": "REPLICA",
      "PrimaryKey": {
        "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
        "Region": "us-east-1"
      },
      "ReplicaKeys": [
        {
          "Arn": "arn:aws:kms:ap-southeast-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
          "Region": "ap-southeast-2"
        },
        {
          "Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
          "Region": "eu-west-1"
        }
      ]
    },
    "AWSAccountId": "111122223333",
    "Arn": "arn:aws:kms:ap-southeast-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "CreationDate": 1607472987.918,
    "Description": "",
    "Enabled": true,
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_KMS",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ]
  },
  "ReplicaKeyPolicy": "{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"keydefault-1\",...,
  "ReplicaTags": []
}

AWS KMSAWS KMSAPI  
 ·  (p. 262) · API  (p. 264)

AWS KMS  AWS  
- (p. 28)()AWS KMS CMK   AWS []  
-AWSAWS 
·  CMK  (p. 36)
·  CMK  (p. 29) 
· mrk- ID 
·   (p. 28)
-[]  []   [Regionality] -   AWS KMS  Region  sa-east-1 AWS KMS sa-east-1   [] 
API 
AWS KMSAPI DescribeKey.   LikeAWS KMSAWS KMSAPI  ListKeysListAliases DescribeKey  AWS   DescribeKey () (ap-northeast-1)  
$ aws kms describe-key \
    --key-id arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab \
    --region ap-northeast-1
KeyMetadata MultiRegionConfiguration () (us-west-2)  AWS  ( ()  )DescribeKeyMultiRegionConfiguration 
{
  "KeyMetadata": {
    "MultiRegion": true,
    "AWSAccountId": "111122223333",
    "Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "CreationDate": 1586329200.918,
    "Description": "",
    "Enabled": true,
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_KMS",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ],
    "MultiRegionConfiguration": {
      "MultiRegionKeyType": "PRIMARY",
      "PrimaryKey": {
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
        "Region": "us-west-2"
      },
      "ReplicaKeys": [
        {
          "Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
          "Region": "eu-west-1"
        },
        {
          "Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
          "Region": "ap-northeast-1"
        },
        {
          "Arn": "arn:aws:kms:sa-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
          "Region": "sa-east-1"
        }
      ]
    }
  }
}

   ·  (p. 266)
1  ·  (p. 269) ·  (p. 270)


   1     Enabled  (p. 288)    (p. 267)Updating  DescribeKey -Enabled  () (us-east-1)   () (eu-west-1) 
eu-west-1 us-east-1  AWS KMS  (p. 250)   ARN (p. 14)    (p. 100) KMS:  
-Updating
 AWS KMS. UpdatePrimaryRegion DescribeKey    UpdatingEnabled Updating
 Updating: CMK  (p. 288)
 ()
AWS KMSconsole.  
1. AWS Management ConsoleAWS Key Management Service(AWS KMS)  (https://console.aws.amazon.com/kms
2. AWS (Region)  
3. [Customer managed keys ()]  4.  ID  (p. 249)CMK 

  5. [ 6. [] [ 7.  1  
-   (p. 254) 8. 
 (AWS KMSAPI)
 .
KeyIdPrimaryRegion  AWS   
us-west-2 eu-west-1-KeyIdus-west-2 -PrimaryRegion AWS  eu-west-1
$ aws kms update-primary-region \
    --key-id arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab \
    --primary-region eu-west-1
HTTP  DescribeKey CMK Enabled  (p. 267)
DescribeKeyeu-west-1 eu-west-1  ( ID)us-west-2
$ aws kms describe-key \
    --key-id arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab
{
  "KeyMetadata": {
    "AWSAccountId": "111122223333",
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "CreationDate": 1609193147.831,
    "Enabled": true,
    "Description": "multi-region-key",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "Origin": "AWS_KMS",
    "KeyManager": "CUSTOMER",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ],
    "MultiRegion": true,
    "MultiRegionConfiguration": {
      "MultiRegionKeyType": "PRIMARY",
      "PrimaryKey": {
        "Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
        "Region": "eu-west-1"
      },
      "ReplicaKeys": [
        {
          "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
          "Region": "us-west-2"
        }
      ]
    }
  }
}

 (p. 283)   (p. 250)

· AWS KMS 
· AWS KMS  AWS KMS 
· AWS KMS 
·   
  
 CMK   CMK   (p. 283)

 CMK (p. 232),AWS KMS RSA   (ECC) key pair key pair   
AWS KMS  (p. 60) (p. 60) 

  

· AWS KMS  
·    
 
 (p. 259)  CMK   CMK  CMK  (p. 271)
 CMK (p. 232)  (p. 15)EXTERNALAWS KMS CMK (p. 232)  CMK (p. 421) (p. 283)  CMK 
  CMK   CMK   (p. 406)
 ·  CMK   (p. 271)
 ·  (p. 271) ·  (p. 272)
  CMK 
AWS KMS (CMK)  AWS KMS CMK    CMK   ID    CMK  AWS   
 
    (p. 410)    (p. 256)AWS KMS KMS: iam:CreateServiceLinkedRoleIAM  KMS:  (p. 184)kms:KeyOrigin (p. 181)   AWS KMS  CMK 
API OriginMultiRegion 
$ aws kms create-key --origin EXTERNAL --multi-region true
PendingImport  CMK   AWS Key Management Service (AWS KMS)  (p. 405) 
 
AWS KMSAWS KMSAPI    (p. 259)AWS KMS  PendingImport  AWS KMS ID (p. 14),  (p. 16), (p. 16),  (p. 15)   : 1.  (p. 271)
2. 
AWS KMS   () (p. 259)
. KeyId  ID  ARN   (AWS KMSAPI) (p. 261) 3.   (p. 412)  
 AWS KMS AWS Key Management Service (AWS KMS)  (p. 405) 

 

· KMS:  CMK CMK   CMK  IAM 

· KMS: IAM  · KMS:  IAM 
 · KMS:  IAM 
 · KMS:  IAM 
 · kms: AWS KMSconsole. 
 (p. 73)

 
CMK  AWS KMS   
  CMK 
Warning
AWS KMS CMK   CMK  (p. 58) 
 CMK    (p. 266)
CMK  (p. 393) CMK  (p. 402)CloudWatch  (p. 399)CMK  CMK  CMK   CMK  (p. 394)
 ·  (p. 274) ·  (p. 274) ·  (p. 277)


· KMS: --  

· KMS: --  · kms:DescribeKey-- 
 · KMS: -- 
 · KMS: -- 

· KMS:  · KMS: 
 IAM  CMK  

AWS KMSAWS KMSAPI   CMK 

1. 730 30 
2.  (p. 288)Pending deletion(PendingDeletion 
3.  Disabled (p. 58)CMK 
4. AWS KMS AWS CloudTraillogAWS KMSCMK  (p. 321) CMK  (p. 305)
 ()
 (p. 396)   AWS    
 1. AWS Management ConsoleAWS Key Management Service(AWS KMS)
https://console.aws.amazon.com/kms 2. [Customer managed keys ()]  3. 
 4.  ID  5. [
6.  ARN   
7. []    ( ) (p. 396)
8.   ARN  
 (AWS KMSAPI)
ScheduleKeyDeletion. CMK  ID (p. 14) ARN (p. 14) CMK   Region  ARN  us-west-2 ( ())   30 
$ aws kms schedule-key-deletion \
    --region us-west-2 \
    --key-id arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab
ARN (KeyId) (PendingWindowInDays) (DeletionDate) (KeyState) PendingDeletion
 ARN  ID  
{ "KeyId": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "DeletionDate": 1599523200.0, "KeyState": "PendingDeletion", "PendingWindowInDays": 30
}
  ScheduleKeyDeletion
 CMK  (p. 259) 
 CMK  CMK  DescribeKey.

AWS KMS  CMK  
 CMK  CMK   CMK  CMK   (p. 266)
CMK (p. 275) CMK  (p. 393)
  
AWS KMSAWS KMSAPI  CMK   CMK CMK 
1. 73030  CMK  
 CMK  (p. 288)Pending replica deletion(PendingReplicaDeletion). Pending deletion(PendingDeletion).  
 CMK   CMK Pending replica deletion

CMK                       Key state
Primary (us-east-1)       Pending replica deletion (waiting period 30 days -- not started)
Replica (us-west-2)       Enabled
Replica (eu-west-1)       Enabled
Replica (ap-southeast-2)  Enabled

2. 730 30 CMK  (p. 288)CMKPending deletion(PendingDeletion) CMK  
3CMK3CMK  PendingReplicaDeletion CMK

CMK                       Key state
Primary CMK (us-east-1)   Pending replica deletion (waiting period 30 days -- not started)
Replica (us-west-2)       Pending deletion (7 days)
Replica (eu-west-1)       Pending deletion (7 days)
Replica (ap-southeast-2)  Pending deletion (30 days)

3.  Disabled (p. 58)CMK 
4. AWS KMS Pending replica deletion(PendingReplicaDeletion) Pending deletion(PendingDeletion730 

CMK                       Key state
Primary CMK (us-east-1)   Pending deletion (waiting period 30 days)

5. AWS KMS  CMK  14   CMK  7   CMK  7  14 
· 1 : CMKCMK7CMK 7
· 7 : CMKAWS KMS CMK   CMK  7 
· 14 : AWS KMS
AWS CloudTraillogAWS KMS CMK  (p. 321) CMK  (p. 305)
Scheduling deletion of a primary key (console)

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys.
4. Select the check box next to the primary key. You can schedule deletion of only one key at a time.
5. Choose Key actions, Schedule key deletion.
6. Read and consider the warning, and the information about canceling the deletion during the waiting period.
7. For Waiting period (in days), enter a number of days between 7 and 30. The waiting period of a primary key does not start until all of its replica keys are deleted; until then AWS KMS holds the primary key in Pending replica deletion.
8. Select the check box to confirm that you want to delete the key in <number of days> days.
9. Choose Schedule deletion.

The key state (p. 32) field of the key changes to Pending deletion (Pending replica deletion while replica keys remain).

To cancel the scheduled deletion of a primary key, see (p. 262).

Scheduling deletion of a primary key (AWS KMS API)

To schedule deletion of a primary key, use the ScheduleKeyDeletion operation. Specify the key ID (p. 14) or key ARN (p. 14) of the primary key, and either use the key ARN or set the --region parameter to the Region of the primary key. This example schedules deletion of a primary key in us-east-1 (US East (N. Virginia)) with the default waiting period of 30 days.

$ aws kms schedule-key-deletion \
    --key-id arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab

The response includes the key ARN (KeyId) and the waiting period (PendingWindowInDays). If the primary key has no replica keys, its key state is PendingDeletion and the response includes a DeletionDate field. If the primary key has replica keys, as in this example, its key state is PendingReplicaDeletion and there is no DeletionDate field, because the waiting period has not started.

{
    "KeyId": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "KeyState": "PendingReplicaDeletion",
    "PendingWindowInDays": 30
}

To find the current key state of a primary key, use the DescribeKey operation. When the key state is PendingDeletion, the output includes the DeletionDate and PendingDeletionWindowInDays fields. When the key state is PendingReplicaDeletion, the output includes PendingDeletionWindowInDays (the value that you specified as PendingWindowInDays) but no DeletionDate, because the waiting period has not started.
$ aws kms describe-key \
    --key-id arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab

{
    "KeyMetadata": {
        "AWSAccountId": "111122223333",
        "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
        "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
        "CreationDate": 1597902361.481,
        "Enabled": false,
        "Description": "",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "PendingReplicaDeletion",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "MultiRegion": true,
        "MultiRegionConfiguration": {
            "MultiRegionKeyType": "PRIMARY",
            "PrimaryKey": {
                "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
                "Region": "us-east-1"
            },
            "ReplicaKeys": [
                {
                    "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
                    "Region": "us-west-2"
                },
                {
                    "Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
                    "Region": "eu-west-1"
                },
                {
                    "Arn": "arn:aws:kms:ap-southeast-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
                    "Region": "ap-southeast-2"
                }
            ]
        },
        "PendingDeletionWindowInDays": 30
    }
}

After the last replica key is deleted, the key state of the same primary key becomes PendingDeletion. DescribeKey now returns a DeletionDate, the ReplicaKeys list is empty, and the PendingDeletionWindowInDays field is no longer included, because the waiting period is running and the deletion date is fixed.

$ aws kms describe-key \
    --key-id arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab

{
    "KeyMetadata": {
        "AWSAccountId": "111122223333",
        "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
        "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
        "CreationDate": 1597902361.481,
        "Enabled": false,
        "Description": "",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "PendingDeletion",
        "DeletionDate": 1597968000.0,
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "MultiRegion": true,
        "MultiRegionConfiguration": {
            "MultiRegionKeyType": "PRIMARY",
            "PrimaryKey": {
                "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
                "Region": "us-east-1"
            },
            "ReplicaKeys": []
        }
    }
}
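The two DescribeKey responses above are the inputs an operator actually has when deciding whether a primary key's deletion clock is running. The following Python is an added example, not code from this guide or from AWS: it takes the KeyMetadata of a multi-Region key (sample metadata constructed here from the responses shown above), lists the replica Regions that must be deleted before the primary key's waiting period can start, and computes the earliest possible deletion date. The helper names (blocking_replicas, deletion_plan, earliest_primary_deletion) and the use of Unix timestamps for the "last replica deleted" input are this example's own assumptions.

```python
"""Interpret DescribeKey output for a multi-Region primary key scheduled for deletion."""
from datetime import datetime, timedelta, timezone

MRK = "mrk-1234abcd12ab34cd56ef1234567890ab"  # placeholder key ID used in this guide


def _arn(region):
    return f"arn:aws:kms:{region}:111122223333:key/{MRK}"


# Constructed KeyMetadata, modeled on the two describe-key responses above.
PRIMARY_WITH_REPLICAS = {
    "KeyId": MRK, "Arn": _arn("us-east-1"), "Enabled": False,
    "KeyState": "PendingReplicaDeletion", "MultiRegion": True,
    "MultiRegionConfiguration": {
        "MultiRegionKeyType": "PRIMARY",
        "PrimaryKey": {"Arn": _arn("us-east-1"), "Region": "us-east-1"},
        "ReplicaKeys": [{"Arn": _arn(r), "Region": r}
                        for r in ("us-west-2", "eu-west-1", "ap-southeast-2")],
    },
    "PendingDeletionWindowInDays": 30,
}
PRIMARY_ALONE = {
    "KeyId": MRK, "Arn": _arn("us-east-1"), "Enabled": False,
    "KeyState": "PendingDeletion", "DeletionDate": 1597968000.0, "MultiRegion": True,
    "MultiRegionConfiguration": {
        "MultiRegionKeyType": "PRIMARY",
        "PrimaryKey": {"Arn": _arn("us-east-1"), "Region": "us-east-1"},
        "ReplicaKeys": [],
    },
}


def blocking_replicas(meta):
    """Regions whose replica keys must be deleted before the primary key's
    waiting period can start. Empty for replica keys and single-Region keys."""
    cfg = meta.get("MultiRegionConfiguration") or {}
    if not meta.get("MultiRegion") or cfg.get("MultiRegionKeyType") != "PRIMARY":
        return []
    return [r["Region"] for r in cfg.get("ReplicaKeys", [])]


def deletion_plan(meta):
    """Summarise deletion status. In PendingReplicaDeletion there is no DeletionDate
    (the clock has not started); in PendingDeletion the date is fixed and
    PendingDeletionWindowInDays is no longer reported."""
    state = meta["KeyState"]
    plan = {"state": state, "blocking_replicas": blocking_replicas(meta),
            "waiting_period_days": meta.get("PendingDeletionWindowInDays"),
            "deletion_date": None}
    if state == "PendingDeletion":
        plan["deletion_date"] = datetime.fromtimestamp(meta["DeletionDate"], tz=timezone.utc)
    elif state != "PendingReplicaDeletion":
        plan["error"] = "key is not scheduled for deletion"
    return plan


def earliest_primary_deletion(meta, last_replica_deleted_epoch):
    """Earliest date the primary key can be deleted, given the Unix time at which
    its last replica key is (or will be) deleted: that is when the primary key's
    own waiting period starts."""
    plan = deletion_plan(meta)
    if plan["deletion_date"] is not None:
        return plan["deletion_date"]
    if plan["state"] != "PendingReplicaDeletion":
        raise ValueError(plan.get("error", plan["state"]))
    start = datetime.fromtimestamp(last_replica_deleted_epoch, tz=timezone.utc)
    return start + timedelta(days=plan["waiting_period_days"])


if __name__ == "__main__":
    print(deletion_plan(PRIMARY_WITH_REPLICAS))
    print(earliest_primary_deletion(PRIMARY_WITH_REPLICAS, 1597968000.0).isoformat())
```

The check that matters operationally is the empty DeletionDate: a key in PendingReplicaDeletion looks "scheduled for deletion" in the console but will never be deleted until someone also schedules every replica, so a runbook that only watches the primary key's DeletionDate would wait forever.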
Rotating customer master keys

Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your customer master keys (CMKs) (p. 4), you can create new CMKs and change your applications or aliases to use the new CMKs, or you can enable automatic key rotation for an existing CMK. When you enable automatic key rotation for a CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK's older cryptographic material in perpetuity so that it can be used to decrypt data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK (p. 393).

Key rotation changes only the CMK's backing key, which is the cryptographic material that is used in encryption operations. The CMK is the same logical resource, regardless of whether or how many times its backing key changes. Automatic key rotation has the following benefits:

  · The properties of the CMK, including its key ID (p. 14), key ARN (p. 14), Region, policies, and permissions, do not change when the key is rotated.
  · You do not need to change applications or aliases that refer to the CMK's key ID or key ARN.
  · After you enable key rotation, AWS KMS rotates the CMK automatically every year. You don't need to remember or schedule the update.

However, automatic key rotation has no effect on the data that the CMK protects. It does not rotate the data keys that the CMK generated or re-encrypt any data protected by the CMK, and it does not mitigate the effect of a compromised data key. Automatic rotation is also not available for asymmetric CMKs (p. 286), CMKs in custom key stores (p. 231, p. 421), or CMKs with imported key material (p. 283). For these CMKs, you can rotate keys manually (p. 286) by creating a new CMK and updating your applications or aliases to use it. Manual rotation is also a good choice when you want to control the rotation schedule yourself.

Topics
  · How automatic key rotation works (p. 284)
  · How to enable and disable automatic key rotation (p. 285)
  · Rotating keys manually (p. 286)

How automatic key rotation works

Key rotation in AWS KMS is a cryptographic best practice that is designed to be transparent and easy to use. AWS KMS supports optional automatic key rotation only for customer managed CMKs (p. 4).

  · Backing key management. AWS KMS retains all backing keys for a CMK, even if key rotation is disabled. The backing keys are deleted only when the CMK is deleted. When you use a CMK to encrypt, AWS KMS uses the current backing key. When you use the CMK to decrypt, AWS KMS uses the backing key that was used to encrypt.
  · Enable and disable key rotation. Automatic key rotation is disabled by default on customer managed CMKs (p. 4). When you enable (or re-enable) key rotation, AWS KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter.
  · Disabled CMKs. While a CMK is disabled, AWS KMS does not rotate it. However, the key rotation status does not change, and you cannot change it while the CMK is disabled. When the CMK is re-enabled, if the backing key is more than 365 days old, AWS KMS rotates it immediately and every 365 days thereafter. If the backing key is less than 365 days old, AWS KMS resumes the original key rotation schedule.
  · Pending deletion. While a CMK is pending deletion, AWS KMS does not rotate it. The key rotation status is set to false, and you cannot change it while deletion is pending. If deletion is canceled, the previous key rotation status is restored. If the backing key is more than 365 days old, AWS KMS rotates it immediately and every 365 days thereafter. If the backing key is less than 365 days old, AWS KMS resumes the original key rotation schedule.
  · AWS managed CMKs. You cannot manage key rotation for AWS managed CMKs (p. 4). AWS KMS automatically rotates AWS managed CMKs every 3 years (1095 days).
  · AWS owned CMKs. You cannot manage key rotation for AWS owned CMKs (p. 5). The key rotation strategy for an AWS owned CMK is determined by the AWS service that creates and manages the CMK (p. 283).
  · Multi-Region keys (p. 244). You enable and disable automatic key rotation only on the primary key; AWS KMS synchronizes the new key material to all related replica keys (p. 269).
  · Logging key rotation. When AWS KMS automatically rotates the key material for an AWS managed CMK (p. 4) or a customer managed CMK (p. 4), it writes a KMS CMK Rotation event to Amazon CloudWatch Events and a RotateKey event (p. 320) to your AWS CloudTrail log. You can use these records to verify that the CMK was rotated.

Unsupported CMK types. Automatic key rotation is not supported on the following CMK types, but you can rotate these CMKs manually (p. 286):
  · Asymmetric CMKs (p. 232)
  · CMKs in custom key stores (p. 421)
  · CMKs that have imported key material (p. 405)
 
How to enable and disable automatic key rotation

You can use the AWS KMS console or the AWS KMS API to enable and disable automatic key rotation and view the rotation status of any customer managed CMK.

When you enable automatic key rotation, AWS KMS rotates the CMK 365 days after the enable date and every 365 days thereafter.

Topics
  · Enabling and disabling key rotation (console) (p. 285)
  · Enabling and disabling key rotation (AWS KMS API) (p. 285)

Enabling and disabling key rotation (console)

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys. (You cannot enable or disable rotation of AWS managed CMKs; they are automatically rotated every 3 years.)
4. Choose the alias or key ID of a CMK.
5. Choose the Key rotation tab.
   The Key rotation tab appears only on the detail page of symmetric CMKs whose key material was generated by AWS KMS (Origin is AWS_KMS), including multi-Region symmetric CMKs. You cannot automatically rotate asymmetric CMKs (p. 286), CMKs with imported key material (p. 405), or CMKs in custom key stores (p. 421). However, you can rotate them manually (p. 286).
6. Select or clear the Automatically rotate this CMK every year check box.

   Note
   If a CMK is disabled or pending deletion, the Automatically rotate this CMK every year check box is cleared, and you cannot change it. The key rotation status is restored when you enable the CMK or cancel deletion. For details, see How automatic key rotation works (p. 284) and Key state: effect on your CMK (p. 288).

7. Choose Save.

Enabling and disabling key rotation (AWS KMS API)

You can use the AWS Key Management Service (AWS KMS) API to enable and disable automatic key rotation, and to view the current rotation status of any customer managed CMK. These examples use the AWS Command Line Interface (AWS CLI), but you can use any supported programming language.

The EnableKeyRotation operation enables automatic key rotation for the specified CMK. The DisableKeyRotation operation disables it. To identify the CMK in these operations, use its key ID (p. 14) or key ARN (p. 14). By default, key rotation is disabled for customer managed CMKs.

The following example enables key rotation on the specified symmetric CMK and uses the GetKeyRotationStatus operation to see the result. Then, it disables key rotation and, again, uses GetKeyRotationStatus to see the change.

$ aws kms enable-key-rotation --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

$ aws kms get-key-rotation-status --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "KeyRotationEnabled": true
}

$ aws kms disable-key-rotation --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

$ aws kms get-key-rotation-status --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "KeyRotationEnabled": false
}

Rotating keys manually

You might want to create a new CMK and use it in place of a current CMK instead of enabling automatic key rotation. When the new CMK has different cryptographic material than the current CMK, using the new CMK has the same effect as changing the backing key in an existing CMK. The process of replacing one CMK with another is known as manual key rotation.

You might prefer to rotate keys manually so that you can control the rotation frequency. It is also a good solution for CMKs that are not eligible for automatic key rotation, such as asymmetric CMKs (p. 421), CMKs in custom key stores (p. 405), and CMKs with imported key material.

Note
When you begin using the new CMK, be sure to keep the original CMK enabled so that AWS KMS can decrypt data that the original CMK encrypted. When decrypting data, AWS KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, AWS KMS can decrypt any data that was encrypted by either CMK.

Because the new CMK has a different key ID and key ARN than the current one, changing CMKs always requires changes to references in your applications, unless the applications refer to the CMK by alias. Aliases (p. 62), which associate a friendly name with a CMK, make this process easier: to rotate, update the alias so that it points to the new CMK (p. 71); applications that use the alias keep working without change.

To update the target CMK of an alias, use the UpdateAlias operation in the AWS KMS API. For example, this command updates the alias/TestKey alias to point to a new CMK. Because the operation does not return any output, the example uses the ListAliases operation to show that the alias is now associated with a different CMK and that the LastUpdatedDate field is updated.

$ aws kms list-aliases
{
    "Aliases": [
        {
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/TestKey",
            "AliasName": "alias/TestKey",
            "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
            "CreationDate": 1521097200.123,
            "LastUpdatedDate": 1521097200.123
        },
    ]
}

$ aws kms update-alias --alias-name alias/TestKey --target-key-id 0987dcba-09fe-87dc-65ba-ab0987654321

$ aws kms list-aliases
{
    "Aliases": [
        {
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/TestKey",
            "AliasName": "alias/TestKey",
            "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
            "CreationDate": 1521097200.123,
            "LastUpdatedDate": 1604958290.722
        },
    ]
}
Key state: effect on your CMK

A customer master key (CMK) always has a key state. The key state can change when you perform certain actions, such as enabling or disabling a CMK, scheduling its deletion, or importing key material.

Whether an AWS KMS API operation on a CMK succeeds or fails depends on the key state. In the key state table, a check mark means that the operation succeeds in that key state, an X means that it fails with the exception given in the footnote, and a question mark (?) means that it might succeed or fail depending on other factors.

Operations that do not use an existing CMK, such as CreateKey and ListKeys, are not affected by key state and are not included in the table.

Topics
  · Key states of CMKs (p. 288)
  · Key state table (p. 288)

Key states of CMKs

  · A new CMK is created in the Enabled key state, except a CMK with imported key material, which is created in PendingImport.
  · The key states that a CMK can take are Enabled, Disabled, PendingImport, PendingDeletion, and Unavailable, plus Creating, Updating, and PendingReplicaDeletion for multi-Region keys.
  · Every CMK can be Enabled, Disabled, or PendingDeletion. Enabled means that the CMK can be used in cryptographic operations; Disabled means that it cannot; PendingDeletion means that deletion has been scheduled and the waiting period is in progress.
  · PendingImport applies only to CMKs with imported key material (p. 405): the CMK has no usable key material because it has not yet been imported or has expired.
  · Unavailable applies only to CMKs in custom key stores (p. 421): a CMK is Unavailable when the AWS CloudHSM cluster that backs its custom key store is disconnected.
  · Creating, Updating, and PendingReplicaDeletion apply only to multi-Region keys (p. 244).
    · Creating: the replica key is being created by ReplicateKey. When the process completes, the key state becomes Enabled, or PendingImport if the key material is to be imported.
    · Updating: the primary Region of the key is being changed by UpdatePrimaryRegion. When the process completes, the key state returns to Enabled.
    · PendingReplicaDeletion: a primary key is scheduled for deletion but still has replica keys. When the last replica key is deleted, the key state becomes PendingDeletion and the waiting period starts (p. 273).

Key state table

The following table shows which AWS KMS API operations succeed in each key state of a CMK: Enabled, Disabled, Pending deletion, Pending import, Unavailable, Creating, Updating, and Pending replica deletion. In the table, a check mark means that the operation succeeds, an X with a footnote number ([n]) means that it fails with the exception named in that footnote, and a question mark means that the result depends on other factors. The per-cell marks of the table did not survive extraction; only the operation rows and the footnote key are reproduced here.

Operations covered by the table:
CancelKeyDeletion, CreateAlias, CreateGrant, DeleteAlias, DeleteImportedKeyMaterial, DescribeKey, DisableKey, DisableKeyRotation, EnableKey, EnableKeyRotation, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetKeyPolicy, GetKeyRotationStatus, GetParametersForImport, GetPublicKey, ImportKeyMaterial, ListAliases, ListGrants, ListKeyPolicies, ListResourceTags, PutKeyPolicy, ReEncrypt, RetireGrant, RevokeGrant, ScheduleKeyDeletion, Sign, TagResource, UntagResource, UpdateAlias, UpdateKeyDescription.

Footnotes
  [1] DisabledException: <CMK ARN> is disabled.
  [2] DisabledException: <CMK ARN> is pending deletion (or pending replica deletion).
  [3] KMSInvalidStateException: <CMK ARN> is pending deletion (or pending replica deletion).
  [4] KMSInvalidStateException: <CMK ARN> is not pending deletion (or pending replica deletion).
  [5] KMSInvalidStateException: <CMK ARN> is pending import.
  [6] UnsupportedOperationException: <CMK ARN> origin is EXTERNAL which is not valid for this operation.
  [7] The operation is not supported for some CMK types (the condition text was lost in extraction): UnsupportedOperationException.
  [8] For some CMKs (the condition text was lost in extraction): KMSInvalidStateException.
  [9] If the CMK does not have imported key material (its Origin is not EXTERNAL): UnsupportedOperationException.
  [10] If the alias is updated to point to a CMK that is pending deletion: KMSInvalidStateException: <CMK ARN> is pending deletion.
  [11] KMSInvalidStateException: <CMK ARN> is unavailable. This exception applies only to CMKs in a custom key store whose AWS CloudHSM cluster is disconnected.
  [12] Applies only to CMKs in a custom key store (the remaining condition text was lost in extraction).
  [13] Applies to a CMK in a custom key store that is in PendingDeletion (the remaining condition text was lost in extraction).
  [14] KMSInvalidStateException: <CMK ARN> is creating. AWS KMS is still creating the replica key (ReplicateKey).
  [15] KMSInvalidStateException: <CMK ARN> is updating. AWS KMS is changing the primary Region of the multi-Region key (UpdatePrimaryRegion).
Monitoring customer master keys

Monitoring is an important part of understanding the availability, state, and usage of your customer master keys (CMKs) in AWS KMS and of maintaining the reliability, availability, and performance of your AWS solutions. Before you start monitoring your CMKs, create a monitoring plan that answers the following questions:

  · What are your monitoring goals?
  · What resources will you monitor?
  · How often will you monitor these resources?
  · What monitoring tools (p. 294) will you use?
  · Who will perform the monitoring tasks?
  · Who should be notified when something goes wrong?

The next step is to monitor your CMKs over time to establish a baseline for normal AWS KMS usage in your environment, so that you can recognize anomalies and decide how to address them.

For example, you can monitor the following AWS KMS API activity and events that affect your CMKs:

  · Cryptographic operations (p. 12) on a CMK (Decrypt, Encrypt, ReEncrypt, GenerateDataKey, and so on), which show who is using the key and when.
  · Management operations that change the properties of a CMK: enabling or disabling it, rotating it, tagging it, changing its aliases, scheduling or canceling its deletion, and changing who can use it (for example, PutKeyPolicy or RevokeGrant).
  · Events that AWS KMS initiates for you, such as the expiration of imported key material (p. 405) and the deletion of a CMK at the end of its waiting period.

Monitoring tools

AWS provides tools that you can use to monitor your CMKs. You can configure some of these tools to do the monitoring for you; others require manual intervention.

Automated monitoring tools

You can use the following automated monitoring tools to watch your CMKs and report when something is wrong:

  · AWS CloudTrail log monitoring. Share log files between accounts, monitor CloudTrail log files in real time by sending them to CloudWatch Logs, write log processing applications, and validate that your log files have not changed after delivery by CloudTrail. For more information, see Working with CloudTrail log files in the AWS CloudTrail User Guide.
  · Amazon CloudWatch alarms. Watch a single metric over a time period that you specify, and perform one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The action is a notification sent to an Amazon Simple Notification Service (Amazon SNS) topic or an Amazon EC2 Auto Scaling policy. CloudWatch alarms do not invoke actions simply because they are in a particular state; the state must have changed and been maintained for a specified number of periods. For more information, see Monitoring with Amazon CloudWatch (p. 333).
  · Amazon CloudWatch Events. Match events and route them to one or more target functions or streams to make changes, capture state information, and take corrective action. For more information, see AWS KMS events (p. 336) and the Amazon CloudWatch Events User Guide.
  · Amazon CloudWatch Logs. Monitor, store, and access your log files from AWS CloudTrail or other sources. For more information, see the Amazon CloudWatch Logs User Guide.

Manual monitoring tools

Another important part of monitoring CMKs is manually monitoring the items that CloudWatch alarms and events do not cover. The AWS KMS, CloudWatch, AWS Trusted Advisor, and other AWS console dashboards provide an at-a-glance view of the state of your AWS environment.

The AWS KMS console (p. 28) shows the following information about each CMK:
  · Key ID
  · Status
  · Creation date
  · Expiration date (for CMKs with imported key material (p. 405))
  · Origin
  · Custom key store ID (for CMKs in custom key stores (p. 421))

The CloudWatch home page shows:
  · Current alarms and status
  · Graphs of alarms and resources
  · Service health status

In addition, you can use CloudWatch to:
  · Create customized dashboards to monitor the services you care about
  · Graph metric data to troubleshoot issues and discover trends
  · Search and browse all your AWS resource metrics
  · Create and edit alarms to be notified of problems

AWS Trusted Advisor can help you monitor your AWS resources to improve performance, reliability, security, and cost effectiveness. Four Trusted Advisor checks are available to all users; more than 50 checks are available to users with a Business or Enterprise support plan. For more information, see AWS Trusted Advisor.
Logging AWS KMS API calls with AWS CloudTrail

AWS KMS is integrated with AWS CloudTrail, a service that records all calls to AWS KMS made by a user, a role, or an AWS service. CloudTrail captures API calls from the AWS KMS console, the AWS KMS API, the AWS Command Line Interface (AWS CLI), and AWS Tools for PowerShell, as well as calls that AWS services make on your behalf.

CloudTrail logs all AWS KMS operations, including read-only operations such as ListAliases and GetKeyRotationStatus, operations that manage CMKs such as CreateKey and PutKeyPolicy, and cryptographic operations (p. 12) such as GenerateDataKey and Decrypt. It also logs operations that AWS KMS performs for you, such as rotating key material and deleting a CMK at the end of its waiting period.

CloudTrail logs successful operations and attempted calls that failed, such as calls that were denied. Cross-account operations on CMKs (p. 120) are logged in both the caller's account and the key owner's account.

AWS KMS does not record sensitive information in CloudTrail log entries, such as the Plaintext in an Encrypt request or the key policy document returned by GetKeyPolicy.

CloudTrail lets you exclude AWS KMS events from a trail, but doing so hides the use and management of your CMKs; see Excluding AWS KMS events from a trail (p. 297).

Topics
  · Finding your log files (p. 296)
  · Excluding AWS KMS events from a trail (p. 297)
  · Examples of AWS KMS log entries (p. 297)

Finding your log files

CloudTrail is enabled on your AWS account when you create the account, and AWS KMS activity is recorded in the CloudTrail event history. To keep a continuous record of AWS KMS events, create a trail: a trail delivers log files to an Amazon S3 bucket that you specify. Using the information collected by CloudTrail, you can determine the request that was made to AWS KMS, the IP address from which it was made, who made it, when it was made, and additional details.

CloudTrail log files can contain one or more log entries. Each entry is a JSON-formatted record of a single request from any source, including the requested action, the date and time of the action, and the request parameters. Log entries are not an ordered stack trace of the public API calls, so they do not appear in any specific order. For more information, see the following topics in the AWS CloudTrail User Guide:

  · Receiving CloudTrail log files from multiple accounts
  · CloudTrail log file structure
  · Amazon SNS notifications of CloudTrail log delivery
  · Identifying CloudTrail log files

To learn what to watch for in your CloudTrail logs, see Monitoring customer master keys (p. 294).

The userIdentity element of a log entry tells you who made the request:
  · whether the request was made with root or IAM user credentials,
  · whether the request was made with temporary security credentials for a role or federated user, or
  · whether the request was made by another AWS service.
For more information, see the CloudTrail userIdentity element in the AWS CloudTrail User Guide.

Excluding AWS KMS events from a trail

Most AWS KMS users rely on the events in a CloudTrail trail to provide a record of the use and management of their customer master keys (CMKs) (p. 17). The trail can be a valuable source of data for auditing critical events, such as creating, disabling, and deleting CMKs, changing key policies, and the use of your CMKs by AWS services on your behalf.

However, because AWS KMS can generate a large number of events, AWS CloudTrail lets you exclude AWS KMS events from a trail. This per-trail setting excludes all AWS KMS events; you cannot exclude particular AWS KMS events.

Warning
Excluding AWS KMS events from a CloudTrail log can obscure actions that use your CMKs. Be cautious when giving principals the cloudtrail:PutEventSelectors permission that is required to perform this operation.

To exclude AWS KMS events from a trail:

  · In the CloudTrail console, use the Log Key Management Service events setting when you create or update a trail. For instructions, see Logging management events with the AWS Management Console in the AWS CloudTrail User Guide.
  · In the CloudTrail API, use the PutEventSelectors operation. Unless you specify the ExcludeManagementEventSources parameter with a value of kms.amazonaws.com, the trail records AWS KMS events. For details, see Logging AWS Key Management Service events in the AWS CloudTrail User Guide.

You can disable this exclusion at any time by changing the console setting or the event selectors. The trail then records AWS KMS events again, but it cannot recover the AWS KMS events that occurred while the exclusion was in effect.

When you exclude AWS KMS events by using the console or the API, the resulting CloudTrail PutEventSelectors API call is itself logged in your CloudTrail logs. If AWS KMS events do not appear in your CloudTrail logs, look for a PutEventSelectors event with the ExcludeManagementEventSources attribute set to kms.amazonaws.com.

Examples of AWS KMS log entries

AWS KMS writes entries to your CloudTrail log when you call an AWS KMS operation and when an AWS service calls an operation on your behalf. AWS KMS also writes an entry when it calls an operation for you, such as deleting a CMK at the end of its waiting period (p. 305).

The following examples show CloudTrail log entries for these operations.
  · CancelKeyDeletion (p. 298)
  · CreateAlias (p. 299)
  · CreateGrant (p. 300)
  · CreateKey (p. 301)
  · Decrypt (p. 302)
  · Decrypt (for a Nitro enclave) (p. 303)
  · DeleteAlias (p. 303)
  · DeleteExpiredKeyMaterial (p. 304)
  · DeleteKey (p. 305)
  · DescribeKey (p. 306)
  · DisableKey (p. 307)
  · EnableKey (p. 308)
  · EnableKeyRotation (p. 308)
  · Encrypt (p. 309)
  · GenerateDataKey (p. 310)
  · GenerateDataKey (for a Nitro enclave) (p. 310)
  · GenerateDataKeyPair (p. 311)
  · GenerateDataKeyPairWithoutPlaintext (p. 312)
  · GenerateDataKeyWithoutPlaintext (p. 313)
  · GenerateRandom (p. 313)
  · GenerateRandom (for a Nitro enclave) (p. 314)
  · GetKeyPolicy (p. 315)
  · GetParametersForImport (p. 315)
  · ImportKeyMaterial (p. 316)
  · ListAliases (p. 317)
  · ListGrants (p. 317)
  · ReEncrypt (p. 318)
  · ReplicateKey (p. 319)
  · RotateKey (p. 320)
  · ScheduleKeyDeletion (p. 321)
  · SynchronizeMultiRegionKey (p. 322)
  · TagResource (p. 323)
  · UntagResource (p. 323)
  · UpdateAlias (p. 324)
  · UpdatePrimaryRegion (p. 325)
  · Amazon EC2 example one (p. 326)
  · Amazon EC2 example two (p. 328)
CancelKeyDeletion
The following example shows an AWS CloudTrail log entry for the CancelKeyDeletion operation. For information about canceling a scheduled deletion, see Deleting customer master keys (p. 393).

{
    "eventVersion": "1.05",
    "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
    "eventTime": "2020-07-27T21:53:17Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CancelKeyDeletion",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" },
    "responseElements": { "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" },
    "requestID": "e3452e68-d4b0-4ec7-a768-7ae96c23764f",
    "eventID": "d818bf03-6655-48e9-8b26-f279a07075fd",
    "readOnly": false,
    "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
CreateAlias
The following example shows an AWS CloudTrail log entry for the CreateAlias operation. The resources element includes both the alias and the CMK that it points to. For information about aliases, see Using aliases (p. 65).

{
    "Records": [ {
        "eventVersion": "1.02",
        "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-04T00:52:27Z" } } },
        "eventTime": "2014-11-04T00:52:27Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "CreateAlias",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "AWS Internal",
        "requestParameters": { "aliasName": "alias/my_alias", "targetKeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" },
        "responseElements": null,
        "requestID": "d9472f40-63bc-11e4-bc2b-4198b6150d5c",
        "eventID": "f72d3993-864f-48d6-8f16-e26e1ae8dff0",
        "readOnly": false,
        "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" }, { "ARN": "arn:aws:kms:us-east-1:123456789012:alias/my_alias", "accountId": "111122223333" } ],
        "eventType": "AwsApiCall",
        "recipientAccountId": "111122223333"
    } ]
}
CreateGrant
The following example shows an AWS CloudTrail log entry for the CreateGrant operation. For information about grants in AWS KMS, see Using grants (p. 199).

{
    "Records": [ {
        "eventVersion": "1.02",
        "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
        "eventTime": "2014-11-04T00:53:12Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "CreateGrant",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "AWS Internal",
        "requestParameters": { "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "constraints": { "encryptionContextSubset": { "ContextKey1": "Value1" } }, "operations": ["Encrypt", "RetireGrant"], "granteePrincipal": "EX_PRINCIPAL_ID" },
        "responseElements": { "grantId": "f020fe75197b93991dc8491d6f19dd3cebb24ee62277a05914386724f3d48758" },
        "requestID": "f3c08808-63bc-11e4-bc2b-4198b6150d5c",
        "eventID": "5d529779-2d27-42b5-92da-91aaea1fc4b5",
        "readOnly": false,
        "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
        "eventType": "AwsApiCall",
        "recipientAccountId": "111122223333"
    } ]
}
CreateKey
The following example shows an AWS CloudTrail log entry for the CreateKey operation (p. 232). For information about creating CMKs, see Creating keys (p. 21).

The CreateKey entry records the request parameters, including the complete key policy document, and the metadata of the new CMK in the response elements.

{
    "Records": [ {
        "eventVersion": "1.02",
        "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
        "eventTime": "2020-06-30T02:34:07Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "CreateKey",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "AWS Internal",
        "requestParameters": {
            "policy": "{\n \"Version\":\"2012-10-17\",\n \"Statement\":[{\n \"Effect\":\"Allow\",\n \"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/Alice\"},\n \"Action\":\"kms:*\",\n \"Resource\":\"*\"\n }, {\n \"Effect\":\"Allow\",\n \"Principal\":{\"AWS\":\"arn:aws:iam::012345678901:user/Bob\"},\n \"Action\":\"kms:CreateGrant\",\n \"Resource\":\"*\"\n }, {\n \"Effect\":\"Allow\",\n \"Principal\":{\"AWS\":\"arn:aws:iam::012345678901:user/Charlie\"},\n \"Action\":\"kms:Encrypt\",\n \"Resource\":\"*\"\n}]\n}",
            "description": "",
            "keyUsage": "ENCRYPT_DECRYPT",
            "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "origin": "AWS_KMS",
            "bypassPolicyLockoutSafetyCheck": false
        },
        "responseElements": {
            "keyMetadata": { "aWSAccountId": "111122223333", "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "creationDate": "Jun 30, 2020 2:34:07 AM", "enabled": true, "description": "", "keyUsage": "ENCRYPT_DECRYPT", "keyState": "Enabled", "origin": "AWS_KMS", "keyManager": "CUSTOMER", "customerMasterKeySpec": "SYMMETRIC_DEFAULT", "encryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ] }
        },
        "requestID": "ebe8ee68-63bc-11e4-bc2b-4198b6150d5c",
        "eventID": "ba116326-1792-4784-87dd-a688d1cb42ec",
        "readOnly": false,
        "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
        "eventType": "AwsApiCall",
        "recipientAccountId": "111122223333"
    } ]
}
Decrypt
The following example shows an AWS CloudTrail log entry for the Decrypt operation. Note that the encryption context is recorded, but the plaintext and ciphertext are not.

{
    "eventVersion": "1.05",
    "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
    "eventTime": "2020-07-27T22:58:24Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": { "Department": "Engineering", "Project": "Alpha" } },
    "responseElements": null,
    "requestID": "b4a65126-30d5-4b28-98b9-9153da559963",
    "eventID": "e5a2f202-ba1a-467c-b4ba-f729d45ae521",
    "readOnly": true,
    "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
Decrypt (for a Nitro enclave)

The following example shows an AWS CloudTrail log entry for a Decrypt operation that was called from within an AWS Nitro enclave by using the kms-decrypt API of the AWS Nitro Enclaves SDK. AWS Nitro Enclaves is an Amazon EC2 capability that lets you create isolated compute environments to protect and securely process highly sensitive data. For information about using AWS KMS from an enclave, see Using AWS KMS in the AWS Nitro Enclaves User Guide for Linux instances.

In the log entry, the additionalEventData field carries the information from the enclave's attestation document that AWS KMS used to authorize the request: the module ID of the enclave (attestationDocumentModuleId) and the digest of the enclave image (attestationDocumentEnclaveImageDigest). The plaintext that AWS KMS returned is encrypted under the enclave's public key and is not recorded.

{
    "eventVersion": "1.05",
    "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
    "eventTime": "2020-07-27T22:58:24Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" },
    "responseElements": null,
    "additionalEventData": {
        "recipient": {
            "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
            "attestationDocumentEnclaveImageDigest": "ee0d451a2ff9aaaa9bccd07700b9cab123a0ac2386ef7e88ad5ea6c72ebabea840957328e2ec890b408c9b06cb8ebe6a"
        }
    },
    "requestID": "b4a65126-30d5-4b28-98b9-9153da559963",
    "eventID": "e5a2f202-ba1a-467c-b4ba-f729d45ae521",
    "readOnly": true,
    "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
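The Decrypt entries above, the DeleteKey service event later in this section, and the PutEventSelectors warning in "Excluding AWS KMS events from a trail" all describe things an analyst has to check in a trail. The following Python is an added example, not part of this guide or of any AWS tool: it runs a small triage over constructed CloudTrail records shaped like the entries in this section, flagging key lifecycle and authorization changes, use of keys owned by another account, and cryptographic calls whose plaintext was released to a Nitro enclave whose image digest is not on an allowlist; and it checks a trail's event selectors for the kms.amazonaws.com exclusion. The record fields come from this section; the severity levels, the allowlist, the event set and the helper names (triage, kms_excluded_from_trail) are this example's own assumptions.

```python
"""Triage AWS KMS CloudTrail records and check whether a trail drops KMS events."""

# Management events that change whether a key can be used, or by whom (assumed set).
LIFECYCLE_EVENTS = {
    "ScheduleKeyDeletion", "DisableKey", "DisableKeyRotation", "DeleteImportedKeyMaterial",
    "PutKeyPolicy", "CreateGrant", "RevokeGrant", "UpdateAlias", "DeleteAlias",
    "UpdatePrimaryRegion",
}
# Enclave image digest (SHA-384) from the guide's example entry; the allowlist is constructed.
GUIDE_DIGEST = ("ee0d451a2ff9aaaa9bccd07700b9cab123a0ac2386ef7e88ad5ea6c72ebabea8"
                "40957328e2ec890b408c9b06cb8ebe6a")
TRUSTED_ENCLAVE_IMAGES = {GUIDE_DIGEST}
KEY = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ALICE = "arn:aws:iam::111122223333:user/Alice"


def _record(name, actor_account, actor_arn=None, key_account="111122223333", **extra):
    """Build a minimal CloudTrail record in the shape of the entries above (constructed)."""
    ident = {"accountId": actor_account}
    ident.update({"arn": actor_arn} if actor_arn else {"invokedBy": "AWS Internal"})
    rec = {"eventSource": "kms.amazonaws.com", "eventName": name, "eventType": "AwsApiCall",
           "recipientAccountId": actor_account, "userIdentity": ident,
           "resources": [{"accountId": key_account, "type": "AWS::KMS::Key", "ARN": KEY}]}
    rec.update(extra)
    return rec


SAMPLE_RECORDS = [  # constructed sample log
    _record("Decrypt", "111122223333", ALICE, additionalEventData={"recipient": {
        "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
        "attestationDocumentEnclaveImageDigest": GUIDE_DIGEST}}),
    _record("DisableKey", "111122223333", ALICE),
    _record("DeleteKey", "111122223333", eventType="AwsServiceEvent"),
    _record("GenerateDataKey", "444455556666", "arn:aws:iam::444455556666:role/app"),
    _record("Decrypt", "111122223333", ALICE, additionalEventData={"recipient": {
        "attestationDocumentModuleId": "i-0000000000000000-enc0000000000000000",
        "attestationDocumentEnclaveImageDigest": "00" * 48}}),
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},  # ignored: not KMS
]
EXCLUDING_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                        "ExcludeManagementEventSources": ["kms.amazonaws.com"]}]


def kms_excluded_from_trail(event_selectors):
    """True if any event selector drops AWS KMS management events, i.e. the
    PutEventSelectors setting ExcludeManagementEventSources = kms.amazonaws.com."""
    return any("kms.amazonaws.com" in sel.get("ExcludeManagementEventSources", [])
               for sel in event_selectors)


def triage(records):
    """Return findings as (severity, eventName, actor, key ARNs, reason) tuples."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        name, ident = rec.get("eventName"), rec.get("userIdentity", {})
        actor = ident.get("arn") or ident.get("invokedBy")
        caller_account = ident.get("accountId") or rec.get("recipientAccountId")
        resources = rec.get("resources", [])
        keys = [r["ARN"] for r in resources]
        if rec.get("eventType") == "AwsServiceEvent" and name == "DeleteKey":
            findings.append(("INFO", name, actor, keys, "key material destroyed after waiting period"))
        if name in LIFECYCLE_EVENTS:
            findings.append(("HIGH", name, actor, keys, "key lifecycle or authorization change"))
        foreign = [r["ARN"] for r in resources if r.get("accountId") != caller_account]
        if foreign:
            findings.append(("MEDIUM", name, actor, foreign, "key owned by another account"))
        recipient = rec.get("additionalEventData", {}).get("recipient")
        if recipient:  # plaintext left KMS encrypted to an enclave: check which image
            digest = recipient.get("attestationDocumentEnclaveImageDigest", "")
            trusted = digest in TRUSTED_ENCLAVE_IMAGES
            findings.append(("INFO" if trusted else "HIGH", name, actor, keys,
                             f"plaintext released to enclave {recipient.get('attestationDocumentModuleId')}"
                             f" image {digest[:16]}... ({'trusted' if trusted else 'UNKNOWN image'})"))
    return findings


if __name__ == "__main__":
    print("KMS events excluded from trail:", kms_excluded_from_trail(EXCLUDING_SELECTORS))
    for finding in triage(SAMPLE_RECORDS):
        print(*finding, sep=" | ")
```

Two design points: the cross-account check compares the key's account with the caller's account from userIdentity rather than with recipientAccountId, so the same record is flagged whether it is read from the caller's trail or from the key owner's trail; and the enclave check treats an unknown image digest as HIGH because, for a Decrypt with a recipient, the attestation document is the only thing that tells you where the plaintext went.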
DeleteAlias
The following example shows an AWS CloudTrail log entry for the DeleteAlias operation. For information about deleting aliases, see (p. 71).

{
    "Records": [ {
        "eventVersion": "1.02",
        "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-04T00:52:27Z" } } },
        "eventTime": "2014-11-04T00:52:27Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "DeleteAlias",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "AWS Internal",
        "requestParameters": { "aliasName": "alias/my_alias" },
        "responseElements": null,
        "requestID": "d9542792-63bc-11e4-bc2b-4198b6150d5c",
        "eventID": "12f48554-bb04-4991-9cfc-e7e85f68eda0",
        "readOnly": false,
        "resources": [ { "ARN": "arn:aws:kms:us-east-1:111122223333:alias/my_alias", "accountId": "111122223333" }, { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
        "eventType": "AwsApiCall",
        "recipientAccountId": "111122223333"
    } ]
}
DeleteExpiredKeyMaterial
When you import key material into a customer master key (CMK), you can set an expiration time for the key material (p. 316). When the key material expires, AWS KMS deletes it and writes a DeleteExpiredKeyMaterial entry to your CloudTrail log; the key state of the CMK changes to PendingImport. For information about importing key material, see Importing key material in AWS Key Management Service (AWS KMS) (p. 405).

The following example shows the AWS CloudTrail log entry that AWS KMS writes when it deletes expired key material. Because AWS KMS performs the operation for you, the entry is an AWS service event with no request parameters, and the key ID appears in serviceEventDetails.

{
    "eventVersion": "1.05",
    "userIdentity": { "accountId": "111122223333", "invokedBy": "AWS Internal" },
    "eventTime": "2021-01-01T16:00:00Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DeleteExpiredKeyMaterial",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "cfa932fd-0d3a-4a76-a8b8-616863a2b547",
    "readOnly": false,
    "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }
}
DeleteKey
The following example shows an AWS CloudTrail log entry for a DeleteKey operation. AWS KMS writes this entry when it deletes a customer master key (CMK) at the end of the waiting period that you set with ScheduleKeyDeletion. Because AWS KMS performs the deletion for you, the entry is an AWS service event with no request parameters, and the key ID appears in serviceEventDetails.

The DeleteKey entry is written in addition to the ScheduleKeyDeletion entry (p. 321) that records your request. For information about deleting CMKs, see Deleting customer master keys (p. 393).

{
    "eventVersion": "1.05",
    "userIdentity": { "accountId": "111122223333", "invokedBy": "AWS Internal" },
    "eventTime": "2020-07-31T00:07:00Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DeleteKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "b25f9cda-74e1-4458-847b-4972a0bf9668",
    "readOnly": false,
    "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }
}
DescribeKey
The following example shows AWS CloudTrail log entries for DescribeKey operations. AWS KMS calls DescribeKey for a CMK when you view its details (p. 28) in the AWS KMS console, and for every CMK on a page when you view a list of CMKs (p. 28). As a result, you see many DescribeKey entries in your log whose invokedBy value is signin.amazonaws.com.

{
    "Records": [ {
        "eventVersion": "1.02",
        "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T20:51:21Z" } }, "invokedBy": "signin.amazonaws.com" },
        "eventTime": "2014-11-05T20:51:34Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "DescribeKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "signin.amazonaws.com",
        "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" },
        "responseElements": null,
        "requestID": "874d4823-652d-11e4-9a87-01af2a1ddecb",
        "eventID": "f715da9b-c52c-4824-99ae-88aa1bb58ae4",
        "readOnly": true,
        "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
        "eventType": "AwsApiCall",
        "recipientAccountId": "111122223333"
    }, {
        "eventVersion": "1.02",
        "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T20:51:21Z" } }, "invokedBy": "signin.amazonaws.com" },
        "eventTime": "2014-11-05T20:51:55Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "DescribeKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "signin.amazonaws.com",
        "requestParameters": { "keyId": "0987dcba-09fe-87dc-65ba-ab0987654321" },
        "responseElements": null,
        "requestID": "9400c720-652d-11e4-9a87-01af2a1ddecb",
        "eventID": "939fcefb-dc14-4a52-b918-73045fe97af3",
        "readOnly": true,
        "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", "accountId": "111122223333" } ],
        "eventType": "AwsApiCall",
        "recipientAccountId": "111122223333"
    } ]
}
DisableKey
The following example shows an AWS CloudTrail log entry for the DisableKey operation. For information, see Enabling and disabling keys (p. 58).

{
    "Records": [ {
        "eventVersion": "1.02",
        "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
        "eventTime": "2014-11-04T00:52:43Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "DisableKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "AWS Internal",
        "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" },
        "responseElements": null,
        "requestID": "e26552bc-63bc-11e4-bc2b-4198b6150d5c",
        "eventID": "995c4653-3c53-4a06-a0f0-f5531997b741",
        "readOnly": false,
        "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
        "eventType": "AwsApiCall",
        "recipientAccountId": "111122223333"
    } ]
}
EnableKey
The following example shows an AWS CloudTrail log entry for the EnableKey operation. For information, see Enabling and disabling keys (p. 58).

{
    "Records": [ {
        "eventVersion": "1.02",
        "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
        "eventTime": "2014-11-04T00:52:20Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "EnableKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "AWS Internal",
        "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" },
        "responseElements": null,
        "requestID": "d528a6fb-63bc-11e4-bc2b-4198b6150d5c",
        "eventID": "be393928-3629-4370-9634-567f9274d52e",
        "readOnly": false,
        "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
        "eventType": "AwsApiCall",
        "recipientAccountId": "111122223333"
    } ]
}
EnableKeyRotation
The following example shows an AWS CloudTrail log entry for the EnableKeyRotation operation. For an example of the CloudTrail entry that is written when the key is actually rotated, see RotateKey (p. 320). For information about rotating CMKs, see Rotating customer master keys (p. 283).

{
    "eventVersion": "1.05",
    "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
    "eventTime": "2020-07-25T23:41:56Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "EnableKeyRotation",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" },
    "responseElements": null,
    "requestID": "81f5b794-452b-4d6a-932b-68c188165273",
    "eventID": "fefc43a7-8e06-419f-bcab-b3bf18d6a401",
    "readOnly": false,
    "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
Encrypt
The following example shows an AWS CloudTrail log entry for the Encrypt operation. The encryption context is recorded; the plaintext is not.

{
    "Records": [ {
        "eventVersion": "1.02",
        "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
        "eventTime": "2014-11-04T00:53:11Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Encrypt",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "AWS Internal",
        "requestParameters": { "encryptionContext": { "Department": "Engineering" }, "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionAlgorithm": "SYMMETRIC_DEFAULT" },
        "responseElements": null,
        "requestID": "f3423043-63bc-11e4-bc2b-4198b6150d5c",
        "eventID": "91235988-eb87-476a-ac2c-0cdc244e6dca",
        "readOnly": true,
        "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
        "eventType": "AwsServiceEvent",
        "recipientAccountId": "111122223333"
    } ]
}
GenerateDataKey
The following example shows an AWS CloudTrail log entry for the GenerateDataKey operation.

{
    "Records": [ {
        "eventVersion": "1.02",
        "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
        "eventTime": "2014-11-04T00:52:40Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "AWS Internal",
        "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "keySpec": "AES_256", "encryptionContext": { "Department": "Engineering", "Project": "Alpha" } },
        "responseElements": null,
        "requestID": "e0eb83e3-63bc-11e4-bc2b-4198b6150d5c",
        "eventID": "a9dea4f9-8395-46c0-942c-f509c02c2b71",
        "readOnly": true,
        "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
        "eventType": "AwsApiCall",
        "recipientAccountId": "111122223333"
    } ]
}
GenerateDataKey (for a Nitro enclave)

The following example shows an AWS CloudTrail log entry for a GenerateDataKey operation that was called from within an AWS Nitro enclave by using the kms-generate-data-key API of the AWS Nitro Enclaves SDK. AWS Nitro Enclaves is an Amazon EC2 capability that lets you create isolated compute environments to protect and securely process highly sensitive data. For information about using AWS KMS from an enclave, see Using AWS KMS in the AWS Nitro Enclaves User Guide for Linux instances.

As in the Decrypt example for a Nitro enclave, the additionalEventData field carries the module ID and enclave image digest from the attestation document.

{
    "eventVersion": "1.02",
    "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
    "eventTime": "2014-11-04T00:52:40Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "numberOfBytes": 32 },
    "responseElements": null,
    "additionalEventData": {
        "recipient": {
            "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
            "attestationDocumentEnclaveImageDigest": "ee0d451a2ff9aaaa9bccd07700b9cab123a0ac2386ef7e88ad5ea6c72ebabea840957328e2ec890b408c9b06cb8ebe6a"
        }
    },
    "requestID": "e0eb83e3-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "a9dea4f9-8395-46c0-942c-f509c02c2b71",
    "readOnly": true,
    "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
GenerateDataKeyPair
The following example shows an AWS CloudTrail log entry for the GenerateDataKeyPair operation. This entry records a request for an RSA_3072 data key pair whose private key is encrypted under a symmetric CMK.

{
  "eventVersion": "1.05",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2020-07-27T18:57:57Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKeyPair",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "keyPairSpec": "RSA_3072", "encryptionContext": { "Project": "Alpha" }, "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" },
  "responseElements": null,
  "requestID": "52fb127b-0fe5-42bb-8e5e-f560febde6b0",
  "eventID": "9b6bd6d2-529d-4890-a949-593b13800ad7",
  "readOnly": true,
  "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
GenerateDataKeyPairWithoutPlaintext
The following example shows an AWS CloudTrail log entry for the GenerateDataKeyPairWithoutPlaintext operation. This entry records a request for an RSA_4096 data key pair whose private key is encrypted under a symmetric CMK; the plaintext private key is not returned to the caller.

{
  "eventVersion": "1.05",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2020-07-27T18:57:57Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKeyPairWithoutPlaintext",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "keyPairSpec": "RSA_4096", "encryptionContext": { "Index": "5" }, "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" },
  "responseElements": null,
  "requestID": "52fb127b-0fe5-42bb-8e5e-f560febde6b0",
  "eventID": "9b6bd6d2-529d-4890-a949-593b13800ad7",
  "readOnly": true,
  "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
GenerateDataKeyWithoutPlaintext
The following example shows an AWS CloudTrail log entry for the GenerateDataKeyWithoutPlaintext operation. This particular entry records a request that failed: the errorCode field is InvalidKeyUsageException. Failed requests are logged with the same eventName as successful ones, so filter on the presence of errorCode to find denied or rejected calls.

{ "Records": [ {
  "eventVersion": "1.02",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2014-11-04T00:52:23Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKeyWithoutPlaintext",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "errorCode": "InvalidKeyUsageException",
  "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "keySpec": "AES_256", "encryptionContext": { "Project": "Alpha" } },
  "responseElements": null,
  "requestID": "d6b8e411-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "f7734272-9ec5-4c80-9f36-528ebbe35e4a",
  "readOnly": true,
  "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
} ] }
GenerateRandom
The following example shows an AWS CloudTrail log entry for the GenerateRandom operation. Because this operation does not use a CMK, the resources field is empty and requestParameters is null.

{ "Records": [ {
  "eventVersion": "1.02",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2014-11-04T00:52:37Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateRandom",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "df1e3de6-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "239cb9f7-ae05-4c94-9221-6ea30eef0442",
  "readOnly": true,
  "resources": [],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
} ] }
GenerateRandom (Nitro enclave)
The following example shows an AWS CloudTrail log entry for a call to the GenerateRandom operation made from a Nitro enclave through the kms-generate-random API of the AWS Nitro Enclaves SDK.

AWS Nitro Enclaves is an Amazon EC2 capability that lets you create isolated compute environments (enclaves) to protect and process highly sensitive data. AWS KMS supports Nitro Enclaves through the AWS Nitro Enclaves SDK; for details, see the Nitro Enclaves section of the Amazon EC2 User Guide for Linux Instances.

As in the GenerateDataKey example above, the CloudTrail entry includes an additionalEventData field whose recipient element records the enclave's attestationDocumentModuleId and attestationDocumentEnclaveImageDigest. The random bytes are encrypted to the enclave's public key, so the digest identifies the only enclave image able to read them.

{
  "eventVersion": "1.02",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2014-11-04T00:52:37Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateRandom",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "recipient": {
      "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
      "attestationDocumentEnclaveImageDigest": "ee0d451a2ff9aaaa9bccd07700b9cab123a0ac2386ef7e88ad5ea6c72ebabea840957328e2ec890b408c9b06cb8ebe6a"
    }
  },
  "requestID": "df1e3de6-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "239cb9f7-ae05-4c94-9221-6ea30eef0442",
  "readOnly": true,
  "resources": [],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
GetKeyPolicy
The following example shows an AWS CloudTrail log entry for the GetKeyPolicy operation. The policy document itself is not logged. For information about key policies, see p. 97.

{ "Records": [ {
  "eventVersion": "1.02",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2014-11-04T00:50:30Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GetKeyPolicy",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "policyName": "default" },
  "responseElements": null,
  "requestID": "93746dd6-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "4aa7e4d5-d047-452a-a5a6-2cce282a7e82",
  "readOnly": true,
  "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
} ] }
GetParametersForImport
The following example shows an AWS CloudTrail log entry for the GetParametersForImport operation, which returns the public wrapping key and import token needed to import key material into a CMK. The entry records the wrapping algorithm (RSAES_OAEP_SHA_256) and wrapping key spec (RSA_2048) requested; the public key and token are valid for 24 hours, so a GetParametersForImport with no ImportKeyMaterial following it within that window is worth a second look. For details, see p. 412.

{
  "eventVersion": "1.05",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2020-07-25T23:58:23Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GetParametersForImport",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "wrappingAlgorithm": "RSAES_OAEP_SHA_256", "wrappingKeySpec": "RSA_2048" },
  "responseElements": null,
  "requestID": "b5786406-e3c7-43d6-8d3c-6d5ef96e2278",
  "eventID": "4023e622-0c3e-4324-bdef-7f58193bba87",
  "readOnly": true,
  "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
ImportKeyMaterial
The following example shows an AWS CloudTrail log entry for the ImportKeyMaterial operation. The entry records the expiration model and validTo time of the imported material; the key material itself is never logged (it travels wrapped under the public key obtained from GetParametersForImport). For details about the ImportKeyMaterial entry and about importing key material into a CMK, see p. 417.

{
  "eventVersion": "1.05",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2020-07-26T00:08:00Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "ImportKeyMaterial",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "validTo": "Jan 1, 2021 8:00:00 PM", "expirationModel": "KEY_MATERIAL_EXPIRES" },
  "responseElements": null,
  "requestID": "89e10ee7-a612-414d-95a2-a128346969fd",
  "eventID": "c7abd205-a5a2-4430-bbfa-fc10f3e2d79f",
  "readOnly": false,
  "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
ListAliases
The following example shows an AWS CloudTrail log entry for the ListAliases operation. Because this operation does not use a CMK, the resources field is empty. For information about aliases, see p. 66.

{ "Records": [ {
  "eventVersion": "1.02",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2014-11-04T00:51:45Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "ListAliases",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "limit": 5, "marker": "eyJiIjoiYWxpYXMvZTU0Y2MxOTMtYTMwNC00YzEwLTliZWItYTJjZjA3NjA2OTJhIiwiYSI6ImFsaWFzL2U1NGNjMTkzLWEzMDQtN" },
  "responseElements": null,
  "requestID": "bfe6c190-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "a27dda7b-76f1-4ac3-8b40-42dfba77bcd6",
  "readOnly": true,
  "resources": [],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
} ] }
ListGrants
The following example shows an AWS CloudTrail log entry for the ListGrants operation. For information about grants, see p. 199.

{ "Records": [ {
  "eventVersion": "1.02",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2014-11-04T00:52:49Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "ListGrants",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "marker": "eyJncmFudElkIjoiMWY4M2U2ZmM0YTY2NDgxYjQ2Yzc4MTdhM2Y4YmQwMDFkZDNiYmQ1MGVlYTMyY2RmOWFiNWY1Nzc1NDNjYmNmM \u003d\u003d", "limit": 10 },
  "responseElements": null,
  "requestID": "e5c23960-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "d24380f5-1b20-4253-8e92-dd0492b3bd3d",
  "readOnly": true,
  "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
} ] }
ReEncrypt
The following example shows an AWS CloudTrail log entry for the ReEncrypt operation. The resources field lists both CMKs used in the operation: the source CMK and the destination CMK. Note that requestParameters carries only destinationKeyId; the source CMK is derived from the ciphertext, so to learn which key the data was re-encrypted from you must read the first entry in resources.

{
  "eventVersion": "1.05",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2020-07-27T23:09:13Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "ReEncrypt",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "sourceEncryptionAlgorithm": "SYMMETRIC_DEFAULT",
    "sourceEncryptionContext": { "Project": "Alpha", "Department": "Engineering" },
    "destinationKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
    "destinationEncryptionAlgorithm": "SYMMETRIC_DEFAULT",
    "destinationEncryptionContext": { "Level": "3A" }
  },
  "responseElements": null,
  "requestID": "03769fd4-acf9-4b33-adf3-2ab8ca73aadf",
  "eventID": "542d9e04-0e8d-4e05-bf4b-4bdeb032e6ec",
  "readOnly": true,
  "resources": [
    { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" },
    { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321" }
  ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
ReplicateKey
The following example shows an AWS CloudTrail log entry for the ReplicateKey operation. A ReplicateKey request results in both a ReplicateKey event and a CreateKey event in the CloudTrail log. The responseElements include the replica key's metadata (keyState Creating and enabled false until creation completes) and the complete replicaPolicy. Review that policy in the log: it is what governs the new key in the replica Region, including any cross-account principals it names. bypassPolicyLockoutSafetyCheck is false here, the safe default. For details, see p. 259.

{
  "eventVersion": "1.08",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2020-11-18T01:29:18Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "ReplicateKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "replicaRegion": "us-west-2", "bypassPolicyLockoutSafetyCheck": false, "description": "" },
  "responseElements": {
    "replicaKeyMetadata": {
      "aWSAccountId": "111122223333",
      "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
      "arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "creationDate": "Nov 18, 2020, 1:29:18 AM",
      "enabled": false,
      "description": "",
      "keyUsage": "ENCRYPT_DECRYPT",
      "keyState": "Creating",
      "origin": "AWS_KMS",
      "keyManager": "CUSTOMER",
      "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
      "encryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ],
      "multiRegion": true,
      "multiRegionConfiguration": {
        "multiRegionKeyType": "REPLICA",
        "primaryKey": { "arn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "region": "us-east-1" },
        "replicaKeys": [ { "arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "region": "us-west-2" } ]
      }
    },
    "replicaPolicy": "{\n \"Version\":\"2012-10-17\",\n \"Statement\":[{\n \"Effect\":\"Allow\",\n \"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/Alice\"},\n \"Action\":\"kms:*\",\n \"Resource\":\"*\"\n }, {\n \"Effect\":\"Allow\",\n \"Principal\":{\"AWS\":\"arn:aws:iam::012345678901:user/Bob\"},\n \"Action\":\"kms:CreateGrant\",\n \"Resource\":\"*\"\n }, {\n \"Effect\":\"Allow\",\n \"Principal\":{\"AWS\":\"arn:aws:iam::012345678901:user/Charlie\"},\n \"Action\":\"kms:Encrypt\",\n \"Resource\":\"*\"\n}]\n}"
  },
  "requestID": "abcdef68-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "fedcba44-6773-4f96-8763-1993aec9ae6a",
  "readOnly": false,
  "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
RotateKey
The following example shows an AWS CloudTrail log entry for the RotateKey event. RotateKey is not an API operation that you call; AWS KMS generates this event when it rotates the key material of a CMK. When you enable automatic key rotation for a CMK (EnableKeyRotation), AWS KMS rotates the CMK 365 days after rotation is enabled and every 365 days thereafter.

Because the rotation is performed by AWS KMS itself, the entry looks different from an API call: userIdentity contains only the account ID and invokedBy "AWS Internal", sourceIPAddress is "AWS Internal", there is no requestID, eventType is AwsServiceEvent, and the rotated key is identified in serviceEventDetails.keyId. For the CloudTrail entry that records enabling rotation, see EnableKeyRotation (p. 308). For information about key rotation, see p. 283.

{
  "eventVersion": "1.05",
  "userIdentity": { "accountId": "111122223333", "invokedBy": "AWS Internal" },
  "eventTime": "2021-01-14T01:41:59Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "RotateKey",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": null,
  "responseElements": null,
  "eventID": "a24b3967-ddad-417f-9b22-2332b918db06",
  "readOnly": false,
  "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
  "eventType": "AwsServiceEvent",
  "recipientAccountId": "111122223333",
  "serviceEventDetails": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }
}
ScheduleKeyDeletion
The following example shows an AWS CloudTrail log entry for the ScheduleKeyDeletion operation on a CMK. The requestParameters record the pendingWindowInDays (20 here; AWS KMS accepts 7 to 30 and defaults to 30), and the responseElements record the resulting keyState (PendingDeletion) and deletionDate. A short waiting period leaves less time to notice and cancel a mistaken or malicious deletion, so alert on this event and on windows shorter than your policy allows.

If ScheduleKeyDeletion is called on a multi-Region primary key that still has replica keys (p. 277), the keyState is PendingReplicaDeletion and no deletionDate appears; the primary key's deletion date is not known until its last replica is deleted.

When AWS KMS actually deletes the key, CloudTrail records a DeleteKey event (p. 305). For information about deleting CMKs, see p. 393.

{
  "eventVersion": "1.08",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2021-03-23T18:58:30Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "ScheduleKeyDeletion",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "pendingWindowInDays": 20, "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" },
  "responseElements": { "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "keyState": "PendingDeletion", "deletionDate": "Apr 12, 2021 18:58:30 PM" },
  "requestID": "ee408f36-ea01-422b-ac14-b0f147c68334",
  "eventID": "3c4226b0-1e81-48a8-a333-7fa5f3cbd118",
  "readOnly": false,
  "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
SynchronizeMultiRegionKey
The following example shows an AWS CloudTrail log entry for the SynchronizeMultiRegionKey event. AWS KMS generates this event when it synchronizes the shared properties (p. 250) of multi-Region keys (p. 244). Like RotateKey, it is service activity rather than a call you make, so userIdentity holds only the account ID and invokedBy "AWS Internal".

The resources field of the entry contains the key ARN of the multi-Region key in the AWS Region where the synchronization was recorded; each Region logs its own entry.

{
  "eventVersion": "1.08",
  "userIdentity": { "accountId": "111122223333", "invokedBy": "AWS Internal" },
  "eventTime": "2020-11-18T02:04:37Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "SynchronizeMultiRegionKey",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "12345681-de97-42e9-bed0-b02ae1abd8dc",
  "eventID": "abcdec99-2b5c-4670-9521-ddb8f031e146",
  "readOnly": false,
  "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
TagResource
The following example shows an AWS CloudTrail log entry for the TagResource operation. This entry records a request that adds a tag with the tag key Department and the tag value IT. Because tags can be used in IAM policy conditions (ABAC), a tag change can change who may use the key; treat TagResource and UntagResource as authorization changes when reviewing logs.

For the entry that records UntagResource, see UntagResource (p. 323). For information about tagging CMKs, see p. 49.

{
  "eventVersion": "1.05",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2020-07-01T21:19:25Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "TagResource",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "tags": [ { "tagKey": "Department", "tagValue": "IT" } ] },
  "responseElements": null,
  "requestID": "b942584a-f77d-4787-9feb-b9c5be6e746d",
  "eventID": "0a091b9b-0df5-4cf9-b667-6f2879532b8f",
  "readOnly": false,
  "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
UntagResource
The following example shows an AWS CloudTrail log entry for the UntagResource operation. This entry records a request that deletes the tag with the tag key Dept.

For the entry that records TagResource, see TagResource (p. 323). For information about tagging CMKs, see p. 49.

{
  "eventVersion": "1.05",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2020-07-01T21:19:19Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "UntagResource",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "tagKeys": [ "Dept" ] },
  "responseElements": null,
  "requestID": "cb1d507b-6015-47f4-812b-179713af8068",
  "eventID": "0b00f4b0-036e-411d-aa75-87eb4a35a4b3",
  "readOnly": false,
  "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
UpdateAlias
The following example shows an AWS CloudTrail log entry for the UpdateAlias operation. The resources field includes both the alias ARN and the ARN of the CMK the alias now points to. Repointing an alias silently changes which key every caller that uses the alias encrypts with, so this event deserves the same attention as a key policy change. For information about aliases, see p. 65.

{ "Records": [ {
  "eventVersion": "1.05",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2020-11-13T23:18:15Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "UpdateAlias",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "aliasName": "alias/my_alias", "targetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" },
  "responseElements": null,
  "requestID": "d9472f40-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "f72d3993-864f-48d6-8f16-e26e1ae8dff0",
  "readOnly": false,
  "resources": [
    { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:alias/my_alias" },
    { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }
  ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
} ] }
UpdatePrimaryRegion
The following examples show AWS CloudTrail log entries for the UpdatePrimaryRegion operation, which changes which key in a multi-Region key set is the primary key (p. 244).

A single UpdatePrimaryRegion request produces two CloudTrail entries: one in the Region of the current primary key and one in the Region of the replica key that becomes the new primary. The two entries share a requestID but have different eventIDs; the second is attributed to the same caller with invokedBy "kms.amazonaws.com" and has no resources field. Deduplicate on requestID if you count these operations.

The first entry records the UpdatePrimaryRegion request in the Region of the current primary key (us-west-2). The primaryRegion parameter names the Region of the replica that becomes the new primary (ap-northeast-1).

{
  "eventVersion": "1.08",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" },
  "eventTime": "2021-03-10T20:23:37Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "UpdatePrimaryRegion",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "keyId": "mrk-1234abcd12ab34cd56ef1234567890ab", "primaryRegion": "ap-northeast-1" },
  "responseElements": null,
  "requestID": "ee408f36-ea01-422b-ac14-b0f147c68334",
  "eventID": "3c4226b0-1e81-48a8-a333-7fa5f3cbd118",
  "readOnly": false,
  "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab" } ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "eventCategory": "Management",
  "recipientAccountId": "111122223333"
}

The second entry records the same UpdatePrimaryRegion request in ap-northeast-1, the Region of the replica key that becomes the new primary.

{
  "eventVersion": "1.08",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "invokedBy": "kms.amazonaws.com" },
  "eventTime": "2021-03-10T20:23:37Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "UpdatePrimaryRegion",
  "awsRegion": "ap-northeast-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": { "keyId": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "primaryRegion": "ap-northeast-1" },
  "responseElements": null,
  "requestID": "ee408f36-ea01-422b-ac14-b0f147c68334",
  "eventID": "091e6be5-737f-43c6-8431-e3679d6d0619",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "eventCategory": "Management",
  "recipientAccountId": "111122223333"
}
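The entries above share a small set of fields that matter for detection: errorCode on failed calls, eventType and invokedBy on service-generated activity, the recipient attestation digest on Nitro enclave requests, pendingWindowInDays on ScheduleKeyDeletion, and the duplicated requestID on UpdatePrimaryRegion. The following script is an added example (it is not code from the AWS KMS Developer Guide) that turns those observations into a triage pass over a batch of records. The sample records are constructed from the entry shapes shown in this section, reusing the guide's placeholder IDs and enclave digest; IDs beginning with 00000000 are constructed. The enclave allow-list and the 30-day minimum deletion window are policy assumptions made for the example.

```python
"""Triage of AWS KMS CloudTrail records (added example; sample data is
constructed from the entry shapes in the AWS KMS Developer Guide)."""
import json
from typing import Dict, List

# Assumed policy: only enclave images we built and measured may receive
# plaintext from KMS. The digest below is the one in the guide's sample entry.
TRUSTED_ENCLAVE_DIGESTS = {
    "ee0d451a2ff9aaaa9bccd07700b9cab123a0ac2386ef7e88ad5ea6c72ebabea840957328e2ec890b408c9b06cb8ebe6a",
}
MIN_PENDING_WINDOW_DAYS = 30   # assumed organisational minimum (KMS accepts 7 to 30)

# Writes that change key material, policy or lifecycle. When a person rather
# than AWS itself performs one of these, somebody should look at it.
SENSITIVE_WRITES = {
    "ScheduleKeyDeletion", "ImportKeyMaterial", "DeleteImportedKeyMaterial",
    "DisableKey", "DisableKeyRotation", "PutKeyPolicy", "UpdatePrimaryRegion",
}


def triage(record: dict) -> List[str]:
    """Return findings for one CloudTrail record; an empty list means benign."""
    findings: List[str] = []
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    identity = record.get("userIdentity") or {}
    who = identity.get("arn") or identity.get("accountId")

    # Failed calls keep their normal eventName; only errorCode marks them.
    if "errorCode" in record:
        findings.append(f"{name} by {who} failed: {record['errorCode']}")

    # RotateK ey, SynchronizeMultiRegionKey and calls AWS services make on a
    # user's behalf are service activity; the checks below target people.
    if record.get("eventType") == "AwsServiceEvent" or identity.get("invokedBy") == "AWS Internal":
        return findings

    # Nitro enclave request: the digest is the enclave image measurement (PCR0).
    recipient = (record.get("additionalEventData") or {}).get("recipient") or {}
    digest = recipient.get("attestationDocumentEnclaveImageDigest")
    if digest is not None and digest not in TRUSTED_ENCLAVE_DIGESTS:
        findings.append(f"{name} delivered output to unrecognised enclave image {digest[:16]}...")

    if name == "ScheduleKeyDeletion":
        window = params.get("pendingWindowInDays", 30)   # KMS default when omitted
        if window < MIN_PENDING_WINDOW_DAYS:
            findings.append(f"deletion of {params.get('keyId')} scheduled with a {window}-day window")

    if name == "ImportKeyMaterial" and params.get("expirationModel") == "KEY_MATERIAL_EXPIRES":
        findings.append(f"material for {params.get('keyId')} expires {params.get('validTo')}; "
                        "alarm on SecondsUntilKeyMaterialExpiration")

    if name in SENSITIVE_WRITES and record.get("readOnly") is False:
        findings.append(f"{name} on {params.get('keyId')} by {who}")
    return findings


def triage_all(records: List[dict]) -> Dict[str, List[str]]:
    """Map eventID -> findings for records that produced any. UpdatePrimaryRegion
    writes two entries (one per Region) with the same requestID; collapse them."""
    report: Dict[str, List[str]] = {}
    seen_requests = set()
    for record in records:
        request_key = record.get("requestID") or record["eventID"]
        if request_key in seen_requests:
            continue
        seen_requests.add(request_key)
        findings = triage(record)
        if findings:
            report[record["eventID"]] = findings
    return report


# Constructed sample records (field subsets of the entries shown in this section).
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333"}
KEY = "1234abcd-12ab-34cd-56ef-1234567890ab"
MRK = "mrk-1234abcd12ab34cd56ef1234567890ab"
TRUSTED = next(iter(TRUSTED_ENCLAVE_DIGESTS))


def _rec(event_id, name, request_id=None, identity=ALICE, read_only=True, **extra):
    rec = {"eventID": event_id, "requestID": request_id, "eventName": name, "eventType": "AwsApiCall",
           "readOnly": read_only, "userIdentity": identity}
    rec.update(extra)
    return rec


SAMPLE_RECORDS = [
    _rec("f7734272-9ec5-4c80-9f36-528ebbe35e4a", "GenerateDataKeyWithoutPlaintext", "d6b8e411-63bc-11e4-bc2b-4198b6150d5c",
         errorCode="InvalidKeyUsageException", requestParameters={"keyId": KEY, "keySpec": "AES_256"}),
    _rec("a9dea4f9-8395-46c0-942c-f509c02c2b71", "GenerateDataKey", "e0eb83e3-63bc-11e4-bc2b-4198b6150d5c",
         requestParameters={"keyId": KEY, "numberOfBytes": 32},
         additionalEventData={"recipient": {"attestationDocumentEnclaveImageDigest": TRUSTED}}),
    _rec("00000000-0000-4000-8000-000000000001", "GenerateDataKey", "00000000-0000-4000-8000-0000000000a1",
         requestParameters={"keyId": KEY, "numberOfBytes": 32},
         additionalEventData={"recipient": {"attestationDocumentEnclaveImageDigest": "f" * 96}}),
    _rec("3c4226b0-1e81-48a8-a333-7fa5f3cbd118", "ScheduleKeyDeletion", "00000000-0000-4000-8000-0000000000a2",
         read_only=False, requestParameters={"pendingWindowInDays": 20, "keyId": KEY}),
    _rec("a24b3967-ddad-417f-9b22-2332b918db06", "RotateKey", read_only=False, eventType="AwsServiceEvent",
         identity={"accountId": "111122223333", "invokedBy": "AWS Internal"}, requestParameters=None),
    _rec("00000000-0000-4000-8000-000000000002", "UpdatePrimaryRegion", "ee408f36-ea01-422b-ac14-b0f147c68334",
         read_only=False, requestParameters={"keyId": MRK, "primaryRegion": "ap-northeast-1"}),
    _rec("091e6be5-737f-43c6-8431-e3679d6d0619", "UpdatePrimaryRegion", "ee408f36-ea01-422b-ac14-b0f147c68334",
         read_only=False, identity={**ALICE, "invokedBy": "kms.amazonaws.com"},
         requestParameters={"keyId": MRK, "primaryRegion": "ap-northeast-1"}),
]

if __name__ == "__main__":
    print(json.dumps(triage_all(SAMPLE_RECORDS), indent=2))
```

Run against real data by loading the Records array of a CloudTrail log file and passing it to triage_all. The trusted-digest check is the important one for enclave workloads: KMS will happily encrypt a data key to any enclave whose attestation document satisfies the key policy's kms:RecipientAttestation conditions, so the log is where you confirm that only the images you expect are being served.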
Amazon EC2 example one
The following example demonstrates an IAM user creating an encrypted volume using the default volume key in the Amazon EC2 management console.

The log shows the user Alice creating an encrypted volume in Amazon EC2 using a default volume key. The Amazon EC2 log record includes the volume ID, "vol-13439757". The AWS KMS record contains an encryption context that includes the same volume ID, "aws:ebs:id": "vol-13439757". Both the principalId and accountId in the two log entries match. The AWS KMS entry also shows invokedBy "AWS Internal": Amazon EC2 made the call on Alice's behalf, with her identity, so the request was authorized by Alice's permissions rather than by an Amazon EC2 service principal. Note also that the request named the alias alias/aws/ebs while the resources field shows the key ARN it resolved to.

{ "Records": [ {
  "eventVersion": "1.02",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T20:40:44Z" } }, "invokedBy": "signin.amazonaws.com" },
  "eventTime": "2014-11-05T20:50:18Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateVolume",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "72.72.72.72",
  "userAgent": "signin.amazonaws.com",
  "requestParameters": { "size": "10", "zone": "us-east-1a", "volumeType": "gp2", "encrypted": true },
  "responseElements": { "volumeId": "vol-13439757", "size": "10", "zone": "us-east-1a", "status": "creating", "createTime": 1415220618876, "volumeType": "gp2", "iops": 30, "encrypted": true },
  "requestID": "1565210e-73d0-4912-854c-b15ed349e526",
  "eventID": "a3447186-135f-4b00-8424-bc41f1a93b4f",
  "eventType": "AwsApiCall",
  "recipientAccountId": "123456789012"
}, {
  "eventVersion": "1.02",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T20:40:44Z" } }, "invokedBy": "AWS Internal" },
  "eventTime": "2014-11-05T20:50:19Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKeyWithoutPlaintext",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": { "encryptionContext": { "aws:ebs:id": "vol-13439757" }, "numberOfBytes": 64, "keyId": "alias/aws/ebs" },
  "responseElements": null,
  "requestID": "create-123456789012-758241111-1415220618",
  "eventID": "4bd2a696-d833-48cc-b72c-05e61b608399",
  "readOnly": true,
  "resources": [ { "ARN": "arn:aws:kms:us-east-1:123456789012:key/e29ddfd4-1bf6-4e1b-8ecb-08216bd70d07", "accountId": "123456789012" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "123456789012"
} ] }
Amazon EC2 example two
In the following example, an IAM user running an Amazon EC2 instance creates and mounts a data volume that is encrypted under a CMK. This action generates multiple CloudTrail log records.

When the volume is created, Amazon EC2, acting on behalf of the customer, gets an encrypted volume key from AWS KMS (GenerateDataKeyWithoutPlaintext). Then it creates a grant (CreateGrant) that allows it to decrypt the volume key. When the volume is mounted, Amazon EC2 calls AWS KMS to decrypt the volume key (Decrypt).

The instanceId of the Amazon EC2 instance, "i-81e2f56c", appears in the RunInstances event. The same instance ID qualifies the granteePrincipal of the grant that is created ("123456789012:aws:ec2-infrastructure:i-81e2f56c") and the assumed role that is the principal in the Decrypt call ("arn:aws:sts::123456789012:assumed-role/aws:ec2-infrastructure/i-81e2f56c").

The key ARN (p. 14) of the CMK that protects the data volume, arn:aws:kms:us-east-1:123456789012:key/e29ddfd4-1bf6-4e1b-8ecb-08216bd70d07, appears in all three AWS KMS calls (CreateGrant, GenerateDataKeyWithoutPlaintext, and Decrypt).

Note the grant's constraint. encryptionContextSubset restricts the grantee to requests whose encryption context contains "aws:ebs:id": "vol-f67bafb2", and the Decrypt call by the Amazon EC2 infrastructure role carries exactly that context. A Decrypt request with a different or missing encryption context would not be authorized by this grant, which is what stops the per-instance role from decrypting data keys for other volumes.

{ "Records": [ {
  "eventVersion": "1.02",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T21:34:36Z" } }, "invokedBy": "signin.amazonaws.com" },
  "eventTime": "2014-11-05T21:35:27Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "72.72.72.72",
  "userAgent": "signin.amazonaws.com",
  "requestParameters": {
    "instancesSet": { "items": [ { "imageId": "ami-b66ed3de", "minCount": 1, "maxCount": 1 } ] },
    "groupSet": { "items": [ { "groupId": "sg-98b6e0f2" } ] },
    "instanceType": "m3.medium",
    "blockDeviceMapping": { "items": [
      { "deviceName": "/dev/xvda", "ebs": { "volumeSize": 8, "deleteOnTermination": true, "volumeType": "gp2" } },
      { "deviceName": "/dev/sdb", "ebs": { "volumeSize": 8, "deleteOnTermination": false, "volumeType": "gp2", "encrypted": true } }
    ] },
    "monitoring": { "enabled": false },
    "disableApiTermination": false,
    "instanceInitiatedShutdownBehavior": "stop",
    "clientToken": "XdKUT141516171819",
    "ebsOptimized": false
  },
  "responseElements": {
    "reservationId": "r-5ebc9f74",
    "ownerId": "123456789012",
    "groupSet": { "items": [ { "groupId": "sg-98b6e0f2", "groupName": "launch-wizard-2" } ] },
    "instancesSet": { "items": [ {
      "instanceId": "i-81e2f56c",
      "imageId": "ami-b66ed3de",
      "instanceState": { "code": 0, "name": "pending" },
      "amiLaunchIndex": 0,
      "productCodes": { },
      "instanceType": "m3.medium",
      "launchTime": 1415223328000,
      "placement": { "availabilityZone": "us-east-1a", "tenancy": "default" },
      "monitoring": { "state": "disabled" },
      "stateReason": { "code": "pending", "message": "pending" },
      "architecture": "x86_64",
      "rootDeviceType": "ebs",
      "rootDeviceName": "/dev/xvda",
      "blockDeviceMapping": { },
      "virtualizationType": "hvm",
      "hypervisor": "xen",
      "clientToken": "XdKUT1415223327917",
      "groupSet": { "items": [ { "groupId": "sg-98b6e0f2", "groupName": "launch-wizard-2" } ] },
      "networkInterfaceSet": { },
      "ebsOptimized": false
    } ] }
  },
  "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2",
  "eventID": "cd75a605-2fee-4fda-b847-9c3d330ebaae",
  "eventType": "AwsApiCall",
  "recipientAccountId": "123456789012"
}, {
  "eventVersion": "1.02",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T21:34:36Z" } }, "invokedBy": "AWS Internal" },
  "eventTime": "2014-11-05T21:35:35Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "constraints": { "encryptionContextSubset": { "aws:ebs:id": "vol-f67bafb2" } },
    "granteePrincipal": "123456789012:aws:ec2-infrastructure:i-81e2f56c",
    "keyId": "arn:aws:kms:us-east-1:123456789012:key/e29ddfd4-1bf6-4e1b-8ecb-08216bd70d07"
  },
  "responseElements": { "grantId": "6caf442b4ff8a27511fb6de3e12cc5342f5382112adf75c1a91dbd221ec356fe" },
  "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2",
  "eventID": "c1ad79e3-0d3f-402a-b119-d5c31d7c6a6c",
  "readOnly": false,
  "resources": [ { "ARN": "arn:aws:kms:us-east-1:123456789012:key/e29ddfd4-1bf6-4e1b-8ecb-08216bd70d07", "accountId": "123456789012" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "123456789012"
}, {
  "eventVersion": "1.02",
  "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T21:34:36Z" } }, "invokedBy": "AWS Internal" },
  "eventTime": "2014-11-05T21:35:32Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKeyWithoutPlaintext",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": { "encryptionContext": { "aws:ebs:id": "vol-f67bafb2" }, "numberOfBytes": 64, "keyId": "alias/aws/ebs" },
  "responseElements": null,
  "requestID": "create-123456789012-758247346-1415223332",
  "eventID": "ac3cab10-ce93-4953-9d62-0b6e5cba651d",
  "readOnly": true,
  "resources": [ { "ARN": "arn:aws:kms:us-east-1:123456789012:key/e29ddfd4-1bf6-4e1b-8ecb-08216bd70d07", "accountId": "123456789012" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "123456789012"
}, {
  "eventVersion": "1.02",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "123456789012:aws:ec2-infrastructure:i-81e2f56c",
    "arn": "arn:aws:sts::123456789012:assumed-role/aws:ec2-infrastructure/i-81e2f56c",
    "accountId": "123456789012",
    "accessKeyId": "",
    "sessionContext": {
      "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T21:35:38Z" },
      "sessionIssuer": { "type": "Role", "principalId": "123456789012:aws:ec2-infrastructure", "arn": "arn:aws:iam::123456789012:role/aws:ec2-infrastructure", "accountId": "123456789012", "userName": "aws:ec2-infrastructure" }
    }
  },
  "eventTime": "2014-11-05T21:35:47Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "172.172.172.172",
  "requestParameters": { "encryptionContext": { "aws:ebs:id": "vol-f67bafb2" } },
  "responseElements": null,
  "requestID": "b4b27883-6533-11e4-b4d9-751f1761e9e5",
  "eventID": "edb65380-0a3e-4123-bbc8-3d1b7cff49b0",
  "readOnly": true,
  "resources": [ { "ARN": "arn:aws:kms:us-east-1:123456789012:key/e29ddfd4-1bf6-4e1b-8ecb-08216bd70d07", "accountId": "123456789012" } ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "123456789012"
} ] }
Amazon CloudWatch 
Amazon CloudWatch CMK AWS KMS  CMK  2  Amazon CloudWatch Amazon CloudWatch  
 · AWS KMS  (p. 333) ·  CloudWatch AWS KMS (p. 334) · AWS KMS  (p. 336)
AWS KMS 
writeCMK  (p. 405)AWS KMS  CloudWatch AWS KMSAWS Management ConsoleAmazon CloudWatch API API  
AWS KMS 
AWS/KMS 
SecondsUntilKeyMaterialExpiration
 AWS KMSEXTERNAL  Minimum   Seconds 
  CloudWatch   CloudWatch  AWS KMS (p. 334)
AWS KMS 
AWS KMSAWS/KMS 1  KeyId  KMS  KMS  
AWS KMS 
AWS KMSAWS Management ConsoleAmazon CloudWatch API API 
CloudWatch 
1. CloudWatch  (https://console.aws.amazon.com/cloudwatch/)  2. AWS 
 3.  [Metrics ()]  4. [All metrics] [AWS ]  [KMS] 
 5. [Per-Key Metrics] 
Amazon CloudWatch API 
AWS KMS CloudWatch API  ListMetricsNamespaceAWS/KMSAWS Command Line Interface (AWS CLI) 
$ aws cloudwatch list-metrics --namespace AWS/KMS
 CloudWatch AWS KMS
 Amazon SNS  CloudWatch   1  Amazon SNS  Auto Scaling  CloudWatch   
 ·  CloudWatch  (p. 334) · CloudWatch  CMK  (p. 336)
 CloudWatch 
 CMK  (p. 405) AWS KMS CMK CMK  CloudWatch  10   
 (AWS Management Console) 1. CloudWatch  (https://console.aws.amazon.com/cloudwatch/)  2. AWS 
 3. [Alarms]  []  4. [Browse Metrics][KMS]  5. CMK  ID  6.  [Minimum] [1 ] [] 
 7. [Create Alarm] 
a. []  KeyMaterialExpiresSoon  b. [:]  [:] <= 
 10  864000  c. [] 1 d. [Send notification to:]  ·  Amazon SNS [ New list ] 
[Email list:] E  1   E  ·  Amazon SNS  e. [Create Alarm] 
8. no-reply@sns.amazonaws.com  AWS-E  [Confirm subscription] E 
Important
E E 
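As an added example that is not part of the guide, this Python expresses the alarm the console steps above create as PutMetricAlarm parameters and applies the same rule (Minimum statistic over a 1-day period, threshold 864000 seconds, 1 evaluation period) to sample datapoints locally; the helper names and the SNS topic ARN are this example's own assumptions.

```python
THRESHOLD_SECONDS = 10 * 24 * 60 * 60   # 864000: alarm when 10 days or less remain
PERIOD_SECONDS = 24 * 60 * 60           # 1 day, as chosen in the console steps


def put_metric_alarm_params(key_id, topic_arn, alarm_name="KeyMaterialExpiresSoon"):
    """Parameters equivalent to the console steps, as accepted by CloudWatch PutMetricAlarm.

    key_id is the CMK's key ID (the AWS/KMS metric dimension); topic_arn is the
    SNS topic that receives the notification (assumed placeholder in the test).
    """
    return {
        "AlarmName": alarm_name,
        "Namespace": "AWS/KMS",
        "MetricName": "SecondsUntilKeyMaterialExpiration",
        "Dimensions": [{"Name": "KeyId", "Value": key_id}],
        "Statistic": "Minimum",
        "Period": PERIOD_SECONDS,
        "EvaluationPeriods": 1,
        "Threshold": THRESHOLD_SECONDS,
        "ComparisonOperator": "LessThanOrEqualToThreshold",
        "AlarmActions": [topic_arn],
    }


def evaluate_key_expiration_alarm(datapoints, period=PERIOD_SECONDS,
                                  threshold=THRESHOLD_SECONDS):
    """Apply the alarm rule to (epoch_seconds, metric_value) samples.

    Samples are bucketed into periods; the Minimum of the latest bucket is
    compared with the threshold (one evaluation period). Returns 'ALARM',
    'OK' or 'INSUFFICIENT_DATA', mirroring CloudWatch alarm states.
    """
    if not datapoints:
        return "INSUFFICIENT_DATA"
    buckets = {}
    for ts, value in datapoints:
        buckets.setdefault(ts // period, []).append(value)
    latest_minimum = min(buckets[max(buckets)])
    return "ALARM" if latest_minimum <= threshold else "OK"
```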
CloudWatch  CMK  
CMK  (p. 393)CMK AWS KMS  CMK   CMK  CloudWatch CMK  
 Amazon CloudWatch  (p. 399)
AWS KMS 
AWS KMS Amazon CloudWatch Events CMK  JSON (JavaScript Object Notation)  CMK CloudWatch  1 AWS LambdaAmazon SNS Amazon SQS Amazon Kinesis Data Streams
 CloudWatch  AWS CloudTrailread/write API Amazon CloudWatch Events  
 CloudWatch AWS KMS
 ·  (p. 336) ·  (p. 337) · CMK  (p. 337)

 (p. 283) CMK (p. 4),AWS KMSCMK  AWS  CMK (p. 4) 3  
WelAWS KMSKMS CMK Rotation CloudWatch  AWS KMS

{ "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718", "detail-type": "KMS CMK Rotation", "source": "aws.kms", "account": "111122223333", "time": "2016-08-25T21:05:33Z", "region": "us-west-2",
336

AWS Key Management Service  AWS KMS 
"resources": [ "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
], "detail": {
"key-id": "1234abcd-12ab-34cd-56ef-1234567890ab" } }

 CMK  (p. 405) AWS KMS  CloudWatch AWS KMS 

{ "version": "0", "id": "9da9af57-9253-4406-87cb-7cc400e43465", "detail-type": "KMS Imported Key Material Expiration", "source": "aws.kms", "account": "111122223333", "time": "2016-08-22T20:12:19Z", "region": "us-west-2", "resources": [ "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" ], "detail": { "key-id": "1234abcd-12ab-34cd-56ef-1234567890ab" }
}
CMK 
CMK  (p. 393)CMK AWS KMS  AWS KMS CMK  CloudWatch  AWS KMS CloudWatch  CMK 

{ "version": "0", "id": "e9ce3425-7d22-412a-a699-e7a5fc3fbc9a", "detail-type": "CMK Deletion", "source": "aws.kms", "account": "111122223333", "time": "2016-08-19T03:23:45Z", "region": "us-west-2", "resources": [ "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" ], "detail": { "key-id": "1234abcd-12ab-34cd-56ef-1234567890ab" }
}
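As an added example that is not part of the guide, the following Python is a Lambda-style consumer for the three AWS KMS event types shown above: it validates that the event came from aws.kms, that the detail-type is one it knows, and that the resources list really references the key named in detail, then builds a notification with a severity the runbook assigns. The events are constructed from the samples above (placeholder ids), and the severity values and helper names are this example's own.

```python
import json

# Severity assigned to each AWS KMS detail-type (assumed runbook values).
SEVERITY = {
    "KMS CMK Rotation": "info",
    "KMS Imported Key Material Expiration": "high",
    "CMK Deletion": "critical",   # deletion is irreversible once the waiting period ends
}

KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/" + KEY_ID
OTHER_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"


def _sample_event(detail_type, source="aws.kms", resources=(KEY_ARN,)):
    """Constructed event in the same shape as the guide's samples (placeholder values)."""
    return {
        "version": "0",
        "id": "e9ce3425-7d22-412a-a699-e7a5fc3fbc9a",
        "detail-type": detail_type,
        "source": source,
        "account": "111122223333",
        "time": "2016-08-19T03:23:45Z",
        "region": "us-west-2",
        "resources": list(resources),
        "detail": {"key-id": KEY_ID},
    }


ROTATION_EVENT = _sample_event("KMS CMK Rotation")
EXPIRATION_EVENT = _sample_event("KMS Imported Key Material Expiration")
DELETION_EVENT = _sample_event("CMK Deletion")
WRONG_SOURCE_EVENT = _sample_event("CMK Deletion", source="aws.ec2")
MISMATCHED_EVENT = _sample_event("CMK Deletion", resources=(OTHER_KEY_ARN,))


def classify_kms_event(event):
    """Validate one event and return (severity, key_id, account, region).

    Raises ValueError for events that did not originate from aws.kms, carry an
    unexpected detail-type, or whose resources do not reference the key in
    detail, so the consumer never acts on malformed input.
    """
    if event.get("source") != "aws.kms":
        raise ValueError("not an AWS KMS event: source=%r" % event.get("source"))
    severity = SEVERITY.get(event.get("detail-type"))
    if severity is None:
        raise ValueError("unexpected detail-type %r" % event.get("detail-type"))
    key_id = event["detail"]["key-id"]
    if not any(arn.endswith(":key/" + key_id) for arn in event.get("resources", [])):
        raise ValueError("resources do not reference key %s" % key_id)
    return severity, key_id, event["account"], event["region"]


def is_valid_kms_event(event):
    """True when classify_kms_event accepts the event."""
    try:
        classify_kms_event(event)
    except (ValueError, KeyError):
        return False
    return True


def handler(event, context=None):
    """Lambda-style target: build the message a downstream SNS topic would carry."""
    severity, key_id, account, region = classify_kms_event(event)
    return {
        "severity": severity,
        "subject": "[%s] %s for key %s" % (severity.upper(), event["detail-type"], key_id),
        "body": json.dumps({"account": account, "region": region, "key_id": key_id,
                            "time": event["time"], "event_id": event["id"]}),
    }
```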
AWS KMS API 
AWS KMS API  ·  ·  ·  ·  ·  ·  ·  ·  · 
The sample code in the following topics shows how to use the AWS SDKs to call the AWS KMS API. AWS KMS   (p. 21) 
·  (p. 338) ·  (p. 339) ·  (p. 351) ·  (p. 362) ·  (p. 370) ·  (p. 379)

AWS SDK for JavaAWS SDK for .NETAWS SDK for Python (Boto3)AWS SDK for RubyAWS SDK for PHPAWSSDK for JavaScript in Node.js Node.jsAWS Key Management Service(AWS KMS) API AWS KMS  Java
Java  AWS KMS 
AWSKMS kmsClient = AWSKMSClientBuilder.standard().build();
Java  ·  Fluent Client BuildersAWS · ()AWS SDK for Java · AWSKMSClientBuilder()AWS SDK for JavaAPI 
C#
AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient();
Python
kms_client = boto3.client('kms')
Ruby
require 'aws-sdk-kms' # in v2: require 'aws-sdk'
kmsClient = Aws::KMS::Client.new
PHP PHP  AWS KMS AWS KMS   2014-11-01 KMSClient ()AWS SDK for PHPAPI 
// Create a KMSClient
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-1'
]);
Node.js
const kmsClient = new AWS.KMS();

AWS KMS API  AWS KMS  (p. 3) (CMK)   (p. 5) 
·  (p. 339) ·  (p. 341) ·  (p. 344) · CMK  ID  ARN  (p. 346) ·  (p. 348) ·  (p. 349)

 (p. 3) (CMK)  CreateKey   CMK  Description    (p. 338)  AWS KMS 
AWS KMS  CMK  (p. 21)
Java
createKey ()AWS SDK for JavaAPI  
// Create a CMK
//
String desc = "Key for protecting critical data";

CreateKeyRequest req = new CreateKeyRequest().withDescription(desc);
CreateKeyResult result = kmsClient.createKey(req);
C#
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceCreateKeyCreateKeyRequest.html AWS SDK for .NETCreateKey  
// Create a CMK
//
String desc = "Key for protecting critical data";

CreateKeyRequest req = new CreateKeyRequest()
{
    Description = desc
};
CreateKeyResponse response = kmsClient.CreateKey(req);
Python
  create_key AWS SDK for Python (Boto3)
# Create a CMK
desc = 'Key for protecting critical data'
response = kms_client.create_key(
    Description=desc
)
Ruby
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#create_key-instance_method  AWS SDK for Rubycreate_key 
# Create a CMK
desc = 'Key for protecting critical data'
response = kmsClient.create_key({
  description: desc
})
PHP
https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#createkey AWS SDK for PHPCreateKey 
// Create a CMK
//
$desc = "Key for protecting critical data";

$result = $KmsClient->createKey([
    'Description' => $desc
]);
Node.js
createKey ()AWSSDK for JavaScript in Node.js Node.js
// Create a CMK
//
const Description = 'Key for protecting critical data';

kmsClient.createKey({ Description }, (err, data) => {
  ...
});
PowerShell
PowerShell  CMK  New-KMSkey 
# Create a CMK
$desc = 'Key for protecting critical data'
New-KmsKey -Description $desc
AWS KMSPowerShell AWS.Tools. AWS Tools for Windows PowerShell  

 GenerateDataKey  CMK  CMK  KeySpec  NumberOfBytes  ()  
 (p. 338)  AWS KMS 
Java
generateDataKey ()AWS SDK for JavaAPI  
// Generate a data key
//
// Replace the following example key ARN with any valid key identifier
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

GenerateDataKeyRequest dataKeyRequest = new GenerateDataKeyRequest();
dataKeyRequest.setKeyId(keyId);
dataKeyRequest.setKeySpec("AES_256");

GenerateDataKeyResult dataKeyResult = kmsClient.generateDataKey(dataKeyRequest);

ByteBuffer plaintextKey = dataKeyResult.getPlaintext();
ByteBuffer encryptedKey = dataKeyResult.getCiphertextBlob();
C#
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceGenerateDataKeyGenerateDataKeyRequest.html AWS SDK for .NETGenerateDataKey 
// Generate a data key
//
// Replace the following example key ARN with any valid key identifier
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
GenerateDataKeyRequest dataKeyRequest = new GenerateDataKeyRequest()
{
    KeyId = keyId,
    KeySpec = DataKeySpec.AES_256
};

GenerateDataKeyResponse dataKeyResponse = kmsClient.GenerateDataKey(dataKeyRequest);

MemoryStream plaintextKey = dataKeyResponse.Plaintext;
MemoryStream encryptedKey = dataKeyResponse.CiphertextBlob;
Python
data_key ()AWS SDK for Python (Boto3)
# Generate a data key
# Replace the following example key ARN with any valid key identifier
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kms_client.generate_data_key(
    KeyId=key_id,
    KeySpec='AES_256'
)

plaintext_key = response['Plaintext']
encrypted_key = response['CiphertextBlob']
Ruby
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#generate_data_key-instance_method  AWS SDK for Rubygenerate_data_key  
# Generate a data key
# Replace the following example key ARN with any valid key identifier
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kmsClient.generate_data_key({
  key_id: key_id,
  key_spec: 'AES_256'
})

plaintext_key = response.plaintext
encrypted_key = response.ciphertext_blob
PHP
https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#generatedatakey AWS SDK for PHPGenerateDataKey  
// Generate a data key
//
// Replace the following example key ARN with any valid key identifier
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$keySpec = 'AES_256';

$result = $KmsClient->generateDataKey([
    'KeyId' => $keyId,
    'KeySpec' => $keySpec,
]);

$plaintextKey = $result['Plaintext'];
$encryptedKey = $result['CiphertextBlob'];
Node.js
generateDataKey ()AWSSDK for JavaScript in Node.js Node.js
// Generate a data key
//
// Replace the following example key ARN with any valid key identifier
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const KeySpec = 'AES_256';
kmsClient.generateDataKey({ KeyId, KeySpec }, (err, data) => {
  if (err) console.log(err, err.stack);
  else {
    const { CiphertextBlob, Plaintext } = data;
    ...
  }
});
PowerShell
 New-KmsDataKey 
 (Plaintext )  (CiphertextBlob )  MemoryStream  MemoryStreamMemoryStream Base64 CONVERT[CO 
# Generate a data key

# Replace the following example key ARN with any valid key identifier
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
$keySpec = 'AES_256'

$response = New-KmsDataKey -KeyId $keyId -KeySpec $keySpec
$plaintextKey = $response.Plaintext
$encryptedKey = $response.CiphertextBlob
AWS KMSPowerShell AWS.Tools. AWS Tools for Windows PowerShell  

CMK ARN   (p. 288),  (CMK)  DescribeKey 
DescribeKey  ListAliases   (p. 351)
 (p. 338)  AWS KMS 
AWS KMS  CMK  (p. 28)
Java
DescribeKey ()AWS SDK for JavaAPI  
// Describe a CMK
//
// Replace the following example key ARN with any valid key identifier
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

DescribeKeyRequest req = new DescribeKeyRequest().withKeyId(keyId);
DescribeKeyResult result = kmsClient.describeKey(req);
C#
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceDescribeKeyDescribeKeyRequest.html AWS SDK for .NETDescribeKey 
// Describe a CMK
//
// Replace the following example key ARN with any valid key identifier
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

DescribeKeyRequest describeKeyRequest = new DescribeKeyRequest()
{
    KeyId = keyId
};

DescribeKeyResponse describeKeyResponse = kmsClient.DescribeKey(describeKeyRequest);
Python
  describe_key AWS SDK for Python (Boto3)
# Describe a CMK
# Replace the following example key ARN with any valid key identifier
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kms_client.describe_key(
    KeyId=key_id
)
Ruby
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#describe_key-instance_method  AWS SDK for Rubydescribe_key  
# Describe a CMK
# Replace the following example key ARN with any valid key identifier
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kmsClient.describe_key({
  key_id: key_id
})
PHP
https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#describekey AWS SDK for PHPDescribeKey  
// Describe a CMK
//
// Replace the following example key ARN with any valid key identifier
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

$result = $KmsClient->describeKey([
    'KeyId' => $keyId,
]);
Node.js
DescribeKey ()AWSSDK for JavaScript in Node.js Node.js
// Describe a CMK
//
// Replace the following example key ARN with any valid key identifier
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
kmsClient.describeKey({ KeyId }, (err, data) => {
  ...
});
PowerShell
CMK  Get-KMSkey 
# Describe a CMK
# Replace the following example key ARN with any valid key identifier
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
Get-KmsKey -KeyId $keyId
AWS KMSPowerShell AWS.Tools. AWS Tools for Windows PowerShell  
CMK  ID  ARN 
ID (p. 14)   ARN (p. 14)  ListKeys   Limit  CMK AWS KMS  CMK   (KeyId) (p. 13)
 (p. 338)  AWS KMS 
AWS KMS  ID  ARN  ID  ARN   (p. 42)
Java
listKeys ()AWS SDK for JavaAPI  
// List CMKs in this account
//
Integer limit = 10;

ListKeysRequest req = new ListKeysRequest().withLimit(limit);
ListKeysResult result = kmsClient.listKeys(req);
C#
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceListKeysListKeysRequest.html AWS SDK for .NETListKeys  
// List CMKs in this account
//
int limit = 10;

ListKeysRequest listKeysRequest = new ListKeysRequest()
{
    Limit = limit
};
ListKeysResponse listKeysResponse = kmsClient.ListKeys(listKeysRequest);
Python
  list_keys AWS SDK for Python (Boto3)
# List CMKs in this account

response = kms_client.list_keys(
    Limit=10
)
Ruby
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#list_keys-instance_method  AWS SDK for Rubylist_keys 
# List CMKs in this account

response = kmsClient.list_keys({
  limit: 10
})
PHP
https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listkeys AWS SDK for PHPListKeys 
// List CMKs in this account
//
$limit = 10;

$result = $KmsClient->listKeys([
    'Limit' => $limit,
]);
Node.js
listKeys ()AWSSDK for JavaScript in Node.js Node.js
// List CMKs in this account
//
const Limit = 10;
kmsClient.listKeys({ Limit }, (err, data) => {
  ...
});
PowerShell
 CMK  ID  ARN  Get-KMSKeyList 
- Limit AWS Tools for PowerShell AWS Tools for PowerShell  
# List CMKs in this account
$limit = 10
Get-KmsKeyList | Select-Object -First $limit
AWS KMSPowerShell AWS.Tools. AWS Tools for Windows PowerShell  

 (CMK)  EnableKey 
 (p. 338)  AWS KMS 
AWS KMS  CMK   (p. 58)
Java
Java EnableKey ()AWS SDK for JavaAPI 
// Enable a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

EnableKeyRequest req = new EnableKeyRequest().withKeyId(keyId);
kmsClient.enableKey(req);
C#
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceEnableKeyEnableKeyRequest.html AWS SDK for .NETEnableKey  
// Enable a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

EnableKeyRequest enableKeyRequest = new EnableKeyRequest()
{
    KeyId = keyId
};
kmsClient.EnableKey(enableKeyRequest);
Python
  enable_key AWS SDK for Python (Boto3)
# Enable a CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kms_client.enable_key(
    KeyId=key_id
)
Ruby
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#enable_key-instance_method  AWS SDK for Rubyenable_key 
# Enable a CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kmsClient.enable_key({
  key_id: key_id
})
PHP
https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#enablekey AWS SDK for PHPEnableKey 
// Enable a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

$result = $KmsClient->enableKey([
    'KeyId' => $keyId,
]);
Node.js
EnableKey ()AWSSDK for JavaScript in Node.js Node.js
// Enable a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
kmsClient.enableKey({ KeyId }, (err, data) => {
  ...
});
PowerShell
CMK  Enable-KMSkey 
# Enable a CMK
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
Enable-KmsKey -KeyId $keyId
AWS KMSPowerShell AWS.Tools. AWS Tools for Windows PowerShell  

CMK  DisableKey  CMK   (p. 12)
 (p. 338)  AWS KMS 
AWS KMS  CMK   (p. 58)
Java
disableKey ()AWS SDK for JavaAPI  
// Disable a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

DisableKeyRequest req = new DisableKeyRequest().withKeyId(keyId);
kmsClient.disableKey(req);
C#
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceDisableKeyDisableKeyRequest.html  AWS SDK for .NETDisableKey  
// Disable a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

DisableKeyRequest disableKeyRequest = new DisableKeyRequest()
{
    KeyId = keyId
};
kmsClient.DisableKey(disableKeyRequest);
Python
  disable_key AWS SDK for Python (Boto3)
# Disable a CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kms_client.disable_key(
    KeyId=key_id
)
Ruby
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#disable_key-instance_method  AWS SDK for Rubydisable_key 
# Disable a CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kmsClient.disable_key({
  key_id: key_id
})
PHP
https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#disablekey  AWS SDK for PHPDisableKey 
// Disable a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

$result = $KmsClient->disableKey([
    'KeyId' => $keyId,
]);
Node.js
disableKey ()AWSSDK for JavaScript in Node.js Node.js
// Disable a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
kmsClient.disableKey({ KeyId }, (err, data) => {
  ...
});
PowerShell
CMK  Disable-KMSkey 
# Disable a CMK
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
Disable-KmsKey -KeyId $keyId
AWS KMSPowerShell AWS.Tools. AWS Tools for Windows PowerShell  

AWS KMS API   the section called "" (p. 62)
 ·  (p. 352) ·  (p. 354) ·  (p. 358) ·  (p. 360)

AWS Management Console  (CMK)  CMK  CreateKey 
 CreateAlias  aws/ -aws/ Amazon Web Services AWS CMK (p. 3)
 (p. 338)  AWS KMS 
Java
createAlias ()AWS SDK for JavaAPI  
// Create an alias for a CMK
//
String aliasName = "alias/projectKey1";
// Replace the following example key ARN with a valid key ID or key ARN
String targetKeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

CreateAliasRequest req = new CreateAliasRequest().withAliasName(aliasName).withTargetKeyId(targetKeyId);
kmsClient.createAlias(req);
C#
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceCreateAliasCreateAliasRequest.html  AWS SDK for .NETCreateAlias  
// Create an alias for a CMK
//
String aliasName = "alias/projectKey1";
// Replace the following example key ARN with a valid key ID or key ARN
String targetKeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

CreateAliasRequest createAliasRequest = new CreateAliasRequest()
{
    AliasName = aliasName,
    TargetKeyId = targetKeyId
};
kmsClient.CreateAlias(createAliasRequest);
Python
  create_alias AWS SDK for Python (Boto3)
# Create an alias for a CMK
alias_name = 'alias/projectKey1'
# Replace the following example key ARN with a valid key ID or key ARN
target_key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kms_client.create_alias(
    AliasName=alias_name,
    TargetKeyId=target_key_id
)
Ruby
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#create_alias-instance_method  AWS SDK for Rubycreate_alias 
# Create an alias for a CMK
alias_name = 'alias/projectKey1'
# Replace the following example key ARN with a valid key ID or key ARN
target_key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kmsClient.create_alias({
  alias_name: alias_name,
  target_key_id: target_key_id
})
PHP
https://docs.aws.amazon.com/sdk-for-php/latest/reference/api-kms-2014-11-01.html#createalias  AWS SDK for PHPCreateAlias 
// Create an alias for a CMK
//
$aliasName = "alias/projectKey1";
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

$result = $KmsClient->createAlias([
    'AliasName' => $aliasName,
    'TargetKeyId' => $keyId,
]);
Node.js
createAlias es ()AWSSDK for JavaScript in Node.js Node.js
// Create an alias for a CMK
//
const AliasName = 'alias/projectKey1';
// Replace the following example key ARN with a valid key ID or key ARN
const TargetKeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
kmsClient.createAlias({ AliasName, TargetKeyId }, (err, data) => {
  ...
});
PowerShell
 New-KMSAlias  
# Create an alias for a CMK

$aliasName = 'alias/projectKey1'
# Replace the following example key ARN with a valid key ID or key ARN
$targetKeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

New-KMSAlias -TargetKeyId $targetKeyId -AliasName $aliasName
AWS KMSPowerShell AWS.Tools. AWS Tools for Windows PowerShell  

 ListAliases 
ListAliases   CMK (p. 3)AWSAWS CMK (p. 3)TargetKeyId  AWS  CMK 
 (p. 338)  AWS KMS 
Java
Java listAliases ()AWS SDK for JavaAPI 
// List the aliases in this AWS account
//
Integer limit = 10;

ListAliasesRequest req = new ListAliasesRequest().withLimit(limit);
ListAliasesResult result = kmsClient.listAliases(req);
C#
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceListAliasesListAliasesRequest.html  AWS SDK for .NETListAliases  
// List the aliases in this AWS account
//
int limit = 10;

ListAliasesRequest listAliasesRequest = new ListAliasesRequest()
{
    Limit = limit
};
ListAliasesResponse listAliasesResponse = kmsClient.ListAliases(listAliasesRequest);
Python
  list_aliases AWS SDK for Python (Boto3)
# List the aliases in this AWS account

response = kms_client.list_aliases(
    Limit=10
)
Ruby
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#list_aliases-instance_method  AWS SDK for Rubylist_aliases 
# List the aliases in this AWS account

response = kmsClient.list_aliases({
  limit: 10
})
PHP
https://docs.aws.amazon.com/sdk-for-php/latest/reference/api-kms-2014-11-01.html#listaliases  AWS SDK for PHPList Aliases 
// List the aliases in this AWS account
//
$limit = 10;

$result = $KmsClient->listAliases([
    'Limit' => $limit,
]);
Node.js
listAliases as ()AWSSDK for JavaScript in Node.js Node.js
// List the aliases in this AWS account
//
const Limit = 10;
kmsClient.listAliases({ Limit }, (err, data) => {
  ...
});
PowerShell
 Get-KMSAliasList  
 Limit list AWS Tools for PowerShell  AWS Tools for PowerShell 
# List the aliases in this AWS account
$limit = 10
$result = Get-KMSAliasList | Select-Object -First $limit
AWS KMSPowerShell AWS.Tools. AWS Tools for Windows PowerShell  
 CMK KeyId   CMK  ID (p. 14) ARN (p. 14)   ARN 
Java
Java listAliases ()AWS SDK for JavaAPI 
// List the aliases for one CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

ListAliasesRequest req = new ListAliasesRequest().withKeyId(keyId);
ListAliasesResult result = kmsClient.listAliases(req);
C#
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceListAliasesListAliasesRequest.html  AWS SDK for .NETListAliases  
// List the aliases for one CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

ListAliasesRequest listAliasesRequest = new ListAliasesRequest()
{
    KeyId = keyId
};
ListAliasesResponse listAliasesResponse = kmsClient.ListAliases(listAliasesRequest);
Python
  list_aliases AWS SDK for Python (Boto3)
# List the aliases for one CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kms_client.list_aliases(
    KeyId=key_id
)
Ruby
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#list_aliases-instance_method  AWS SDK for Rubylist_aliases 
# List the aliases for one CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'

response = kmsClient.list_aliases({
  key_id: key_id
})
PHP
https://docs.aws.amazon.com/sdk-for-php/latest/reference/api-kms-2014-11-01.html#listaliases  AWS SDK for PHPList Aliases 
// List the aliases for one CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

$result = $KmsClient->listAliases([
    'KeyId' => $keyId,
]);
Node.js
listAliases as ()AWSSDK for JavaScript in Node.js Node.js
// List the aliases for one CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
kmsClient.listAliases({ KeyId }, (err, data) => {
  ...
});
PowerShell
CMK CMK KeyId KMSAliasList
# List the aliases for one CMK
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
$response = Get-KmsAliasList -KeyId $keyId
AWS KMSPowerShell AWS.Tools. AWS Tools for Windows PowerShell  

 CMK  UpdateAlias 
 (p. 338)  AWS KMS 
Java
Java updateAlias es ()AWS SDK for JavaAPI 
// Updating an alias
//
String aliasName = "alias/projectKey1";
// Replace the following example key ARN with a valid key ID or key ARN
String targetKeyId = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321";

UpdateAliasRequest req = new UpdateAliasRequest()
    .withAliasName(aliasName)
    .withTargetKeyId(targetKeyId);
kmsClient.updateAlias(req);
C#
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceUpdateAliasUpdateAliasRequest.html  AWS SDK for .NETUpdateAlias  
// Updating an alias
//
String aliasName = "alias/projectKey1";
// Replace the following example key ARN with a valid key ID or key ARN
String targetKeyId = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321";

UpdateAliasRequest updateAliasRequest = new UpdateAliasRequest()
{
    AliasName = aliasName,
    TargetKeyId = targetKeyId
};
kmsClient.UpdateAlias(updateAliasRequest);
Python
  update_alias AWS SDK for Python (Boto3)
# Updating an alias
alias_name = 'alias/projectKey1'
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321'

response = kms_client.update_alias(
    AliasName=alias_name,
    TargetKeyId=key_id
)
Ruby
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#update_alias-instance_method  AWS SDK for Rubyupdate_alias  
# Updating an alias
alias_name = 'alias/projectKey1'
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321'

response = kmsClient.update_alias({
  alias_name: alias_name,
  target_key_id: key_id
})
PHP
https://docs.aws.amazon.com/sdk-for-php/latest/reference/api-kms-2014-11-01.html#updatealias  AWS SDK for PHPUpdateAlias 
// Updating an alias
//
$aliasName = "alias/projectKey1";
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321';

$result = $KmsClient->updateAlias([
    'AliasName' => $aliasName,
    'TargetKeyId' => $keyId,
]);
Node.js
updateAlias es ()AWSSDK for JavaScript in Node.js Node.js
// Updating an alias
//
const AliasName = 'alias/projectKey1';
// Replace the following example key ARN with a valid key ID or key ARN
const TargetKeyId = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321';
kmsClient.updateAlias({ AliasName, TargetKeyId }, (err, data) => {
  ...
});
PowerShell
 CMK  Update-KMSAlias  
Update-KMSAlias  Get-KMSaliasList 
# Updating an alias

$aliasName = 'alias/projectKey1'
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321'

Update-KMSAlias -AliasName $aliasName -TargetKeyID $keyId
AWS KMSPowerShell AWS.Tools. AWS Tools for Windows PowerShell  

 DeleteAlias  CMK 
 (p. 338)  AWS KMS 
Java
deleteAlias ()AWS SDK for JavaAPI  
// Delete an alias for a CMK
//
String aliasName = "alias/projectKey1";

DeleteAliasRequest req = new DeleteAliasRequest().withAliasName(aliasName);
kmsClient.deleteAlias(req);
C#
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceDeleteAliasDeleteAliasRequest.html  AWS SDK for .NETDeleteAlias  
// Delete an alias for a CMK
//
String aliasName = "alias/projectKey1";

DeleteAliasRequest deleteAliasRequest = new DeleteAliasRequest()
{
    AliasName = aliasName
};
kmsClient.DeleteAlias(deleteAliasRequest);
Python
  delete_alias AWS SDK for Python (Boto3)
# Delete an alias for a CMK
alias_name = 'alias/projectKey1'
response = kms_client.delete_alias(
    AliasName=alias_name
)
Ruby
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#delete_alias-instance_method  AWS SDK for Rubydelete_alias 
# Delete an alias for a CMK
alias_name = 'alias/projectKey1'
response = kmsClient.delete_alias({
  alias_name: alias_name
})
PHP
https://docs.aws.amazon.com/sdk-for-php/latest/reference/api-kms-2014-11-01.html#deletealias  AWS SDK for PHPDeleteAlias 
// Delete an alias for a CMK
//
$aliasName = "alias/projectKey1";

$result = $KmsClient->deleteAlias([
    'AliasName' => $aliasName,
]);
Node.js
deleteAlias ) AWSSDK for JavaScript in Node.js Node.js
// Delete an alias for a CMK
//
const AliasName = 'alias/projectKey1';
kmsClient.deleteAlias({ AliasName }, (err, data) => {
  ...
});
PowerShell
To delete an alias, use the Remove-KMSAlias cmdlet.
Because this cmdlet has a ConfirmImpact value of High, PowerShell prompts you for confirmation before it runs, unless you set the ConfirmPreference variable to a lower value or use the Confirm common parameter with a value of $false (-Confirm:$false).
To find the names of the aliases that you want to delete, use the Get-KMSAliasList cmdlet.

# Delete an alias for a CMK
$aliasName = 'alias/projectKey1'
Remove-KMSAlias -AliasName $aliasName

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.

  API  EncryptDecryptReEncryptAWS KMS 
 (p. 5)  AWS KMS  (p. 3) (CMK) 4 KB (4096 bytes)  RSA  
AWS (AWS Encryption SDKAmazon S3 
 ·  (p. 362) ·  (p. 364) ·  (p. 367)

Encrypt        CMK  
 (p. 338)  AWS KMS 
Java
For details, see the encrypt method in the AWS SDK for Java API Reference.

// Encrypt a data key
//
// Replace the following example key ARN with any valid key identifier
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
ByteBuffer plaintext = ByteBuffer.wrap(new byte[]{1,2,3,4,5,6,7,8,9,0});
EncryptRequest req = new EncryptRequest().withKeyId(keyId).withPlaintext(plaintext);
ByteBuffer ciphertext = kmsClient.encrypt(req).getCiphertextBlob();
C#
For details, see the Encrypt method in the AWS SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceEncryptEncryptRequest.html

// Encrypt a data key
//
// Replace the following example key ARN with any valid key identifier
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
MemoryStream plaintext = new MemoryStream();
plaintext.Write(new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 }, 0, 10);
EncryptRequest encryptRequest = new EncryptRequest()
{
    KeyId = keyId,
    Plaintext = plaintext
};
MemoryStream ciphertext = kmsClient.Encrypt(encryptRequest).CiphertextBlob;
Python
For details, see the encrypt method in the AWS SDK for Python (Boto3).

# Encrypt a data key
# Replace the following example key ARN with any valid key identifier
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
plaintext = b'\x01\x02\x03\x04\x05\x06\x07\x08\x09\x00'
response = kms_client.encrypt(
    KeyId=key_id,
    Plaintext=plaintext
)
ciphertext = response['CiphertextBlob']
Ruby
For details, see the encrypt method in the AWS SDK for Ruby: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#encrypt-instance_method

# Encrypt a data key
# Replace the following example key ARN with any valid key identifier
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
plaintext = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x00"
response = kmsClient.encrypt({
  key_id: key_id,
  plaintext: plaintext
})
ciphertext = response.ciphertext_blob
PHP
For details, see the Encrypt method in the AWS SDK for PHP: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#encrypt

// Encrypt a data key
//
// Replace the following example key ARN with any valid key identifier
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$message = pack('c*', 1, 2, 3, 4, 5, 6, 7, 8, 9, 0);
$result = $KmsClient->encrypt([
    'KeyId' => $keyId,
    'Plaintext' => $message,
]);
$ciphertext = $result['CiphertextBlob'];
Node.js
For details, see the encrypt property in the AWS SDK for JavaScript in Node.js.

// Encrypt a data key
//
// Replace the following example key ARN with any valid key identifier
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const Plaintext = Buffer.from([1, 2, 3, 4, 5, 6, 7, 8, 9, 0]);
kmsClient.encrypt({ KeyId, Plaintext }, (err, data) => {
  if (err) console.log(err, err.stack); // an error occurred
  else {
    const { CiphertextBlob } = data;
    ...
  }
});
PowerShell
To encrypt a data key under an AWS KMS CMK, use the Invoke-KMSEncrypt cmdlet. It takes the plaintext as a MemoryStream (System.IO.MemoryStream) object and returns the ciphertext as a MemoryStream, which you can pass directly to Invoke-KMSDecrypt.
Because AWS KMS returns the ciphertext as a MemoryStream, you might need to convert other values to MemoryStream objects before you can use them with these cmdlets.
The Plaintext parameter of Invoke-KMSEncrypt takes a byte array (byte[]); you do not have to convert it to a MemoryStream. Beginning in AWSPowerShell version 4.0, a MemoryStream is converted to a byte array for you, so earlier code that passes a MemoryStream keeps working. You can also pass a FileInfo (System.IO.FileInfo) object to Invoke-KMSEncrypt.

# Encrypt a data key
# Replace the following example key ARN with any valid key identifier
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
# Simulate a data key
# Create a byte array
[byte[]] $bytes = 1, 2, 3, 4, 5, 6, 7, 8, 9, 0
# Create a MemoryStream
$plaintext = [System.IO.MemoryStream]::new()
# Add the byte array to the MemoryStream
$plaintext.Write($bytes, 0, $bytes.length)
# Encrypt the simulated data key
$response = Invoke-KMSEncrypt -KeyId $keyId -Plaintext $plaintext
# Get the ciphertext from the response
$ciphertext = $response.CiphertextBlob

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.

  
Decrypting a data key

To decrypt a data key, use the Decrypt operation.
The ciphertextBlob that you specify must be the value of the CiphertextBlob field in the response from a GenerateDataKey, GenerateDataKeyWithoutPlaintext, or Encrypt request, or the PrivateKeyCiphertextBlob field in the response from a GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext request. Decrypt uses the same CMK that AWS KMS used to encrypt the data key.
The KeyId parameter identifies that CMK. Although AWS KMS can get the CMK from the metadata in the ciphertext blob, it is a best practice to specify the CMK that you intend to use: that way, the request fails if the ciphertext was encrypted under a different CMK, instead of silently decrypting with a CMK you did not intend.

This example uses the AWS KMS client object that you created earlier (p. 338).

Java
For details, see the decrypt method in the AWS SDK for Java API Reference.

// Decrypt a data key
//
// Replace the following example key ARN with any valid key identifier
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
ByteBuffer ciphertextBlob = Place your ciphertext here;
DecryptRequest req = new DecryptRequest().withCiphertextBlob(ciphertextBlob).withKeyId(keyId);
ByteBuffer plainText = kmsClient.decrypt(req).getPlaintext();
C#
For details, see the Decrypt method in the AWS SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceDecryptDecryptRequest.html

// Decrypt a data key
//
// Replace the following example key ARN with any valid key identifier
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
MemoryStream ciphertextBlob = new MemoryStream();
// Write ciphertext to memory stream
DecryptRequest decryptRequest = new DecryptRequest()
{
    CiphertextBlob = ciphertextBlob,
    KeyId = keyId
};
MemoryStream plainText = kmsClient.Decrypt(decryptRequest).Plaintext;
Python
For details, see the decrypt method in the AWS SDK for Python (Boto3).

# Decrypt a data key
# Replace the following example key ARN with any valid key identifier
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
ciphertext = 'Place your ciphertext here'
response = kms_client.decrypt(
    CiphertextBlob=ciphertext,
    KeyId=key_id
)
plaintext = response['Plaintext']
Ruby
For details, see the decrypt method in the AWS SDK for Ruby: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#decrypt-instance_method

# Decrypt a data key
# Replace the following example key ARN with any valid key identifier
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
ciphertext = 'Place your ciphertext here'
ciphertext_packed = [ciphertext].pack("H*")
response = kmsClient.decrypt({
  ciphertext_blob: ciphertext_packed,
  key_id: key_id
})
plaintext = response.plaintext
PHP
For details, see the Decrypt method in the AWS SDK for PHP: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#decrypt

// Decrypt a data key
//
// Replace the following example key ARN with any valid key identifier
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$ciphertext = 'Place your cipher text blob here';
$result = $KmsClient->decrypt([
    'CiphertextBlob' => $ciphertext,
    'KeyId' => $keyId,
]);
$plaintext = $result['Plaintext'];
Node.js
For details, see the decrypt property in the AWS SDK for JavaScript in Node.js.

// Decrypt a data key
//
// Replace the following example key ARN with any valid key identifier
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const CiphertextBlob = 'Place your cipher text blob here';
kmsClient.decrypt({ CiphertextBlob, KeyId }, (err, data) => {
  if (err) console.log(err, err.stack); // an error occurred
  else {
    const { Plaintext } = data;
    ...
  }
});
PowerShell
To decrypt a data key that was encrypted by Invoke-KMSEncrypt, use the Invoke-KMSDecrypt cmdlet.
Invoke-KMSEncrypt returns the ciphertext as a MemoryStream (System.IO.MemoryStream) object, and Invoke-KMSDecrypt takes a MemoryStream, so you can pass the value through unchanged.
If the ciphertext came from another AWS KMS operation, you might need to convert its CiphertextBlob to a MemoryStream. The CiphertextBlob parameter of Invoke-KMSDecrypt takes a byte array (byte[]); beginning in AWSPowerShell version 4.0, a MemoryStream is converted to a byte array for you, so earlier code that passes a MemoryStream keeps working. You can also pass a FileInfo (System.IO.FileInfo) object to Invoke-KMSDecrypt.

# Decrypt a data key
# Replace the following example key ARN with any valid key identifier
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
[System.IO.MemoryStream]$ciphertext = Read-Host 'Place your cipher text blob here'
$response = Invoke-KMSDecrypt -CiphertextBlob $ciphertext -KeyId $keyId
$plaintext = $response.Plaintext

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.
 
Re-encrypting a data key under a different CMK

To decrypt an encrypted data key and then immediately re-encrypt it under a different customer master key (CMK), use the ReEncrypt operation. Both steps run on the server side within AWS KMS, so the plaintext data key is never exposed outside AWS KMS.
The ciphertextBlob that you specify must be the value of the CiphertextBlob field in the response from a GenerateDataKey, GenerateDataKeyWithoutPlaintext, or Encrypt request, or the PrivateKeyCiphertextBlob field in the response from a GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext request. ReEncrypt decrypts with the same CMK that AWS KMS used to encrypt the data key.
The SourceKeyId parameter identifies that CMK. Although AWS KMS can get the CMK from the metadata in the ciphertext blob, it is a best practice to specify the CMK that you intend to use: the request fails if the ciphertext was encrypted under a different CMK, which guards against re-encrypting data you did not mean to touch.

This example uses the AWS KMS client object that you created earlier (p. 338).

Java
For details, see the reEncrypt method in the AWS SDK for Java API Reference.

// Re-encrypt a data key
ByteBuffer sourceCiphertextBlob = Place your ciphertext here;
// Replace the following example key ARNs with valid key identifiers
String sourceKeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String destinationKeyId = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321";
ReEncryptRequest req = new ReEncryptRequest();
req.setCiphertextBlob(sourceCiphertextBlob);
req.setSourceKeyId(sourceKeyId);
req.setDestinationKeyId(destinationKeyId);
ByteBuffer destinationCipherTextBlob = kmsClient.reEncrypt(req).getCiphertextBlob();
C#
For details, see the ReEncrypt method in the AWS SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceReEncryptReEncryptRequest.html

// Re-encrypt a data key
MemoryStream sourceCiphertextBlob = new MemoryStream();
// Write ciphertext to memory stream
// Replace the following example key ARNs with valid key identifiers
String sourceKeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String destinationKeyId = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321";
ReEncryptRequest reEncryptRequest = new ReEncryptRequest()
{
    CiphertextBlob = sourceCiphertextBlob,
    SourceKeyId = sourceKeyId,
    DestinationKeyId = destinationKeyId
};
MemoryStream destinationCipherTextBlob = kmsClient.ReEncrypt(reEncryptRequest).CiphertextBlob;
Python
For details, see the re_encrypt method in the AWS SDK for Python (Boto3).

# Re-encrypt a data key
ciphertext = 'Place your ciphertext here'
# Replace the following example key ARNs with valid key identifiers
source_key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
destination_key_id = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321'
response = kms_client.re_encrypt(
    CiphertextBlob=ciphertext,
    SourceKeyId=source_key_id,
    DestinationKeyId=destination_key_id
)
destination_ciphertext_blob = response['CiphertextBlob']
Ruby
For details, see the re_encrypt method in the AWS SDK for Ruby: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#re_encrypt-instance_method

# Re-encrypt a data key
ciphertext = 'Place your ciphertext here'
ciphertext_packed = [ciphertext].pack("H*")
# Replace the following example key ARNs with valid key identifiers
source_key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
destination_key_id = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321'
response = kmsClient.re_encrypt({
  ciphertext_blob: ciphertext_packed,
  source_key_id: source_key_id,
  destination_key_id: destination_key_id
})
destination_ciphertext_blob = response.ciphertext_blob.unpack('H*')
PHP
For details, see the ReEncrypt method in the AWS SDK for PHP: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#reencrypt

// Re-encrypt a data key
$ciphertextBlob = 'Place your ciphertext here';
// Replace the following example key ARNs with valid key identifiers
$sourceKeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$destinationKeyId = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321';
$result = $KmsClient->reEncrypt([
    'CiphertextBlob' => $ciphertextBlob,
    'SourceKeyId' => $sourceKeyId,
    'DestinationKeyId' => $destinationKeyId,
]);
Node.js
For details, see the reEncrypt property in the AWS SDK for JavaScript in Node.js.

// Re-encrypt a data key
const CiphertextBlob = 'Place your cipher text blob here';
// Replace the following example key ARNs with valid key identifiers
const SourceKeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const DestinationKeyId = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321';
kmsClient.reEncrypt({ CiphertextBlob, SourceKeyId, DestinationKeyId }, (err, data) => {
  ...
});
PowerShell
To re-encrypt a ciphertext under a different CMK, use the Invoke-KMSReEncrypt cmdlet.
If the ciphertext came from another AWS KMS operation, you might need to convert its CiphertextBlob to a MemoryStream. The CiphertextBlob parameter of Invoke-KMSReEncrypt takes a byte array (byte[]); beginning in AWSPowerShell version 4.0, a MemoryStream is converted to a byte array for you, so earlier code that passes a MemoryStream keeps working. You can also pass a FileInfo (System.IO.FileInfo) object to Invoke-KMSReEncrypt.

# Re-encrypt a data key
[System.IO.MemoryStream]$ciphertextBlob = Read-Host 'Place your cipher text blob here'
# Replace the following example key ARNs with valid key identifiers
$sourceKeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
$destinationKeyId = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321'
$response = Invoke-KMSReEncrypt -CiphertextBlob $ciphertextBlob -SourceKeyId $sourceKeyId -DestinationKeyId $destinationKeyId
$reEncryptedCiphertext = $response.CiphertextBlob

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.

Working with key policies

The examples in this section use the AWS KMS API to view and change the key policies of AWS KMS customer master keys (CMKs).
For details about how key policies and IAM policies control access to your CMKs, see Authentication and access control for AWS KMS (p. 81). For help writing and formatting a JSON policy document, see the IAM JSON policy reference in the IAM User Guide.

Topics
 · Listing key policy names (p. 370)
 · Getting a key policy (p. 372)
 · Setting a key policy (p. 374)

Listing key policy names

To get the names of the key policies for a CMK, use the ListKeyPolicies operation. The only key policy name that it returns is default.

This example uses the AWS KMS client object that you created earlier (p. 338).

Java
For details, see the listKeyPolicies method in the AWS SDK for Java API Reference.

// List key policies
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
ListKeyPoliciesRequest req = new ListKeyPoliciesRequest().withKeyId(keyId);
ListKeyPoliciesResult result = kmsClient.listKeyPolicies(req);
C#
For details, see the ListKeyPolicies method in the AWS SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceListKeyPoliciesListKeyPoliciesRequest.html

// List key policies
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
ListKeyPoliciesRequest listKeyPoliciesRequest = new ListKeyPoliciesRequest()
{
    KeyId = keyId
};
ListKeyPoliciesResponse listKeyPoliciesResponse = kmsClient.ListKeyPolicies(listKeyPoliciesRequest);
Python
For details, see the list_key_policies method in the AWS SDK for Python (Boto3).

# List key policies
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
response = kms_client.list_key_policies(
    KeyId=key_id
)
Ruby
For details, see the list_key_policies method in the AWS SDK for Ruby: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#list_key_policies-instance_method

# List key policies
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
response = kmsClient.list_key_policies({
  key_id: key_id
})
PHP
For details, see the ListKeyPolicies method in the AWS SDK for PHP: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listkeypolicies

// List key policies
//
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$result = $KmsClient->listKeyPolicies([
    'KeyId' => $keyId
]);
Node.js
For details, see the listKeyPolicies property in the AWS SDK for JavaScript in Node.js.

// List key policies
//
// Replace the following example key ARN with a valid key ID or key ARN
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
kmsClient.listKeyPolicies({ KeyId }, (err, data) => {
  ...
});
PowerShell
To get the names of the key policies for a CMK, use the Get-KMSKeyPolicyList cmdlet.

# List key policies
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
$response = Get-KMSKeyPolicyList -KeyId $keyId

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.

Getting a key policy

To get the key policy for a CMK, use the GetKeyPolicy operation. GetKeyPolicy requires a policy name; the only valid policy name is default.

This example uses the AWS KMS client object that you created earlier (p. 338).

Java
For details, see the getKeyPolicy method in the AWS SDK for Java API Reference.

// Get the policy for a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";
GetKeyPolicyRequest req = new GetKeyPolicyRequest().withKeyId(keyId).withPolicyName(policyName);
GetKeyPolicyResult result = kmsClient.getKeyPolicy(req);
C#
For details, see the GetKeyPolicy method in the AWS SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceGetKeyPolicyGetKeyPolicyRequest.html

// Get the policy for a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";
GetKeyPolicyRequest getKeyPolicyRequest = new GetKeyPolicyRequest()
{
    KeyId = keyId,
    PolicyName = policyName
};
GetKeyPolicyResponse getKeyPolicyResponse = kmsClient.GetKeyPolicy(getKeyPolicyRequest);
Python
For details, see the get_key_policy method in the AWS SDK for Python (Boto3).

# Get the policy for a CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
policy_name = 'default'
response = kms_client.get_key_policy(
    KeyId=key_id,
    PolicyName=policy_name
)
Ruby
For details, see the get_key_policy method in the AWS SDK for Ruby: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#get_key_policy-instance_method

# Get the policy for a CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
policy_name = 'default'
response = kmsClient.get_key_policy({
  key_id: key_id,
  policy_name: policy_name
})
PHP
For details, see the GetKeyPolicy method in the AWS SDK for PHP: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#getkeypolicy

// Get the policy for a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$policyName = "default";
$result = $KmsClient->getKeyPolicy([
    'KeyId' => $keyId,
    'PolicyName' => $policyName
]);
Node.js
For details, see the getKeyPolicy property in the AWS SDK for JavaScript in Node.js.

// Get the policy for a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const PolicyName = 'default';
kmsClient.getKeyPolicy({ KeyId, PolicyName }, (err, data) => {
  ...
});
PowerShell
To get the key policy for a CMK, use the Get-KMSKeyPolicy cmdlet. It returns the key policy as a string (System.String) that you can pass to the Write-KMSKeyPolicy cmdlet (PutKeyPolicy). To convert the JSON string to a PSCustomObject, use the ConvertFrom-Json cmdlet.

# Get the policy for a CMK
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
$policyName = 'default'
$response = Get-KMSKeyPolicy -KeyId $keyId -PolicyName $policyName

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.

Setting a key policy

To establish or change a key policy for a CMK, use the PutKeyPolicy operation. PutKeyPolicy requires a policy name; the only valid policy name is default.

This example uses the AWS KMS client object that you created earlier (p. 338).

Java
For details, see the putKeyPolicy method in the AWS SDK for Java API Reference.

// Set a key policy for a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";
String policy = "{" +
    "  \"Version\": \"2012-10-17\"," +
    "  \"Statement\": [{" +
    "    \"Sid\": \"Allow access for ExampleUser\"," +
    "    \"Effect\": \"Allow\"," +
    // Replace the following example user ARN with a valid one
    "    \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," +
    "    \"Action\": [" +
    "      \"kms:Encrypt\"," +
    "      \"kms:GenerateDataKey*\"," +
    "      \"kms:Decrypt\"," +
    "      \"kms:DescribeKey\"," +
    "      \"kms:ReEncrypt*\"" +
    "    ]," +
    "    \"Resource\": \"*\"" +
    "  }]" +
    "}";
PutKeyPolicyRequest req = new PutKeyPolicyRequest().withKeyId(keyId).withPolicy(policy).withPolicyName(policyName);
kmsClient.putKeyPolicy(req);

C#
For details, see the PutKeyPolicy method in the AWS SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServicePutKeyPolicyPutKeyPolicyRequest.html

// Set a key policy for a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";
String policy = "{" +
    "  \"Version\": \"2012-10-17\"," +
    "  \"Statement\": [{" +
    "    \"Sid\": \"Allow access for ExampleUser\"," +
    "    \"Effect\": \"Allow\"," +
    // Replace the following example user ARN with a valid one
    "    \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," +
    "    \"Action\": [" +
    "      \"kms:Encrypt\"," +
    "      \"kms:GenerateDataKey*\"," +
    "      \"kms:Decrypt\"," +
    "      \"kms:DescribeKey\"," +
    "      \"kms:ReEncrypt*\"" +
    "    ]," +
    "    \"Resource\": \"*\"" +
    "  }]" +
    "}";
PutKeyPolicyRequest putKeyPolicyRequest = new PutKeyPolicyRequest()
{
    KeyId = keyId,
    Policy = policy,
    PolicyName = policyName
};
kmsClient.PutKeyPolicy(putKeyPolicyRequest);
Python
For details, see the put_key_policy method in the AWS SDK for Python (Boto3).

# Set a key policy for a CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
policy_name = 'default'
policy = """
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow access for ExampleUser",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"},
        "Action": [
            "kms:Encrypt",
            "kms:GenerateDataKey*",
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:ReEncrypt*"
        ],
        "Resource": "*"
    }]
}"""
response = kms_client.put_key_policy(
    KeyId=key_id,
    Policy=policy,
    PolicyName=policy_name
)
Ruby
For details, see the put_key_policy method in the AWS SDK for Ruby: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#put_key_policy-instance_method

# Set a key policy for a CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
policy_name = 'default'
policy = "{" +
  "  \"Version\": \"2012-10-17\"," +
  "  \"Statement\": [{" +
  "    \"Sid\": \"Allow access for ExampleUser\"," +
  "    \"Effect\": \"Allow\"," +
  # Replace the following example user ARN with a valid one
  "    \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," +
  "    \"Action\": [" +
  "      \"kms:Encrypt\"," +
  "      \"kms:GenerateDataKey*\"," +
  "      \"kms:Decrypt\"," +
  "      \"kms:DescribeKey\"," +
  "      \"kms:ReEncrypt*\"" +
  "    ]," +
  "    \"Resource\": \"*\"" +
  "  }]" +
  "}"
response = kmsClient.put_key_policy({
  key_id: key_id,
  policy: policy,
  policy_name: policy_name
})

PHP
For details, see the PutKeyPolicy method in the AWS SDK for PHP: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#putkeypolicy

// Set a key policy for a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$policyName = "default";
$result = $KmsClient->putKeyPolicy([
    'KeyId' => $keyId,
    'PolicyName' => $policyName,
    'Policy' => '{
        "Version": "2012-10-17",
        "Id": "custom-policy-2016-12-07",
        "Statement": [
            {
                "Sid": "Enable IAM policies",
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
                "Action": [ "kms:*" ],
                "Resource": "*"
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
                "Action": [
                    "kms:Encrypt*",
                    "kms:GenerateDataKey*",
                    "kms:Decrypt*",
                    "kms:DescribeKey*",
                    "kms:ReEncrypt*"
                ],
                "Resource": "*"
            }
        ]
    }'
]);

Node.js
For details, see the putKeyPolicy property in the AWS SDK for JavaScript in Node.js.

// Set a key policy for a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const PolicyName = 'default';
const Policy = `{
  "Version": "2012-10-17",
  "Id": "custom-policy-2016-12-07",
  "Statement": [
    {
      "Sid": "Enable IAM policies",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
      "Action": [
        "kms:Encrypt*",
        "kms:GenerateDataKey*",
        "kms:Decrypt*",
        "kms:DescribeKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "*"
    }
  ]
}`; // The key policy document
kmsClient.putKeyPolicy({ KeyId, Policy, PolicyName }, (err, data) => {
  ...
});
PowerShell
To establish or change the key policy for a CMK, use the Write-KMSKeyPolicy cmdlet. To get the current policy first, use the Get-KMSKeyPolicy cmdlet.
The Policy parameter takes the key policy document as a string.

# Set a key policy for a CMK
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
$policyName = 'default'
$policy = '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM policies",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
      "Action": [
        "kms:Encrypt*",
        "kms:GenerateDataKey*",
        "kms:Decrypt*",
        "kms:DescribeKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "*"
    }
  ]
}'
Write-KMSKeyPolicy -KeyId $keyId -PolicyName $policyName -Policy $policy

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.
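PutKeyPolicy replaces the whole policy, so a mistake in the document can lock you out of the key or open it to more principals than intended. The following added example (not code from this guide or from AWS) lints a key policy before it is sent: it checks the Version, requires a statement that gives the account root kms:* so IAM policies keep working, flags an Allow for any principal ("*") without a Condition and duplicate Sids, and summarises what each principal is granted. The sample policy, the account ID 111122223333 and the function names are constructed for this example.

```python
import json

# Constructed sample policy for this example (not a policy from the guide or
# from AWS): an "Enable IAM policies" statement for the account root plus a
# usage statement for ExampleUser, the shape used throughout this section.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Id": "custom-policy-2016-12-07",
  "Statement": [
    {
      "Sid": "Enable IAM policies",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"},
      "Action": ["kms:Encrypt*", "kms:GenerateDataKey*", "kms:Decrypt*",
                 "kms:DescribeKey*", "kms:ReEncrypt*"],
      "Resource": "*"
    }
  ]
}"""

def _as_list(value):
    """Action, Resource and Principal.AWS may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """Principal identifiers of a statement; "*" means any principal."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        found = []
        for kind in ("AWS", "Service", "Federated"):
            found.extend(_as_list(principal.get(kind)))
        return found
    return []

def lint_key_policy(policy_json, account_id):
    """Return a list of findings for a key policy document (empty = clean).

    Checks: valid JSON with Version 2012-10-17; a statement that gives the
    account root kms:* on "*" (without it, IAM policies cannot control the
    key and it can become unmanageable); no Allow for any principal ("*")
    without a Condition; unique Sids.
    """
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc}"]
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    statements = _as_list(policy.get("Statement"))
    if not statements:
        findings.append("policy has no Statement")
    root_arn = f"arn:aws:iam::{account_id}:root"
    root_has_full_access = False
    seen_sids = set()
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid")
        if sid is not None:
            if sid in seen_sids:
                findings.append(f"duplicate Sid {sid!r}")
            seen_sids.add(sid)
        if stmt.get("Effect") != "Allow":
            continue
        principals = _principals(stmt)
        actions = _as_list(stmt.get("Action"))
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"statement {index} allows any principal without a Condition")
        if root_arn in principals and "kms:*" in actions and stmt.get("Resource") == "*":
            root_has_full_access = True
    if not root_has_full_access:
        findings.append(f'no statement grants kms:* on "*" to {root_arn}; '
                        "the key may become unmanageable")
    return findings

def permissions_by_principal(policy_json):
    """Map each principal in Allow statements to the sorted actions it receives."""
    result = {}
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            result.setdefault(principal, set()).update(_as_list(stmt.get("Action")))
    return {principal: sorted(actions) for principal, actions in result.items()}

if __name__ == "__main__":
    print(lint_key_policy(SAMPLE_POLICY, "111122223333"))
    print(permissions_by_principal(SAMPLE_POLICY))
```

Run the linter on the policy string immediately before the PutKeyPolicy call and refuse to send it while the findings list is non-empty.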

Working with grants

The examples in this section use the AWS KMS API to create, view, retire, and revoke grants on AWS KMS customer master keys (CMKs). For details about grants, see Using grants (p. 199).

Topics
 · Creating a grant (p. 379)
 · Viewing a grant (p. 382)
 · Retiring a grant (p. 386)
 · Revoking a grant (p. 388)

Creating a grant

To create a grant for an AWS KMS CMK, use the CreateGrant operation. The response includes the ID of the new grant. To view the grants on a CMK, use the ListGrants operation (p. 382).
The following examples create a grant that allows the IAM user Alice to call the GenerateDataKey operation on the CMK identified by the KeyId parameter.

This example uses the AWS KMS client object that you created earlier (p. 338).

Java
For details, see the createGrant method in the AWS SDK for Java API Reference.

// Create a grant
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String granteePrincipal = "arn:aws:iam::111122223333:user/Alice";
String operation = GrantOperation.GenerateDataKey.toString();
CreateGrantRequest request = new CreateGrantRequest()
    .withKeyId(keyId)
    .withGranteePrincipal(granteePrincipal)
    .withOperations(operation);
CreateGrantResult result = kmsClient.createGrant(request);
C#
For details, see the CreateGrant method in the AWS SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceCreateGrantCreateGrantRequest.html

// Create a grant
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String granteePrincipal = "arn:aws:iam::111122223333:user/Alice";
String operation = GrantOperation.GenerateDataKey;
CreateGrantRequest createGrantRequest = new CreateGrantRequest()
{
    KeyId = keyId,
    GranteePrincipal = granteePrincipal,
    Operations = new List<string>() { operation }
};
CreateGrantResponse createGrantResult = kmsClient.CreateGrant(createGrantRequest);
Python
For details, see the create_grant method in the AWS SDK for Python (Boto3).

# Create a grant
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
grantee_principal = 'arn:aws:iam::111122223333:user/Alice'
operation = ['GenerateDataKey']
response = kms_client.create_grant(
    KeyId=key_id,
    GranteePrincipal=grantee_principal,
    Operations=operation
)
Ruby
For details, see the create_grant method in the AWS SDK for Ruby: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#create_grant-instance_method

# Create a grant
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
grantee_principal = 'arn:aws:iam::111122223333:user/Alice'
operation = ['GenerateDataKey']
response = kmsClient.create_grant({
  key_id: key_id,
  grantee_principal: grantee_principal,
  operations: operation
})
PHP
For details, see the CreateGrant method in the AWS SDK for PHP: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#creategrant

// Create a grant
//
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$granteePrincipal = "arn:aws:iam::111122223333:user/Alice";
$operation = ['GenerateDataKey'];
$result = $KmsClient->createGrant([
    'GranteePrincipal' => $granteePrincipal,
    'KeyId' => $keyId,
    'Operations' => $operation
]);
Node.js
For details, see the createGrant property in the AWS SDK for JavaScript in Node.js.

// Create a grant
//
// Replace the following example key ARN with a valid key ID or key ARN
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const GranteePrincipal = 'arn:aws:iam::111122223333:user/Alice';
const Operations = ["GenerateDataKey"];
kmsClient.createGrant({ KeyId, GranteePrincipal, Operations }, (err, data) => {
  ...
});
PowerShell
To create a grant, use the New-KMSGrant cmdlet.

# Create a grant
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
$granteePrincipal = 'arn:aws:iam::111122223333:user/Alice'
$operation = 'GenerateDataKey'
$response = New-KMSGrant -GranteePrincipal $granteePrincipal -KeyId $keyId -Operation $operation

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.

Viewing a grant

To get detailed information about the grants on an AWS KMS CMK, use the ListGrants operation.

Note
The GranteePrincipal field in the ListGrants response usually contains the user or role that was designated as the grantee principal in the grant. However, when the grantee principal in the grant is an AWS service, the GranteePrincipal field contains the service principal, which might represent several different grantee principals.

This example uses the AWS KMS client object that you created earlier (p. 338).
The examples use the Limit parameter to return no more than 10 grants per response.

Java
For details, see the listGrants method in the AWS SDK for Java API Reference.

// Listing grants on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
Integer limit = 10;
ListGrantsRequest req = new ListGrantsRequest().withKeyId(keyId).withLimit(limit);
ListGrantsResult result = kmsClient.listGrants(req);
C#
For details, see the ListGrants method in the AWS SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceListGrantsListGrantsRequest.html

// Listing grants on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
int limit = 10;
ListGrantsRequest listGrantsRequest = new ListGrantsRequest()
{
    KeyId = keyId,
    Limit = limit
};
ListGrantsResponse listGrantsResponse = kmsClient.ListGrants(listGrantsRequest);
Python
For details, see the list_grants method in the AWS SDK for Python (Boto3).

# Listing grants on a CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
response = kms_client.list_grants(
    KeyId=key_id,
    Limit=10
)
Ruby
For details, see the list_grants method in the AWS SDK for Ruby: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#list_grants-instance_method

# Listing grants on a CMK
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
response = kmsClient.list_grants({
  key_id: key_id,
  limit: 10
})
PHP
For details, see the ListGrants method in the AWS SDK for PHP: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listgrants

// Listing grants on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$limit = 10;
$result = $KmsClient->listGrants([
    'KeyId' => $keyId,
    'Limit' => $limit,
]);
Node.js

For details, see the listGrants property in the AWS SDK for JavaScript in Node.js.

// Listing grants on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const Limit = 10;
kmsClient.listGrants({ KeyId, Limit }, (err, data) => {
  ...
});
PowerShell

To list the grants for a CMK, use the Get-KMSGrantList cmdlet. To limit the number of output objects, pipe the result to the Select-Object cmdlet, as in the following example.

# Listing grants on a CMK
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
$limit = 10
$response = Get-KMSGrantList -KeyId $keyId | Select-Object -First $limit

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.

The following examples use ListGrants with the GranteePrincipal parameter to get only the grants for a particular grantee, the test-engineer role. Replace the example key ARN and the role ARN with valid values.
Java

For details, see the listGrants method in the AWS SDK for Java API Reference.

// Listing grants on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String grantee = "arn:aws:iam::111122223333:role/test-engineer";

ListGrantsRequest req = new ListGrantsRequest().withKeyId(keyId).withGranteePrincipal(grantee);
ListGrantsResult result = kmsClient.listGrants(req);
C#

For details, see the ListGrants method in the AWS SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceListGrantsListGrantsRequest.html

// Listing grants on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String grantee = "arn:aws:iam::111122223333:role/test-engineer";

ListGrantsRequest listGrantsRequest = new ListGrantsRequest()
{
    KeyId = keyId,
    GranteePrincipal = grantee
};
ListGrantsResponse listGrantsResponse = kmsClient.ListGrants(listGrantsRequest);
Python

For details, see the list_grants method in the AWS SDK for Python (Boto3).

# Listing grants on a CMK

# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
grantee = 'arn:aws:iam::111122223333:role/test-engineer'

response = kms_client.list_grants(
    KeyId=key_id,
    GranteePrincipal=grantee
)
Ruby

For details, see the list_grants instance method in the AWS SDK for Ruby: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#list_grants-instance_method

# Listing grants on a CMK

# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
grantee = 'arn:aws:iam::111122223333:role/test-engineer'

response = kmsClient.list_grants({
  key_id: key_id,
  grantee_principal: grantee
})
PHP

For details, see the ListGrants method in the AWS SDK for PHP: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listgrants

// Listing grants on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$grantee = 'arn:aws:iam::111122223333:role/test-engineer';

$result = $KmsClient->listGrants([
    'KeyId' => $keyId,
    'GranteePrincipal' => $grantee,
]);
Node.js

For details, see the listGrants property in the AWS SDK for JavaScript in Node.js. The request parameter is GranteePrincipal; a property named Grantee is not recognized.

// Listing grants on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const GranteePrincipal = 'arn:aws:iam::111122223333:role/test-engineer';
kmsClient.listGrants({ KeyId, GranteePrincipal }, (err, data) => {
  ...
});
PowerShell

To list the grants for a CMK, use the Get-KMSGrantList cmdlet. To get only the grants for a particular grantee, use its GranteePrincipal parameter.

# Listing grants on a CMK
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
$grantee = 'arn:aws:iam::111122223333:role/test-engineer'
$response = Get-KMSGrantList -KeyId $keyId -GranteePrincipal $grantee

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.
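The SDK snippets above cap the page size with Limit, but a CMK can carry more grants than one page returns, so an audit has to follow Truncated and NextMarker. The following Python is an added example, not code from the guide: it uses the boto3 call shapes for list_grants and revoke_grant (KeyId, Limit, Marker, GranteePrincipal, GrantId; Truncated and NextMarker in the response) but runs against a constructed in-memory stand-in for the client, so it works offline. It pages through every grant on a key, flags grants whose GranteePrincipal is not on an allow-list (for example a role in another account), and revokes them. The allow-list, the grant records and the FakeKmsClient class are constructed for the example; with a real client, replace FakeKmsClient with boto3.client("kms").

```python
"""Audit and prune grants on an AWS KMS key (boto3 call shapes, offline stand-in client)."""

KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed grant records shaped like ListGrants output.
SAMPLE_GRANTS = [
    {"GrantId": "grant1", "Name": "ebs-volume",
     "GranteePrincipal": "arn:aws:iam::111122223333:role/test-engineer",
     "Operations": ["Decrypt", "GenerateDataKey"]},
    {"GrantId": "grant2", "Name": "app",
     "GranteePrincipal": "arn:aws:iam::111122223333:role/app-role",
     "Operations": ["Decrypt"]},
    {"GrantId": "grant3", "Name": "",
     "GranteePrincipal": "arn:aws:iam::444455556666:role/unknown-role",
     "Operations": ["Decrypt", "Encrypt", "CreateGrant"]},
]


class FakeKmsClient:
    """Minimal stand-in for boto3's KMS client; pages like the real service.
    The real Marker is an opaque string; this stand-in uses an offset."""

    def __init__(self, grants):
        self._grants = {KEY_ARN: list(grants)}
        self.revoked = []

    def list_grants(self, KeyId, Limit=50, Marker=None, GranteePrincipal=None):
        grants = self._grants[KeyId]
        if GranteePrincipal is not None:
            grants = [g for g in grants if g["GranteePrincipal"] == GranteePrincipal]
        start = int(Marker) if Marker else 0
        response = {"Grants": grants[start:start + Limit],
                    "Truncated": start + Limit < len(grants)}
        if response["Truncated"]:
            response["NextMarker"] = str(start + Limit)
        return response

    def revoke_grant(self, KeyId, GrantId):
        self._grants[KeyId] = [g for g in self._grants[KeyId] if g["GrantId"] != GrantId]
        self.revoked.append(GrantId)
        return {}


def iter_grants(kms, key_id, page_size=10, grantee_principal=None):
    """Yield every grant on key_id, following NextMarker until Truncated is False."""
    kwargs = {"KeyId": key_id, "Limit": page_size}
    if grantee_principal:
        kwargs["GranteePrincipal"] = grantee_principal
    while True:
        page = kms.list_grants(**kwargs)
        yield from page.get("Grants", [])
        if not page.get("Truncated"):
            return
        kwargs["Marker"] = page["NextMarker"]


def unexpected_grants(kms, key_id, allowed_principals, page_size=10):
    """Grants whose grantee is outside the allow-list, across all pages."""
    return [g for g in iter_grants(kms, key_id, page_size)
            if g["GranteePrincipal"] not in allowed_principals]


def revoke_unexpected(kms, key_id, allowed_principals, page_size=10):
    """RevokeGrant each unexpected grant; returns the revoked grant IDs.
    The list is materialized first so revocation does not disturb paging.
    Revoke rather than retire: RevokeGrant needs kms:RevokeGrant on the key,
    while RetireGrant is for the grant's own retiring principal or grantee."""
    revoked = []
    for g in unexpected_grants(kms, key_id, allowed_principals, page_size):
        kms.revoke_grant(KeyId=key_id, GrantId=g["GrantId"])
        revoked.append(g["GrantId"])
    return revoked


if __name__ == "__main__":
    client = FakeKmsClient(SAMPLE_GRANTS)
    allowed = {"arn:aws:iam::111122223333:role/test-engineer",
               "arn:aws:iam::111122223333:role/app-role"}
    print("revoked:", revoke_unexpected(client, KEY_ARN, allowed, page_size=2))
```

With page_size=2 the three sample grants span two pages; the grant for the role in account 444455556666 is the only one revoked.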

RetireGrant

To retire a grant, use the RetireGrant operation. Retire a grant when you are done using it, to clean up; once retired, the permissions the grant allowed end.

You can identify the grant by its grant token, or by the combination of the grant ID and the key ID or key ARN (p. 42) of the CMK. The CreateGrant operation returns both the grant token and the grant ID; ListGrants returns the grant ID. The examples in this section identify the grant by its grant token. RetireGrant also accepts GrantId together with KeyId, in which case you can take the grant ID from the output of ListGrants.

For the kmsClient object used in these examples, see Creating a client (p. 338).

Java

For details, see the retireGrant method in the AWS SDK for Java API Reference.

// Retire a grant
//
// Replace the example grant token with the token that CreateGrant returned
String grantToken = "Place your grant token here";

RetireGrantRequest req = new RetireGrantRequest().withGrantToken(grantToken);
kmsClient.retireGrant(req);
C#

For details, see the RetireGrant method in the AWS SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceRetireGrantRetireGrantRequest.html

// Retire a grant
//
// Replace the example grant token with the token that CreateGrant returned
String grantToken = "Place your grant token here";

RetireGrantRequest retireGrantRequest = new RetireGrantRequest()
{
    GrantToken = grantToken
};
kmsClient.RetireGrant(retireGrantRequest);
Python

For details, see the retire_grant method in the AWS SDK for Python (Boto3).

# Retire a grant

# Replace the example grant token with the token that CreateGrant returned
grant_token = 'Place your grant token here'

response = kms_client.retire_grant(
    GrantToken=grant_token
)
Ruby

For details, see the retire_grant instance method in the AWS SDK for Ruby: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#retire_grant-instance_method

# Retire a grant

# Replace the example grant token with the token that CreateGrant returned
grant_token = 'Place your grant token here'

response = kmsClient.retire_grant({
  grant_token: grant_token
})
PHP

For details, see the RetireGrant method in the AWS SDK for PHP: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#retiregrant

// Retire a grant
//
// Replace the example grant token with the token that CreateGrant returned
$grantToken = 'Place your grant token here';

$result = $KmsClient->retireGrant([
    'GrantToken' => $grantToken,
]);
Node.js

For details, see the retireGrant property in the AWS SDK for JavaScript in Node.js.

// Retire a grant
//
// Replace the example grant token with the token that CreateGrant returned
const GrantToken = 'Place your grant token here';
kmsClient.retireGrant({ GrantToken }, (err, data) => {
  ...
});
PowerShell

To retire a grant, use the Disable-KMSGrant cmdlet. To get the grant token, use the GrantToken property of the object that the New-KMSGrant cmdlet returns. The following example prompts for the grant token with Read-Host.

# Retire a grant
$grantToken = Read-Host -Prompt "Place your grant token here"
Disable-KMSGrant -GrantToken $grantToken

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.
RevokeGrant

To revoke a grant on a CMK, use the RevokeGrant operation. Revoke a grant to actively deny the operations that depend on it. Unlike RetireGrant, RevokeGrant identifies the grant only by the key ID (or key ARN) of the CMK and the grant ID; you can take the grant ID from the response to CreateGrant or from ListGrants.

For the kmsClient object used in these examples, see Creating a client (p. 338).

Java

For details, see the revokeGrant method in the AWS SDK for Java API Reference.

// Revoke a grant on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
// Replace the following example grant ID with a valid one
String grantId = "grant1";

RevokeGrantRequest req = new RevokeGrantRequest().withKeyId(keyId).withGrantId(grantId);
kmsClient.revokeGrant(req);
C#

For details, see the RevokeGrant method in the AWS SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/KeyManagementService/MKeyManagementServiceRevokeGrantRevokeGrantRequest.html

// Revoke a grant on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
// Replace the following example grant ID with a valid one
String grantId = "grant1";

RevokeGrantRequest revokeGrantRequest = new RevokeGrantRequest()
{
    KeyId = keyId,
    GrantId = grantId
};
kmsClient.RevokeGrant(revokeGrantRequest);
Python

For details, see the revoke_grant method in the AWS SDK for Python (Boto3).

# Revoke a grant on a CMK

# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
# Replace the following example grant ID with a valid one
grant_id = 'grant1'

response = kms_client.revoke_grant(
    KeyId=key_id,
    GrantId=grant_id
)
Ruby

For details, see the revoke_grant instance method in the AWS SDK for Ruby: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#revoke_grant-instance_method

# Revoke a grant on a CMK

# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
# Replace the following example grant ID with a valid one
grant_id = 'grant1'

response = kmsClient.revoke_grant({
  key_id: key_id,
  grant_id: grant_id
})
PHP

For details, see the RevokeGrant method in the AWS SDK for PHP: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#revokegrant

// Revoke a grant on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
// Replace the following example grant ID with a valid one
$grantId = 'grant1';

$result = $KmsClient->revokeGrant([
    'KeyId' => $keyId,
    'GrantId' => $grantId,
]);
Node.js

For details, see the revokeGrant property in the AWS SDK for JavaScript in Node.js.

// Revoke a grant on a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
// Replace the following example grant ID with a valid one
const GrantId = 'grant1';
kmsClient.revokeGrant({ GrantId, KeyId }, (err, data) => {
  ...
});
PowerShell

To revoke a grant, use the Revoke-KMSGrant cmdlet.

# Revoke a grant on a CMK
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
# Replace the following example grant ID with a valid one
$grantId = 'grant1'
Revoke-KMSGrant -KeyId $keyId -GrantId $grantId

To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.

Creating AWS KMS resources with AWS CloudFormation

AWS KMS is integrated with AWS CloudFormation, a service that helps you model and set up your AWS resources so that you can spend less time creating and managing resources and infrastructure. You create a template that describes the AWS resources you want, such as customer master keys (CMKs) and aliases, and AWS CloudFormation provisions and configures them for you.

Templates are JSON or YAML files. If you are unfamiliar with JSON or YAML, you can use AWS CloudFormation Designer to get started with templates. For more information, see What is AWS CloudFormation Designer? in the AWS CloudFormation User Guide.

AWS KMS and AWS CloudFormation templates

AWS KMS supports the following AWS CloudFormation resource types:

· AWS::KMS::Key creates a customer master key (CMK) (p. 3), including CMKs with imported key material (p. 405) and CMKs in a custom key store (p. 421).
· AWS::KMS::Alias creates an alias (p. 62) and associates it with a CMK.
· AWS::KMS::ReplicaKey (p. 249) creates a replica of a multi-Region primary key that was created with AWS::KMS::Key. For details, see Creating multi-Region replica keys (p. 270) and Multi-Region keys in AWS KMS (p. 244).

Because a CMK is a security resource, note how AWS CloudFormation handles it: a CMK cannot be deleted immediately. When a stack removes or deletes an AWS::KMS::Key resource, AWS KMS schedules the CMK for deletion and the mandatory waiting period starts; the CMK remains in your account in the Pending deletion state until the waiting period ends, and you can cancel the deletion from the AWS KMS console or API. For more information, see Deleting customer master keys (p. 393).

Learn more about AWS CloudFormation

· What is AWS CloudFormation? in the AWS CloudFormation User Guide
· AWS CloudFormation Command Line Interface User Guide
· AWS CloudFormation API Reference
· AWS CloudFormation User Guide


Deleting customer master keys

Deleting a customer master key (CMK) in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and it is irreversible. After a CMK is deleted, you can no longer decrypt the data that was encrypted under that CMK, which means that the data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK (p. 58) instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.

Before deleting a CMK, you might want to know how many ciphertexts were encrypted under it. AWS KMS does not store this information and does not store any of the ciphertexts, so you must determine past usage of the CMK (p. 402) yourself, for example from AWS CloudTrail logs.

You can schedule deletion of the following CMKs in AWS KMS (you cannot delete AWS managed CMKs or AWS owned CMKs; AWS manages their lifecycle):
· customer managed CMKs whose key material AWS KMS generated
· CMKs with imported key material (you can also delete just the key material, which makes the CMK unusable immediately but lets you reimport the same key material later)
· CMKs in a custom key store (p. 531)

Note
An AWS managed CMK cannot be deleted by the customer; AWS KMS deletes such a CMK only when the AWS service that uses it no longer needs it.

AWS KMS records an entry in your AWS CloudTrail log (p. 321) when you schedule deletion of a CMK, when you cancel the deletion, and when the CMK is actually deleted (p. 305).

The key state (p. 273) determines which AWS KMS operations are allowed on a CMK, including during the Pending deletion state.

Topics
· How deleting customer master keys works (p. 393)
· How unusable CMKs affect data keys (p. 394)
· Scheduling and canceling key deletion (p. 395)
· Adding permission to schedule and cancel key deletion (p. 398)
· Creating an Amazon CloudWatch alarm that detects use of a CMK that is pending deletion (p. 399)
· Determining past usage of a customer master key (p. 402)

How deleting customer master keys works

Because it is destructive and potentially dangerous to delete a CMK, AWS KMS requires you to set a waiting period of 7 to 30 days. The default waiting period is 30 days.


During the waiting period, the key state of the CMK is Pending deletion and the CMK cannot be used in any cryptographic operation. The CMK is deleted within 24 hours after the waiting period ends; until then DescribeKey still returns the CMK with its key state and scheduled deletion date. For the operations allowed on a CMK pending deletion, see Key state: effect on your CMK (p. 28).

To learn how to view the state of a CMK, see:
· Viewing keys (p. 12)
· Key state: effect on your CMK (p. 284)

AWS KMS enforces the waiting period precisely so that you can cancel the deletion if you find that the CMK is still needed. After the CMK is deleted, it cannot be recovered, and data encrypted under it cannot be decrypted.

Because a CMK that is pending deletion is unusable, a workload that still depends on it fails during the waiting period. Use an Amazon CloudWatch alarm (p. 399) to detect requests that try to use a CMK that is pending deletion, and cancel the deletion if such requests occur. The alarm does not see every use: an AWS service that already holds a plaintext data key does not call AWS KMS again (see the next section).

Deleting asymmetric CMKs

Users who are authorized (p. 398) can delete symmetric or asymmetric CMKs; the procedure is the same. However, because the public key of an asymmetric CMK can be downloaded and used outside AWS KMS (p. 60), deleting an asymmetric CMK with key usage ENCRYPT_DECRYPT carries an additional hazard: data encrypted outside AWS KMS with the downloaded public key can be decrypted only with the private key, which stays in AWS KMS and is destroyed with the CMK.

· Anyone who downloaded the public key (p. 12) can keep encrypting with it; AWS KMS cannot see or prevent use of the public key outside AWS KMS.
· Disabling the CMK or scheduling it for deletion does not stop use of a previously downloaded public key.
· Ciphertext created with the public key cannot be decrypted after the CMK is deleted.

Before deleting an asymmetric CMK with key usage ENCRYPT_DECRYPT, look in your CloudTrail logs for GetPublicKey events for the CMK, and consider disabling the CMK (p. 58) for a time instead of deleting it.

Deleting multi-Region keys

Authorized users (p. 398) can schedule deletion of multi-Region primary and replica keys; the waiting period and key states (p. 273) apply to each key separately. See Deleting multi-Region keys for the order in which primary and replica keys are deleted.


How unusable CMKs affect data keys

When a CMK becomes unusable, the effect is not immediately apparent in every AWS service that uses it. AWS services such as Amazon EBS and Amazon Redshift (p. 3) use CMKs to generate data keys (p. 5), which they then use to encrypt data outside AWS KMS. A service keeps the plaintext data key only in memory, and it must ask AWS KMS to decrypt the encrypted data key whenever it needs the plaintext again. Amazon EBS volumes show how this works:

1. You create an encrypted EBS volume and specify a CMK. Amazon EBS asks AWS KMS to generate a data key under that CMK and stores the encrypted data key with the volume.
2. When you attach the EBS volume to an EC2 instance, Amazon EC2 asks AWS KMS to decrypt the encrypted data key with the CMK. Amazon EC2 keeps the plaintext data key in hypervisor memory and uses it for the volume's I/O.
3. You schedule the CMK for deletion (or disable it). Because Amazon EC2 already holds the plaintext data key, the attached volume keeps working; the unusable CMK has no immediate effect on the instance's I/O.
4. When the EBS volume is detached from the EC2 instance, Amazon EC2 discards the plaintext data key. The next time the volume is attached, Amazon EBS must ask AWS KMS to decrypt the encrypted data key again, and that request fails because the CMK is unusable. The volume cannot be used again until the CMK is re-enabled or its deletion is canceled.

Scheduling and canceling key deletion

You can schedule the deletion of a customer master key (CMK), and cancel a scheduled deletion, in the AWS Management Console, with the AWS CLI, or with the AWS SDK for Java. Key states (p. 273) lists the operations that are allowed while a CMK is pending deletion.

Warning
Deleting a CMK is destructive and irreversible. Before you schedule deletion, make sure you no longer need the CMK; when in doubt, disable it (p. 58) instead.

When you schedule a CMK for deletion, AWS KMS puts the CMK in the Pending deletion state and it cannot be used in cryptographic operations. You must be authorized to schedule and cancel key deletion; see Adding permission to schedule and cancel key deletion (p. 398).

AWS KMS records ScheduleKeyDeletion and CancelKeyDeletion entries in your AWS CloudTrail log (p. 321), and records the deletion itself as well (p. 305).

Topics
· Scheduling and canceling key deletion (console) (p. 396)
· Scheduling and canceling key deletion (AWS CLI) (p. 396)
· Scheduling and canceling key deletion (AWS SDK for Java) (p. 397)

Scheduling and canceling key deletion (console)

To schedule key deletion in the AWS Management Console:

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys.
4. Select the check box for the CMK that you want to delete.
5. Choose Key actions, Schedule key deletion.
6. Read and consider the warning, and the information about canceling the deletion during the waiting period. If you decide not to delete the CMK, choose Cancel.
7. For Waiting period (in days), enter a number of days between 7 and 30.
8. Review the CMKs that you are deleting.
9. Select the check box next to Confirm you want to schedule this key for deletion in <number of days> days.
10. Choose Schedule deletion.

The status of the CMK changes to Pending deletion.

To cancel key deletion in the AWS Management Console:

1. Open the AWS KMS console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys.
4. Select the check box for the CMK that you want to recover.
5. Choose Key actions, Cancel key deletion.

The status of the CMK changes from Pending deletion to Disabled. To use the CMK, you must enable it (p. 58).
Scheduling and canceling key deletion (AWS CLI)

Use the aws kms schedule-key-deletion command to schedule key deletion from the AWS CLI, as shown in the following example. The parameter name is --pending-window-in-days.

$ aws kms schedule-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --pending-window-in-days 10

When the command is successful, the AWS CLI returns output like the following:

{
    "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "DeletionDate": 1598304792.0,
    "KeyState": "PendingDeletion",
    "PendingWindowInDays": 10
}

Use the aws kms cancel-key-deletion command to cancel key deletion from the AWS CLI, as shown in the following example.

$ aws kms cancel-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

When the command is successful, the AWS CLI returns output like the following:

{
    "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}

The status of the CMK changes from Pending Deletion to Disabled. To use the CMK, you must enable it (p. 58).
Scheduling and canceling key deletion (AWS SDK for Java)

The following example shows how to schedule key deletion with the AWS SDK for Java. It requires an AWSKMSClient object named kms.

// Replace the following example key ARN with a valid key ID or key ARN
String KeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
int PendingWindowInDays = 10;

ScheduleKeyDeletionRequest scheduleKeyDeletionRequest = new ScheduleKeyDeletionRequest()
    .withKeyId(KeyId)
    .withPendingWindowInDays(PendingWindowInDays);
kms.scheduleKeyDeletion(scheduleKeyDeletionRequest);

The following example shows how to cancel key deletion with the AWS SDK for Java. It also requires an AWSKMSClient object named kms.

// Replace the following example key ARN with a valid key ID or key ARN
String KeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

CancelKeyDeletionRequest cancelKeyDeletionRequest = new CancelKeyDeletionRequest().withKeyId(KeyId);
kms.cancelKeyDeletion(cancelKeyDeletionRequest);

The status of the CMK changes from Pending Deletion to Disabled. To use the CMK, you must enable it (p. 58).

Adding permission to schedule and cancel key deletion

If you use IAM policies to allow AWS KMS permissions, all IAM users and roles that have AWS administrator permissions ("Action": "*") or AWS KMS full access ("Action": "kms:*") are already allowed to schedule and cancel key deletion. If you use the key policy to allow AWS KMS permissions, you might need to add permission to schedule and cancel key deletion: the key administrators statement of the default key policy includes kms:ScheduleKeyDeletion and kms:CancelKeyDeletion only if you opt in when you create the CMK.

Adding permission to schedule and cancel key deletion (console)

To add permission in the AWS Management Console:

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys.
4. Choose the alias or key ID of the CMK whose permissions you want to change.
5. Choose the Key policy tab. In the Key administrators section, select the check box for Allow key administrators to delete this key, and then choose Save changes.

Note
The Allow key administrators to delete this key check box adds the kms:ScheduleKeyDeletion and kms:CancelKeyDeletion permissions to the key administrators statement ("Sid": "Allow access for Key Administrators") of the default key policy. If the key policy has been edited so that it no longer contains that statement, the check box is not available; add the permissions by editing the policy document instead, as in the AWS CLI procedure that follows.

Adding permission to schedule and cancel key deletion (AWS CLI)

Use the AWS Command Line Interface to add the permissions:

1. Use the aws kms get-key-policy command to retrieve the existing key policy, and save the policy document to a file.
2. Open the policy document in your preferred text editor. In the policy statement for key administrators (the one with "Sid": "Allow access for Key Administrators"), add the two actions kms:ScheduleKeyDeletion and kms:CancelKeyDeletion, as in the following example. To remove the permissions later, delete the same two actions from that statement.

{
  "Sid": "Allow access for Key Administrators",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSKeyAdmin"},
  "Action": [
    "kms:Create*",
    "kms:Describe*",
    "kms:Enable*",
    "kms:List*",
    "kms:Put*",
    "kms:Update*",
    "kms:Revoke*",
    "kms:Disable*",
    "kms:Get*",
    "kms:Delete*",
    "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion"
  ],
  "Resource": "*"
}

Note that kms:Delete* in this statement does not cover ScheduleKeyDeletion or CancelKeyDeletion (it matches DeleteAlias, DeleteImportedKeyMaterial, and DeleteCustomKeyStore); the two deletion actions must be listed explicitly or matched by a broader wildcard such as kms:*.

3. Use the aws kms put-key-policy command to apply the updated key policy to the CMK.
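Before you run put-key-policy you can apply and verify the change offline. The following Python is an added example, not code from the guide: it edits the Key Administrators statement of a policy document exactly as the console check box does, and then reports which Allow statements actually match kms:ScheduleKeyDeletion, wildcards included, using IAM's case-insensitive matching. That second check is the caveat: kms:Delete* does not match ScheduleKeyDeletion, but the root account statement of the default key policy (kms:*) does, so removing the two explicit actions from the administrators' statement does not withdraw the permission from every principal. The sample policy is constructed after the default key policy; statements with a Condition and Deny statements are skipped rather than evaluated.

```python
"""Add or remove key-deletion permissions in a KMS key policy and check who still holds them."""
import fnmatch
import json

DELETION_ACTIONS = ("kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion")
ADMIN_SID = "Allow access for Key Administrators"

# Constructed sample modelled on the default key policy (root statement + key administrators).
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": ADMIN_SID, "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSKeyAdmin"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def set_deletion_permissions(policy_json, allow, sid=ADMIN_SID):
    """Return a new policy document with kms:ScheduleKeyDeletion and
    kms:CancelKeyDeletion added to (allow=True) or removed from (allow=False)
    the statement identified by sid; the console check box does the same."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Sid") != sid:
            continue
        actions = _as_list(stmt.get("Action", []))
        if allow:
            for action in DELETION_ACTIONS:
                if not any(action_matches(p, action) for p in actions):
                    actions.append(action)
        else:
            # Only explicit entries are removed; wildcards show up in statements_allowing().
            lowered = {a.lower() for a in DELETION_ACTIONS}
            actions = [p for p in actions if p.lower() not in lowered]
        stmt["Action"] = actions
        return json.dumps(policy, indent=2)
    raise ValueError(f"no statement with Sid {sid!r}; edit the policy by hand")


def statements_allowing(policy_json, action):
    """Sids of unconditional Allow statements whose Action matches `action`,
    wildcards included. Statements with a Condition, and Deny statements,
    are skipped here rather than evaluated."""
    policy = json.loads(policy_json)
    hits = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    print("before:", statements_allowing(SAMPLE_KEY_POLICY, "kms:ScheduleKeyDeletion"))
    updated = set_deletion_permissions(SAMPLE_KEY_POLICY, allow=True)
    print("after: ", statements_allowing(updated, "kms:ScheduleKeyDeletion"))
```

Run against the sample, the root statement matches before and after the edit; the administrators' statement matches only after allow=True. Pass the output of aws kms get-key-policy --output text as policy_json to check a real CMK.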
Creating an Amazon CloudWatch alarm that detects use of a CMK that is pending deletion

You can combine AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you when someone tries to use a CMK that is pending deletion. If you receive this notification, you might want to cancel the deletion and reconsider your decision to delete the CMK.

When a cryptographic operation (Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, or ReEncrypt) is attempted on a CMK that is pending deletion, AWS KMS rejects the request and writes a CloudTrail log entry whose error message says that the key ARN is pending deletion. Management operations such as ListKeys, CancelKeyDeletion, and PutKeyPolicy are still allowed on such a CMK; for the full list, see Key state: effect on your CMK (p. 288).

The following procedure explains how to receive an email notification whenever an AWS KMS API request attempts to use a CMK that is pending deletion. It requires a CloudTrail trail (p. 296) that delivers to CloudWatch Logs, and uses the Amazon CloudWatch console. To receive the notification by other means, change the Amazon SNS subscription.

Warning
The Amazon CloudWatch alarm cannot detect every use of a CMK. For example, an AWS service that holds a plaintext data key generated under the CMK keeps using it without calling AWS KMS; see How unusable CMKs affect data keys (p. 394).

Topics
· Requirements for a CloudWatch alarm (p. 400)
· Creating the CloudWatch alarm (p. 400)

Requirements for a CloudWatch alarm

Before you create a CloudWatch alarm, you must create an AWS CloudTrail trail and configure CloudTrail to deliver log files to CloudWatch Logs:

1. Create a CloudTrail trail.
   CloudTrail records every AWS KMS API request in your AWS account, so you have a record of every attempt to use a CMK.
2. Configure CloudTrail to deliver log files to CloudWatch Logs.
   CloudWatch Logs can then scan the AWS KMS API requests for the error message that marks an attempt to use a CMK that is pending deletion.

Creating the CloudWatch alarm

To create an alarm that detects AWS KMS API requests that attempt to use a CMK that is pending deletion, use the Amazon CloudWatch console:

1. Sign in to the AWS Management Console and open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
2. If necessary, change the AWS Region. From the navigation bar, select the Region where the CloudTrail log group is.
3. In the navigation pane, choose Logs.
4. Select the check box next to the CloudTrail log group, and then choose Create Metric Filter.
5. For Filter Pattern, type the following, and then choose Assign Metric:

{ $.eventSource = kms* && $.errorMessage = "* is pending deletion."}

6. On the Create Metric Filter and Assign a Metric page:
   a. For Metric Namespace, type CloudTrailLogMetrics.
   b. For Metric Name, type KMSKeyPendingDeletionErrorCount.
   c. Choose Show advanced metric settings, and then for Metric Value, type 1 if necessary.
   d. Choose Create Filter.
7. In the filter box, choose Create Alarm.
8. In the Create Alarm window:
   a. For Name, type KMSKeyPendingDeletionErrorAlarm.
   b. Following Whenever:, for is:, choose >= and then type 1.
   c. For 1 out of n datapoints, type 1 if necessary, so that a single failed request raises the alarm.
   d. For Send notification to:, do one of the following:
      · To use a new Amazon SNS topic, choose New list and type a topic name (for example, KMSAlert). For Email list, type the email address where you want to receive the notification. You can enter more than one address, separated by commas.
      · To use an existing Amazon SNS topic, choose the name of the topic.
   e. Choose Create Alarm.
9. If you chose to send notifications to an email address, open the email message you receive from no-reply@sns.amazonaws.com with the subject "AWS Notification - Subscription Confirmation", and choose Confirm subscription.

Note
You do not receive alarm notifications until you confirm the subscription.

If the alarm enters the ALARM state, someone attempted to use a CMK that is pending deletion. You can then decide whether to cancel the scheduled deletion and recover the CMK (p. 395).
 
Determining past usage of a customer master key

Before deleting a customer master key (CMK), you might want to know how many ciphertexts were encrypted under that CMK. AWS KMS does not store this information and does not store any of the ciphertexts, so the question is hard to answer precisely. Knowing how a CMK was used in the past might still help you decide whether you will need it in the future.

Warning
The strategies in this section cannot detect every use of a CMK. For example, an AWS service can keep using a plaintext data key that it decrypted earlier without calling AWS KMS again; see How unusable CMKs affect data keys (p. 394).

Topics
· Examining CMK permissions to determine the scope of potential usage (p. 402)
· Examining AWS CloudTrail logs to determine actual usage (p. 402)

Examining CMK permissions to determine the scope of potential usage

Determining who or what currently has access to a customer master key (CMK) might help you determine how widely the CMK was used and whether it is still needed. To learn how to determine who or what currently has access to a CMK, go to Determining access to an AWS KMS customer master key (p. 212).

Examining AWS CloudTrail logs to determine actual usage

Each use of a CMK should show up in your CloudTrail logs. You can examine the log data to identify CMK usage in your account.

All AWS KMS API activity is recorded in AWS CloudTrail log files. If you have created a CloudTrail trail in the Region where your CMK is located, you can examine your CloudTrail log files to view a history of all AWS KMS API activity for a particular CMK, and thus its usage history. For more information, see Logging AWS KMS API calls with AWS CloudTrail (p. 296).

The following examples show CloudTrail log entries that are generated when a CMK is used to protect an object stored in Amazon Simple Storage Service (Amazon S3). In this example, the object is uploaded to Amazon S3 using server-side encryption with AWS KMS managed keys (SSE-KMS) (p. 509). When you upload an object to Amazon S3 with SSE-KMS, you specify the CMK to use to protect the object. Amazon S3 uses the AWS KMS GenerateDataKey API to request a unique data key for the object, and this event is recorded in CloudTrail with an entry similar to the following:

{
  "eventVersion": "1.02",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROACKCEVSQ6C2EXAMPLE:example-user",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admins/example-user",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2015-09-10T23:12:48Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/Admins",
        "accountId": "111122223333",
        "userName": "Admins"
      }
    },
    "invokedBy": "internal.amazonaws.com"
  },
  "eventTime": "2015-09-10T23:58:18Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "internal.amazonaws.com",
  "userAgent": "internal.amazonaws.com",
  "requestParameters": {
    "encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example_bucket/example_object"},
    "keySpec": "AES_256",
    "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "responseElements": null,
  "requestID": "cea04450-5817-11e5-85aa-97ce46071236",
  "eventID": "80721262-21a5-49b9-8b63-28740e7ce9c9",
  "readOnly": true,
  "resources": [{
    "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "accountId": "111122223333"
  }],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

When you later download this object from Amazon S3, Amazon S3 sends a Decrypt request to AWS KMS to decrypt the object's data key using the specified CMK. When you do this, your CloudTrail log files include an entry similar to the following:

{
  "eventVersion": "1.02",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROACKCEVSQ6C2EXAMPLE:example-user",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admins/example-user",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2015-09-10T23:12:48Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/Admins",
        "accountId": "111122223333",
        "userName": "Admins"
      }
    },
    "invokedBy": "internal.amazonaws.com"
  },
  "eventTime": "2015-09-10T23:58:39Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "internal.amazonaws.com",
  "userAgent": "internal.amazonaws.com",
  "requestParameters": {
    "encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example_bucket/example_object"}
  },
  "responseElements": null,
  "requestID": "db750745-5817-11e5-93a6-5b87e27d91a0",
  "eventID": "ae551b19-8a09-4cfc-a249-205ddba330e3",
  "readOnly": true,
  "resources": [{
    "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "accountId": "111122223333"
  }],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

Note that the Decrypt request does not carry a keyId in its requestParameters; AWS KMS derives the CMK from the ciphertext. To attribute the call to a CMK, use the resources element of the entry, which names the key ARN in both cases.

All AWS KMS API activity is recorded in CloudTrail log files. With this information you can determine which CMKs were used, the principals and services that used them, and the encryption contexts involved, which helps you decide whether a CMK is still needed.

For more information about AWS KMS entries in CloudTrail, see Logging AWS KMS API calls with AWS CloudTrail (p. 296). To learn more about CloudTrail, see the AWS CloudTrail User Guide.
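The following Python is an added example, not code from the guide, covering both the CloudWatch metric filter earlier in this chapter and the CloudTrail review described here. It applies the same predicate as the filter pattern { $.eventSource = kms* && $.errorMessage = "* is pending deletion."} to CloudTrail records, and summarizes, for one key ARN, which cryptographic operations succeeded, which principals made them, which encryption contexts were seen, and how many calls failed because the key was pending deletion. The first two records are the two S3 entries printed above, trimmed to the fields the code reads; the third is a constructed failed Decrypt (its errorCode and errorMessage field names are the standard CloudTrail ones, and the message text is the one the filter pattern matches). load_cloudtrail_file reads the Records wrapper that CloudTrail log files use.

```python
"""Review CloudTrail records for one KMS key: cryptographic use and pending-deletion errors."""
import fnmatch
import json
from collections import Counter

KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Cryptographic operations that a key pending deletion refuses.
CRYPTO_OPS = {"Encrypt", "Decrypt", "GenerateDataKey",
              "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}

# Sample records: the two S3 (SSE-KMS) entries from the text, trimmed, plus a
# constructed failure logged after the key was scheduled for deletion.
SAMPLE_RECORDS = [
    {"eventTime": "2015-09-10T23:58:18Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admins/example-user",
                      "invokedBy": "internal.amazonaws.com"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example_bucket/example_object"},
                           "keySpec": "AES_256", "keyId": KEY_ARN},
     "resources": [{"ARN": KEY_ARN, "accountId": "111122223333"}]},
    {"eventTime": "2015-09-10T23:58:39Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admins/example-user",
                      "invokedBy": "internal.amazonaws.com"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example_bucket/example_object"}},
     "resources": [{"ARN": KEY_ARN, "accountId": "111122223333"}]},
    {"eventTime": "2015-09-12T08:01:02Z", "eventSource": "kms.amazonaws.com",  # constructed
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"},
     "requestParameters": {"encryptionContext": {"app": "billing"}},
     "errorCode": "KMSInvalidStateException",
     "errorMessage": KEY_ARN + " is pending deletion.",
     "resources": [{"ARN": KEY_ARN, "accountId": "111122223333"}]},
]


def matches_pending_deletion_filter(record):
    """Same predicate as the CloudWatch Logs metric filter
    { $.eventSource = kms* && $.errorMessage = "* is pending deletion." }."""
    return (fnmatch.fnmatchcase(record.get("eventSource", ""), "kms*")
            and fnmatch.fnmatchcase(record.get("errorMessage", ""), "* is pending deletion."))


def key_arns_in(record):
    """Key ARNs a record touches: the resources list plus requestParameters.keyId.
    Decrypt carries no keyId, so the resources list is the reliable field."""
    arns = {r.get("ARN") for r in record.get("resources", []) if r.get("ARN")}
    key_id = (record.get("requestParameters") or {}).get("keyId")
    if key_id:
        arns.add(key_id)
    return arns


def summarize_key_usage(records, key_arn):
    """For one key: successful cryptographic calls per operation, the principals
    that made them, encryption contexts seen, and pending-deletion failures."""
    summary = {"operations": Counter(), "principals": set(),
               "encryption_contexts": [], "pending_deletion_errors": 0}
    for rec in records:
        if key_arn not in key_arns_in(rec):
            continue
        if matches_pending_deletion_filter(rec):
            summary["pending_deletion_errors"] += 1
            continue
        if rec.get("errorCode"):
            continue  # other failures (AccessDenied etc.) are not evidence of use
        if rec.get("eventName") in CRYPTO_OPS:
            summary["operations"][rec["eventName"]] += 1
            summary["principals"].add(rec.get("userIdentity", {}).get("arn", "<unknown>"))
            ctx = (rec.get("requestParameters") or {}).get("encryptionContext")
            if ctx and ctx not in summary["encryption_contexts"]:
                summary["encryption_contexts"].append(ctx)
    return summary


def load_cloudtrail_file(text):
    """CloudTrail log files are JSON objects with a top-level "Records" list."""
    return json.loads(text)["Records"]


if __name__ == "__main__":
    s = summarize_key_usage(SAMPLE_RECORDS, KEY_ARN)
    print(dict(s["operations"]), sorted(s["principals"]), s["pending_deletion_errors"])
```

On the sample, the key shows one GenerateDataKey and one Decrypt by the Admins role (invoked by Amazon S3), one S3 encryption context, and one pending-deletion failure, which is the event the CloudWatch alarm would have raised.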

Importing key material in AWS Key Management Service (AWS KMS)

A customer master key (CMK) (p. 3) is a logical representation of a master key. In addition to the CMK's identifiers and other metadata (p. 13), a CMK contains the key material (p. 21) used to encrypt and decrypt data. When you create a CMK, by default AWS KMS generates the key material for that CMK. But you can create a CMK without key material and then import your own key material into that CMK, a feature often known as "bring your own key" (BYOK).

Note
AWS KMS does not support decrypting any AWS KMS ciphertext outside of AWS KMS, even if the ciphertext was encrypted under a CMK with imported key material. AWS KMS does not publish the ciphertext format that it uses, and the format might change without notice. For details, see Ciphertext incompatibility under About imported key material (p. 405).

Imported key material is supported only for symmetric CMKs in AWS KMS key stores. It is not supported on asymmetric CMKs (p. 232) or on CMKs in custom key stores (p. 421).

Why import key material? Imported key material gives you more control, and more responsibility:
· You can prove that the key material was generated with a source of entropy that meets your requirements, and use it with AWS services as well as in your own infrastructure.
· You can set an expiration time for the key material (p. 418) and delete it at any time, which makes the CMK unusable immediately; scheduling deletion of the CMK itself (p. 393) requires a 7 to 30 day waiting period.
· You keep the original copy of the key material outside AWS, so you can reimport it if it is deleted or expires; AWS KMS cannot regenerate it for you.

When you import key material, you are responsible for the key material while it is in transit and at rest outside AWS KMS. Before importing, review the characteristics described in About imported key material (p. 406).


About imported key material

Before you decide to import key material into AWS KMS, understand the following characteristics of imported key material.

Topics
· Secure key material (p. 406)
· Permanence (p. 407)
· One CMK, one key material (p. 408)
· Ciphertext incompatibility (p. 408)
· Permissions for importing key material (p. 409)

Secure key material

The key material that you import must be a 256-bit symmetric key. AWS KMS protects the key material in transit with a wrapping key pair: you encrypt the key material with an RSA public key that AWS KMS provides, and only the HSMs in AWS KMS can decrypt it. Inside AWS KMS, imported key material is protected the same way as key material that AWS KMS generates; for details, see the AWS Key Management Service Cryptographic Details whitepaper.

Permanence

The key material that you import is associated permanently with the CMK. Imported key material can expire (p. 408) or be deleted, and you can delete the CMK (p. 283), but you cannot change the key material. When you reimport key material, you must import the same key material that was originally imported; see Reimporting key material (p. 286).

One CMK, one key material

AWS KMS can generate the key material for a CMK, or you can import it, but a CMK has only one key material, and it never changes. Because the key material of a CMK with imported key material cannot be changed, automatic key rotation (p. 244) is not supported for such CMKs. To rotate the key, create a new CMK and point the alias at it; see Manual key rotation (p. 271).

Ciphertext incompatibility

AWS KMS does not support decrypting any AWS KMS ciphertext outside of AWS KMS, even if the ciphertext was encrypted under a CMK with imported key material. AWS KMS does not publish the ciphertext format that it uses, and the format might change without notice.

Consequently, ciphertext produced by AWS services, by the AWS Encryption SDK, or by Amazon S3 with SSE-KMS cannot be decrypted with the raw key material outside AWS KMS, and ciphertext that you produce outside AWS KMS with the same key material cannot be decrypted by AWS KMS.

Beyond these characteristics, note the following limits of CMKs with imported key material:

· AWS KMS cannot regenerate the key material. If the imported key material is deleted or expires, you must reimport the same key material to make the CMK usable again.
· Expiration (p. 418). You can set the key material to expire at a given time. When it expires, AWS KMS deletes it and the CMK becomes unusable until you reimport the key material. You can also schedule deletion of the CMK (p. 393), which takes a 7 to 30 day waiting period.
· No automatic rotation. AWS KMS does not rotate CMKs with imported key material automatically; rotate them manually.

Permissions for importing key material

To create and manage CMKs with imported key material, a principal needs permission for the operations in this process: kms:GetParametersForImport, kms:ImportKeyMaterial, and kms:DeleteImportedKeyMaterial. The kms:ImportKeyMaterial permission is the one that actually places key material in a CMK, so grant it carefully.

You can restrict these permissions with condition keys:

· kms:CreateKey (p. 111), granted in an IAM policy, with the kms:KeyOrigin (p. 181) condition key set to EXTERNAL, allows a principal to create only CMKs with no key material (CMKs that require imported key material), or, with a Deny statement, prevents it. For example:

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "IAM policy to create CMKs with no key material",
    "Effect": "Allow",
    "Resource": "*",
    "Principal": { "AWS": "arn:aws:iam::111122223333:role/KMSAdminRole" },
    "Action": "kms:CreateKey",
    "Condition": {
      "StringEquals": {
        "kms:KeyOrigin": "EXTERNAL"
      }
    }
  }
}

Because CreateKey is not bound to a CMK, it can be granted only in an IAM identity-based policy; such a policy has no Principal element, so omit the Principal shown above when you attach this statement to a user or role.

· kms:GetParametersForImport, in an IAM policy or key policy, with the kms:WrappingAlgorithm (p. 195) and kms:WrappingKeySpec (p. 196) condition keys, requires particular values in the request.
· kms:ImportKeyMaterial, in an IAM policy or key policy, with the kms:ExpirationModel (p. 177) and kms:ValidTo (p. 190) condition keys, requires that imported key material expire (or not expire) and limits the expiration date.
· kms:DeleteImportedKeyMaterial is required to delete imported key material from a CMK.


How to import key material

To import key material into AWS KMS:

1. Create a CMK with no key material (p. 410). Set the Origin of the CMK to EXTERNAL, which tells AWS KMS to expect imported key material and prevents AWS KMS from generating key material for the CMK. The key state of the CMK is Pending import until you import key material.
2. Download the wrapping public key and import token (p. 412). After completing step 1, download a public key (the wrapping key) and an import token from AWS KMS. The public key protects the key material in transit; the import token ties the import to the CMK and to the wrapping key.
3. Encrypt the key material (p. 416). Use the public key that you downloaded in step 2 to encrypt the key material that you generated on your own system.
4. Import the key material (p. 417). Upload the encrypted key material from step 3 together with the import token from step 2.

AWS KMS records the related operations in AWS CloudTrail: CreateKey (p. 301), GetParametersForImport (p. 315), and ImportKeyMaterial (p. 316). It also records DeleteImportedKeyMaterial (p. 304).

Reimporting key material

When you import key material, you can specify an expiration date. When the key material expires, AWS KMS deletes it and the CMK becomes unusable. You can also delete imported key material on demand (p. 418). In both cases the effect is immediate: the CMK returns to the Pending import state and cannot be used in any cryptographic operation until you reimport the same key material (p. 408).

· To make the CMK usable again, reimport the same key material into the same CMK, starting with a new wrapping key and import token (step 1 of the procedure is already done; p. 410).
· To delete imported key material, see Deleting imported key material (p. 418).
· To get a new wrapping key and import token, see Step 2 (p. 412).


Identifying CMKs with imported key material

When you create a CMK with no key material, the Origin of the CMK is EXTERNAL, and it cannot be changed. You can use the AWS Management Console or the AWS KMS API to identify CMKs that require imported key material.

To identify a CMK with imported key material (console)

1. Open the AWS KMS console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. Use either of the following methods to view the Origin of the CMK:
   · To add an Origin column to the table of CMKs, choose the settings icon in the upper-right corner of the page, select Origin, and choose Confirm. The Origin column shows EXTERNAL for CMKs with imported key material.
   · To see the Origin of one CMK, choose the alias or key ID of the CMK and then choose the Cryptographic configuration tab.
4. A CMK that requires imported key material has the key state Pending import until key material is imported.

To identify a CMK with imported key material (AWS KMS API)

Use the DescribeKey operation. In the response, the Origin of a CMK with imported key material is EXTERNAL. For example, the following describe-key output shows a CMK with imported key material whose key material is set to expire (ExpirationModel is KEY_MATERIAL_EXPIRES) and that currently has no key material (KeyState is PendingImport):

$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "KeyMetadata": {
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Origin": "EXTERNAL",
        "ExpirationModel": "KEY_MATERIAL_EXPIRES",
        "ValidTo": 1568894400.0,
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "AWSAccountId": "111122223333",
        "CreationDate": 1568289600.0,
        "Enabled": false,
        "MultiRegion": false,
        "Description": "",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "PendingImport",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
Step 1: Create a CMK with no key material

By default, AWS KMS creates key material for you when you create a customer master key (CMK). To instead import your own key material, start by creating a CMK with no key material. You distinguish the two kinds of CMK by the Origin property: when AWS KMS creates the key material, Origin is AWS_KMS; when you create a CMK with no key material, Origin is EXTERNAL, and it cannot be changed.

A CMK with no key material is in the Pending import key state and cannot be used in any cryptographic operation until you import key material. For more information, see Key state: effect on your CMK (p. 288).

To create a CMK with no key material, use the AWS Management Console or the CreateKey operation of the AWS KMS API. You can use the API directly by making HTTP requests, or through one of the AWS SDKs, the AWS Command Line Interface, or the AWS Tools for PowerShell.

AWS KMS records an entry in your AWS CloudTrail log when you create the CMK, when you download the public key and import token, and when you import the key material.

· Create a CMK with no key material (console) (p. 410)
· Create a CMK with no key material (AWS KMS API) (p. 412)

To create a multi-Region primary key with imported key material, see Creating multi-Region keys (p. 270).

Create a CMK with no key material (console)

You can use the AWS Management Console to create a CMK with no key material. Before you do this, you can configure the console to display the Origin column in the table of CMKs, as described under Identifying CMKs with imported key material.

Creating a CMK with no key material is step 1 of importing key material. When you finish, continue with Step 2: Download the public key and import token (p. 412).

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys.
4. Choose Create key.
5. For Key type, choose Symmetric. Imported key material is not supported on asymmetric CMKs.
6. Choose Advanced options.
7. For Key material origin, choose External.
8. Select the check box next to I understand the security, availability, and durability implications of using an imported key; see About imported key material (p. 406). For a multi-Region key, choose the appropriate option (p. 270).
9. Choose Next.
10. Type an alias and, optionally, a description for the CMK.
11. (Optional) Add tags that identify or categorize the CMK. Then choose Next.
12. In the Key administrators section, select the IAM users and roles that can administer the CMK (p. 88).

Note
IAM policies can give other IAM users and roles permission to manage the CMK.

13. (Optional) To prevent the selected key administrators from deleting this CMK, clear the check box for Allow key administrators to delete this key. Then choose Next.
14. In the Key users section, select the IAM users and roles that can use the CMK in cryptographic operations (p. 12, p. 90). Then choose Next.

Note
IAM policies can give other IAM users and roles permission to use the CMK.

15. (Optional) To allow other AWS accounts to use this CMK, in the Other AWS accounts section, choose Add another AWS account and enter the account ID. For more information, see Allowing users in other accounts to use a CMK (p. 120).

Note
Administrators of the other accounts must also use IAM policies to allow their principals to use the CMK.

16. Choose Next.
17. Review the key settings that you chose, and then choose Finish.

When you choose Finish, the CMK is created with no key material and its key state is Pending import. The console then opens the Download wrapping key and import token page (p. 414), which is Step 2: Download the public key and import token (p. 412).

Create a CMK with no key material (AWS KMS API)

To use the AWS KMS API to create a symmetric CMK with no key material, send a CreateKey request with the Origin parameter set to EXTERNAL. The following example shows how to do this with the AWS Command Line Interface (AWS CLI).

$ aws kms create-key --origin EXTERNAL

When the command is successful, you see output similar to the following. The Origin of the CMK is EXTERNAL and its KeyState is PendingImport.

{
    "KeyMetadata": {
        "Origin": "EXTERNAL",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Description": "",
        "Enabled": false,
        "MultiRegion": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "PendingImport",
        "CreationDate": 1568289600.0,
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "AWSAccountId": "111122223333",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}

Copy the KeyId value from your output to use in later steps, and then proceed to Step 2: Download the public key and import token (p. 412).
Step 2: Download the public key and import token

After you create a customer master key (CMK) with no key material (p. 410), download a public key and an import token for that CMK by using the AWS Management Console or the AWS KMS API. The public key and import token are a set: the import token is valid only with the public key it was issued with.

Both items protect the import of your key material to AWS KMS:

· Public key. Your raw key material must be encrypted before you import it. A 2048-bit RSA public key from AWS KMS wraps (encrypts) the key material in transit, so that only the HSMs in AWS KMS, which hold the corresponding private key, can decrypt it. The private key never leaves AWS KMS.
· Wrapping algorithm. You specify the wrapping algorithm when you download the public key, and you must use the same algorithm to encrypt the key material. The hardware security modules (HSMs) in AWS KMS support three RSA encryption schemes defined in PKCS #1 v2.1 (RFC 3447) for wrapping key material:
  · RSAES_OAEP_SHA_256 -- RSA encryption with OAEP padding using SHA-256 (and MGF1 with SHA-256).
  · RSAES_OAEP_SHA_1 -- RSA encryption with OAEP padding using SHA-1 (and MGF1 with SHA-1).
  · RSAES_PKCS1_V1_5 -- RSA encryption with PKCS #1 v1.5 padding.

Note
If you plan to encrypt the key material with the OpenSSL command shown in Step 3 (p. 416), choose RSAES_OAEP_SHA_1: openssl rsautl -oaep implements OAEP with SHA-1 only.

Use an OAEP scheme (RSAES_OAEP_SHA_256 or RSAES_OAEP_SHA_1) whenever your HSM or key-generation tool supports it; use RSAES_PKCS1_V1_5 only when the tool supports no other scheme.

· Import token. The import token contains metadata that ensures your key material is imported correctly into the right CMK. When you upload the encrypted key material to AWS KMS, you must upload the same import token that you downloaded in this step.

The public key and import token are valid for 24 hours. If you don't use them within 24 hours of downloading them, download a new set.

To download the public key and import token, use the AWS Management Console or the GetParametersForImport operation of the AWS KMS API, directly with HTTP requests, or through one of the AWS SDKs, the AWS Command Line Interface, or the AWS Tools for PowerShell.

When you download the public key and import token, AWS KMS records a GetParametersForImport entry (p. 315) in your AWS CloudTrail log.

Topics
· Download the public key and import token (console) (p. 414)
· Download the public key and import token (AWS KMS API) (p. 415)


Download the public key and import token (console)

You can use the AWS Management Console to download the public key and import token.

1. If you just completed the steps to create a CMK with no key material (p. 410) and you are on the Download wrapping key and import token page, skip to Step 8.
2. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
3. To change the AWS Region, use the Region selector in the upper-right corner of the page.
4. In the navigation pane, choose Customer managed keys.

Tip
You can import key material only into a CMK whose Origin is EXTERNAL. To see only those CMKs, add the Origin column to the table and filter on EXTERNAL (see Identifying CMKs with imported key material).

5. Choose the alias or key ID of the CMK that is pending import.
6. Choose the Cryptographic configuration tab and view its values. The tabs are below the General configuration section.

You can import key material only into symmetric CMKs whose Origin is External. For information about creating such CMKs, see Importing key material in AWS Key Management Service (AWS KMS) (p. 405).

7. Choose the Key material tab, and then choose Download wrapping key and import token.

The Key material tab appears only for symmetric CMKs whose Origin is EXTERNAL.

8. For Select wrapping algorithm, choose the option that you will use to encrypt your key material (p. 413).

If you will use the OpenSSL command from Step 3 (p. 416) to encrypt the key material, choose RSAES_OAEP_SHA_1.

9. Choose Download wrapping key and import token, and then save the file.

If you have a Next option, to continue the process now, choose Next. To continue later, choose Cancel (or the X).

10. Decompress the .zip file that you saved in the previous step (ImportParameters.zip).

The folder contains the following files:

· A wrapping key (public key) in a file named wrappingKey_CMK_key_ID_timestamp (for example, wrappingKey_f44c4e20-f83c-48f4-adc6-a1ef38829760_0809092909). This is a 2048-bit RSA public key.
· An import token in a file named importToken_CMK_key_ID_timestamp (for example, importToken_f44c4e20-f83c-48f4-adc6-a1ef38829760_0809092909).
· A text file named README_CMK_key_ID_timestamp.txt (for example, README_f44c4e20-f83c-48f4-adc6-a1ef38829760_0809092909.txt). This file contains information about the wrapping key (public key), the wrapping algorithm to use to encrypt your key material, and the date and time that the wrapping key (public key) and import token expire.

11. To continue the process, see Step 3: Encrypt the key material (p. 416).

Download the public key and import token (AWS KMS API)

To download the public key and import token, use the GetParametersForImport operation. Specify the CMK that will be associated with the imported key material. The following example uses the AWS CLI.

The example specifies the RSAES_OAEP_SHA_1 wrapping algorithm; you can also specify RSAES_OAEP_SHA_256 or RSAES_PKCS1_V1_5. Replace 1234abcd-12ab-34cd-56ef-1234567890ab with the key ID of the CMK. You can use the key ID or its Amazon Resource Name (ARN), but you cannot use an alias in this operation.

Note
If you will use the OpenSSL command from Step 3 (p. 416) to encrypt the key material, specify RSAES_OAEP_SHA_1.

$ aws kms get-parameters-for-import --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --wrapping-algorithm RSAES_OAEP_SHA_1 \
    --wrapping-key-spec RSA_2048

When the command is successful, you see output similar to the following:

{
    "ParametersValidTo": 1568290320.0,
    "PublicKey": "public key base64 encoded data",
    "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "ImportToken": "import token base64 encoded data"
}

The PublicKey and ImportToken values are base64 encoded. To use them in the following steps, decode them into binary files. You can use any base64 decoding tool; the following example uses OpenSSL.

1. Copy the base64 encoded public key (the value of the PublicKey field) and paste it into a new file named PublicKey.b64. Save the value of the ImportToken field the same way, in a file named ImportToken.b64.
2. Use OpenSSL to base64 decode the public key file (PublicKey.b64) and save the decoded data in a file named PublicKey.bin. Decode ImportToken.b64 into ImportToken.bin with the same command.

$ openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin

The decoded PublicKey.bin is a DER-encoded RSA public key (the format that the -keyform DER option in Step 3 expects). Proceed to Step 3: Encrypt the key material (p. 416).

Step 3: Encrypt the key material

After you download the public key and import token (p. 412), encrypt your key material with the public key that you downloaded, using the wrapping algorithm that you chose.

If you need to generate key material, you can use a hardware security module (HSM) or a key management system that meets your requirements, or OpenSSL as shown below. The key material must be a 256-bit symmetric key (32 bytes of raw key material).

Encrypt the key material with the public key from Step 2 (p. 412), using the wrapping algorithm that you specified when you downloaded it (RSAES_OAEP_SHA_256, RSAES_OAEP_SHA_1, or RSAES_PKCS1_V1_5), as described in PKCS #1.

Example: Encrypt key material with OpenSSL

The following example generates a 256-bit symmetric key with OpenSSL and encrypts it with the public key downloaded from AWS KMS.

Important
This example is a proof of concept, not a recommendation for production key generation. Generate and protect the key material in a system that you trust (for example, an HSM). The openssl rsautl -oaep command uses OAEP with SHA-1, so it works only when you specified the RSAES_OAEP_SHA_1 wrapping algorithm in Step 2 (p. 412). In OpenSSL 3.0 and later, rsautl is deprecated; openssl pkeyutl -encrypt with -pkeyopt rsa_padding_mode:oaep performs the same SHA-1 OAEP operation, and adding -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 produces RSAES_OAEP_SHA_256 instead.

1. Use the following command to generate a 256-bit symmetric key and save it in a file named PlaintextKeyMaterial.bin.

$ openssl rand -out PlaintextKeyMaterial.bin 32

2. Use the following command to encrypt the key material with the public key that you downloaded in Step 2 (p. 415) and save it in a file named EncryptedKeyMaterial.bin. Replace PublicKey.bin with the name of the file that contains the public key. If you downloaded the public key from the console, this file is named wrappingKey_CMK_key_ID_timestamp (for example, wrappingKey_f44c4e20-f83c-48f4-adc6-a1ef38829760_0809092909).

$ openssl rsautl -encrypt \
    -in PlaintextKeyMaterial.bin \
    -oaep \
    -inkey PublicKey.bin \
    -keyform DER \
    -pubin \
    -out EncryptedKeyMaterial.bin

Proceed to Step 4: Import the key material (p. 417).
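The following Python is an added example, not code from the guide or from AWS: it is what the openssl rsautl -oaep step does, written out so the wrapping transform can be inspected and tested offline. The block implements RSAES-OAEP from PKCS #1 v2.1 (RFC 3447) with an empty label and MGF1 over the same hash, which is exactly what the RSAES_OAEP_SHA_1 and RSAES_OAEP_SHA_256 wrapping algorithms name. Because the real wrapping key comes from AWS KMS (PublicKey.bin is a DER-encoded public key, which this code does not parse), the example generates a throwaway RSA key pair of its own so it can also unwrap and confirm the round trip; the private half stands in for what only AWS KMS holds. It is not a substitute for OpenSSL or an HSM in production. The point it makes is that the hash you pass to GetParametersForImport must match the one you wrap with: unwrapping a SHA-256 blob as SHA-1 fails.

```python
"""RSAES-OAEP (PKCS #1 v2.1) wrapping of 256-bit key material, in pure Python.

Same transform as the AWS KMS RSAES_OAEP_SHA_1 / RSAES_OAEP_SHA_256 wrapping
algorithms. The RSA key pair is a throwaway generated here for the demo; with
AWS KMS you wrap with the downloaded public key and never hold the private half.
"""
import hashlib
import math
import secrets


def _mgf1(seed, length, hash_name):
    """MGF1 (RFC 3447 B.2.1) with the same hash as OAEP, as the AWS KMS algorithms specify."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_wrap(key_material, n, e, hash_name="sha256"):
    """RSAES-OAEP-ENCRYPT with an empty label (for sha1, what `openssl rsautl -oaep` does)."""
    hlen = hashlib.new(hash_name).digest_size
    k = (n.bit_length() + 7) // 8
    if len(key_material) > k - 2 * hlen - 2:
        raise ValueError("key material too long for this modulus and hash")
    lhash = hashlib.new(hash_name, b"").digest()
    ps = b"\x00" * (k - len(key_material) - 2 * hlen - 2)
    db = lhash + ps + b"\x01" + key_material
    seed = secrets.token_bytes(hlen)  # fresh per wrap: OAEP is randomized
    masked_db = _xor(db, _mgf1(seed, k - hlen - 1, hash_name))
    masked_seed = _xor(seed, _mgf1(masked_db, hlen, hash_name))
    em = b"\x00" + masked_seed + masked_db
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def oaep_unwrap(wrapped, n, d, hash_name="sha256"):
    """RSAES-OAEP-DECRYPT: the side AWS KMS performs inside its HSMs."""
    hlen = hashlib.new(hash_name).digest_size
    k = (n.bit_length() + 7) // 8
    if len(wrapped) != k or k < 2 * hlen + 2:
        raise ValueError("decryption error")
    em = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(k, "big")
    masked_seed, masked_db = em[1:1 + hlen], em[1 + hlen:]
    seed = _xor(masked_seed, _mgf1(masked_db, hlen, hash_name))
    db = _xor(masked_db, _mgf1(seed, k - hlen - 1, hash_name))
    lhash, rest = db[:hlen], db[hlen:]
    sep = rest.find(b"\x01")
    # Demo only: a production decryptor must run these checks in constant time (Manger's attack).
    if em[0] != 0 or lhash != hashlib.new(hash_name, b"").digest() or sep < 0 or any(rest[:sep]):
        raise ValueError("decryption error")
    return rest[sep + 1:]


def _is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    r, s = 0, n - 1
    while s % 2 == 0:
        r, s = r + 1, s // 2
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, s, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length and odd
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa(bits=2048, e=65537):
    """Throwaway (n, e, d) for the demo; AWS KMS hands you an RSA_2048 public key instead."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


if __name__ == "__main__":
    n, e, d = generate_rsa()
    key_material = secrets.token_bytes(32)           # like `openssl rand 32`
    wrapped = oaep_wrap(key_material, n, e, "sha1")  # RSAES_OAEP_SHA_1
    assert oaep_unwrap(wrapped, n, d, "sha1") == key_material
    print(len(wrapped), "byte wrapped blob; round trip ok")
```

The wrapped blob is always exactly the modulus size (256 bytes for RSA_2048), which is the size of EncryptedKeyMaterial.bin that ImportKeyMaterial expects; the 32 bytes of key material fit because OAEP with SHA-256 leaves 2048/8 - 2*32 - 2 = 190 bytes of room. Each wrap produces a different ciphertext because OAEP draws a fresh seed.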

Step 4: Import the key material

After you encrypt your key material (p. 416), you can import it into the AWS KMS customer master key (CMK). To import key material, you upload the encrypted key material from Step 3 (p. 416) and the import token that you downloaded in Step 2 (p. 412). You must import the key material into the same CMK that you specified when you downloaded the public key and import token.

When you import key material, you can optionally specify a time at which the key material expires. When the key material expires, AWS KMS deletes it and the CMK becomes unusable. To use the CMK again, you must reimport the same key material.

After you successfully import the key material, the key state of the CMK changes to Enabled, and you can use it in cryptographic operations.

To import key material, use the AWS Management Console or the ImportKeyMaterial operation of the AWS KMS API, either directly with HTTP requests or through one of the AWS SDKs, the AWS Command Line Interface, or the AWS Tools for PowerShell.

When you import key material, AWS KMS records an ImportKeyMaterial entry (p. 316) in your AWS CloudTrail log.

Import key material (console)

You can use the AWS Management Console to import the key material.

1. If you just completed the steps to download the public key and import token (p. 414) and you are still on the Upload your wrapped key material page, skip to Step 8.
2. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
3. To change the AWS Region, use the Region selector in the upper-right corner of the page.
4. In the navigation pane, choose Customer managed keys.
5. Choose the alias or key ID of the CMK that is pending import.
6. Choose the Cryptographic configuration tab and view its values. You can import key material only into symmetric CMKs whose Origin is External. For information about creating such CMKs, see Importing key material in AWS Key Management Service (AWS KMS) (p. 405).
7. Choose the Key material tab, and then choose Upload key material. The Key material tab appears only for symmetric CMKs whose Origin is EXTERNAL.
8. In the Encrypted key material and import token section, under Wrapped key material, choose the file that contains your encrypted (wrapped) key material.
9. In the same section, under Import token, choose the file that contains the import token that you downloaded in Step 2 (p. 414).
10. In the Expiration option section, choose whether the key material expires. If it does, enter the expiration date and time.
11. Choose Upload key material.

Import key material (AWS KMS API)

To use the AWS KMS API to import key material, send an ImportKeyMaterial request. The following example shows how to do this with the AWS CLI.

The --expiration-model parameter is either KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE. With KEY_MATERIAL_EXPIRES, the --valid-to parameter sets the expiration date and time; with KEY_MATERIAL_DOES_NOT_EXPIRE, omit --valid-to.

To use this example:
1. Replace 1234abcd-12ab-34cd-56ef-1234567890ab with the key ID of the CMK. You can use the key ID or its ARN, but not an alias.
2. Replace EncryptedKeyMaterial.bin with the name of the file that contains the encrypted key material.
3. Replace ImportToken.bin with the name of the file that contains the import token.

$ aws kms import-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
    --import-token fileb://ImportToken.bin \
    --expiration-model KEY_MATERIAL_EXPIRES \
    --valid-to 2019-09-17T12:00:00-08:00

Deleting imported key material

When you import key material into a customer master key (CMK), you can delete it at any time. Deleting imported key material changes the key state of the CMK to Pending import (p. 288), and the CMK cannot be used in any cryptographic operation until you reimport the same key material.

Deleting key material is not the same as deleting the CMK. It takes effect immediately, and it is reversible: reimporting the same key material (p. 408) makes the CMK usable again. To delete the CMK itself, see Deleting customer master keys (p. 393); that involves a 7 to 30 day waiting period and is irreversible.

To delete key material, use the AWS Management Console or the DeleteImportedKeyMaterial operation of the AWS KMS API, directly with HTTP requests or through one of the AWS SDKs, the AWS Command Line Interface (AWS CLI), or the AWS Tools for PowerShell.

When you delete imported key material, AWS KMS records a DeleteImportedKeyMaterial entry (p. 304) in your AWS CloudTrail log.

Topics
· How deleting key material affects AWS services integrated with AWS KMS (p. 419)
· Delete key material (console) (p. 419)
· Delete key material (AWS KMS API) (p. 420)
How deleting key material affects AWS services integrated with AWS KMS

When you delete key material, the CMK that held it becomes unusable immediately (p. 5), but that is not immediately apparent in every AWS service that uses the CMK.

AWS services such as Amazon EBS and Amazon Redshift (p. 3) use the CMK to generate data keys (p. 5), which they then use to encrypt data outside AWS KMS; they keep the plaintext data key only in memory. The effect of deleting key material is therefore the same as that of any unusable CMK, shown here for an Amazon EBS volume:

1. You create an encrypted EBS volume and specify a CMK with imported key material. Amazon EBS asks AWS KMS to generate a data key under that CMK and stores the encrypted data key with the volume.
2. When you attach the EBS volume to an EC2 instance, Amazon EC2 asks AWS KMS to decrypt the encrypted data key with the CMK. Amazon EC2 keeps the plaintext data key in hypervisor memory and uses it for the volume's I/O.
3. You delete the imported key material from the CMK. Because Amazon EC2 already holds the plaintext data key, the attached volume keeps working; there is no immediate effect on the instance's I/O.
4. When the EBS volume is detached from the EC2 instance, Amazon EC2 discards the plaintext data key. The next time the volume is attached, Amazon EBS must ask AWS KMS to decrypt the encrypted data key, and that request fails because the CMK has no key material. The volume cannot be used until you reimport the key material into the CMK.

Delete key material (console)

You can use the AWS Management Console to delete key material.

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys.
4. Do one of the following:
   · Select the check box for the CMK with the key material that you want to delete. Choose Key actions, Delete key material.
   · Choose the alias or key ID of the CMK with the key material that you want to delete. Choose the Key material tab, and then choose Delete key material.
5. Confirm that you want to delete the key material, and then choose Delete key material. The key state of the CMK changes to Pending import (p. 288).

Delete key material (AWS KMS API)

To use the AWS KMS API to delete key material, send a DeleteImportedKeyMaterial request. The following example shows how to do this with the AWS CLI. Replace 1234abcd-12ab-34cd-56ef-1234567890ab with the key ID of the CMK whose key material you want to delete. You can use the key ID or its ARN, but not an alias.

$ aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

Using a custom key store

A custom key store (p. 423) is a key store backed by an AWS CloudHSM cluster that you own and manage. You can create customer master keys (CMKs) (p. 3) in a custom key store; AWS KMS generates their non-extractable key material in the hardware security modules (HSMs) of the associated AWS CloudHSM cluster, and it never leaves those HSMs unencrypted. When you use a CMK in a custom key store (p. 448), AWS KMS performs the cryptographic operation in the cluster's HSMs. From the point of view of your applications, the CMK works like any other CMK: you can use it with any AWS KMS API operation or AWS service that supports customer managed CMKs, and it is protected by the same key policies and IAM policies.

Why use a custom key store? AWS KMS already protects CMKs with FIPS 140-2 validated HSMs, and by default key material cannot be exported. You might still choose a custom key store if:
· your key material must be stored in HSMs that you own and control, validated at FIPS 140-2 Level 3;
· your compliance requirements demand that you be able to remove the key material from the key store yourself;
· you need an audit trail of all key material operations in the HSM that is independent of AWS KMS (the AWS CloudHSM logs).

Why not use a custom key store? Custom key stores are more work: you must manage, maintain, and pay for the AWS CloudHSM cluster, and the availability and durability of the CMKs depend on it. AWS KMS keeps no copy of the key material outside the cluster, so if the cluster and its backups are lost, the CMKs are unrecoverable. Before creating one, review Assumptions and restrictions (p. 424).

To set up and use a custom key store (p. 442):
1. Create an AWS CloudHSM cluster in the same AWS account and Region, with at least two active HSMs in different Availability Zones, and create a crypto user (CU) named kmsuser (p. 424) for AWS KMS.
2. Create the custom key store in AWS KMS and associate it with the cluster (p. 428), and then connect the custom key store to the cluster (p. 431).
3. While the custom key store is connected (p. 436), AWS KMS is logged in to the cluster as kmsuser.
4. Create CMKs in the custom key store (p. 442), and use them in cryptographic operations.
5. View, edit, disconnect, and delete custom key stores as needed (p. 453).

Unsupported features

AWS KMS does not support the following features in custom key stores:
· asymmetric CMKs (p. 231)
· asymmetric data key pairs (p. 7)
· imported key material (p. 405)
· automatic key rotation (p. 283)
· multi-Region keys (p. 244)
For more information about these limits, see Custom key store restrictions (p. 537).

Regions

AWS KMS custom key stores are available in all AWS Regions where both AWS KMS and AWS CloudHSM are supported. For the lists, see AWS Key Management Service and AWS CloudHSM in the Amazon Web Services General Reference.

Topics
· Custom key store concepts (p. 423)
· Controlling access to your custom key store (p. 425)
· Assumptions and restrictions (p. 428)
· Creating a custom key store (p. 431)
· Creating CMKs in a custom key store (p. 442)
· Managing a custom key store (p. 453)


AWS KMS 
 · AWS KMS  (p. 423) · AWS CloudHSM  (p. 424) · kmsuser Crypto User (p. 424) ·  CMK (p. 425)
AWS KMS 
 AWS KMS  AWS KMS  (CMK) FIPS 140-2 
 (HSM) CMK  
HSM FIPS 140-2  3 HSMAWS CloudHSM 
AWS KMS  AWS CloudHSM   AWS KMS CMK AWS KMS  AWS CloudHSM  256  AES (Advanced Encryption Standard)  HSM  CMK   HSM 
AWS KMS AWS CloudHSM AWS   HSM HSM  AWS KMS  CMK AWS KMS   API  CMK  AWS CloudHSM API 
 (p. 431) (p. 433),  (p. 436)AWS CloudHSM   (p. 440)  CMK   AWS KMS AWS CloudHSM 
AWS CloudHSM 
 AWS KMS 1  AWS CloudHSM   (CMK) AWS KMS   CMK  
 AWS CloudHSM 1    AWS   Region AWS KMS AWS KMS   CMK  2  HSM  1  HSM 
   1   AWS CloudHSM  HSM 
 AWS CloudHSM   (p. 436)  CMK  CMK   CMK  CMK  
kmsuser Crypto User
 AWS CloudHSM AWS KMS   AWS CloudHSM crypto user (CU) kmsuser kmsuser CU
 HSM  CU  
kmsuserCU (p. 428)AWS CloudHSM createUsercloudhsm_mgmt_util   (p. 428)kmsuser  AWS KMS   (p. 436)AWS KMS  kmsuser CU  
AWS KMS  kmsuser   CU kmsuser CU   (p. 452) kmsuser (p. 436)kmsuser  kmsuser  (p. 459)kmsuser  
kmsuser CU kmsuser Crypto User  (p. 428) 
 CMK
AWS Management Console  AWS KMS API   (p. 3) (CMK) AWS KMS CMK   AWS CloudHSM  
 CMK  (p. 442)AWS KMS  AWS KMS  CMK   256  AES (Advanced Encryption Standard)  AWS CloudHSM  AWS KMS  AES 
AWS KMS  CMK   ID DescribeKey  ID  AWS CloudHSM  ID 
 CMK AWS KMS  CMK  CMK  API   CMK CMK  IAM   CMK  CMK  AWS  (p. 475) CMK  (p. 283)  CMK  (p. 405) 
 CMK  (p. 453) AWS KMS  AWS KMS  CMK  AWS CloudHSM  CMK   (p. 457)

IAM AWS KMSAWS CloudHSM IAM  CMK  
 ·  (p. 426) · AWS KMSAWS CloudHSM Amazon EC2  (p. 426)
 
  
·  API   · cloudhsm:DescribeClusters · kms:CreateCustomKeyStore · kms:ConnectCustomKeyStore · kms:DisconnectCustomKeyStore · kms:UpdateCustomKeyStore · kms:DeleteCustomKeyStore · kms:DescribeCustomKeyStores · iam:CreateServiceLinkedRole
·  AWS CloudHSM  AWS CloudHSM  Amazon EC2  HSM  AWS CloudHSM()AWS CloudHSM
·  (CMK)   (p. 22) CMK AWS KMS CMK  (p. 86)AWS KMS  CMK   (p. 114)(ABAC)  CMK   CMK 
·  CMK CMK    (p. 448) ( KMS: Decrypt) IAM  CMK  
AWS KMSAWS CloudHSM  Amazon EC2 
AWS KMS  AWS CloudHSM   AWS CloudHSM   AWS KMSAWSservicerOLE AWS    iam:CreateServiceLinkedRole 
 · AWS KMS  (p. 255)
·  (p. 427) ·  (p. 427) ·  (p. 428)
AWS KMS 
A1  IAM AWSAWS  AWS IAM  
AWS KMSAWSservicerOLE AWS 
· cloudhsm:DescribeClusters · ec2:AuthorizeSecurityGroupIngress · ec2:CreateNetworkInterface · ec2:CreateSecurityGroup · ec2:DeleteSecurityGroup · ec2:DescribeSecurityGroups · ec2:RevokeSecurityGroupEgress
[AWSServiceRoleForKeyManagementServiceCustomKeyStores]  cks.kms.amazonaws.com AWS KMS  AWS KMS  AWS CloudHSM   AWS CloudHSM  AWS KMS AWS KMS AWS CloudHSM HSM 
Regions
AWSservicerOLE AWS  AWS KMSAWS CloudHSM  AWS  AWS Key Management Service AWS CloudHSM()Amazon Web Services  
AWS IAM 

AWS KMSAWSservicerOLE  AWS   

AWSServiceRoleForKeyManagementServiceCustomKeyStores   ()IAM  

AWS KMSAWSservicerOLE  AWS   (p. 440) AWS KMS   AWSServiceRoleForKeyManagementServiceCustomKeyStores 

 1  (p. 423) 1 AWS CloudHSM AWS    (p. 428)  (p. 436)AWS CloudHSM
Tip
   (p. 436) (p. 432) (p. 436) 
 ·  (p. 428) ·  () (p. 430) ·  (API) (p. 430)

 AWS KMS  AWS CloudHSM   AWS CloudHSM  AWS KMS   HSM  (CU) 

AWS CloudHSM 
 1  AWS CloudHSM  (p. 424)  (p. 3) (CMK) AWS KMS  AWS KMS  ID  Amazon  (ARN)  CMK   HSM  AWS CloudHSM   AWS KMS  
 AWS CloudHSM   ID  (p. 433)  
 AWS CloudHSM  · 
 AWS CloudHSM    AWS CloudHSM · AWS KMS    ·   AWS CloudHSM    AWS CloudHSM  DescribeClusters  ·  ( 2 ) . AWS CloudHSM      
Important
AWS CloudHSM  AWS KMS   (p. 436)  SUBNET_NOT_FOUND   (p. 454) ·  (cloudhsm-cluster-<cluster-id>-sg)  2223-22225  TCP   Source  Destination   ID   ·  2  HSM  HSM AWS CloudHSM  DescribeClusters   HSM  
AWS CloudHSM  AWS KMS AWS KMS  
 AWS CloudHSM   ,  customerCA.crt   AWS KMS  kmsuser 
AWS KMS  kmsuser   (p. 424) (CU)  kmsuser CU AWS KMS  kmsuser  AWS KMS  AWS CloudHSM   kmsuser 
Important
kmsuser CU 2FA AWS KMS  AWS CloudHSM  2FA CU  
kmsuser CU 
1. cloudhsm_mgmt_util cloudhsm_mgmt_util   AWS CloudHSM
2. cloudhsm_mgmt_util  createUser  CU  kmsuser 732  
 kmsPswd  kmsuser CU 
aws-cloudhsm> createUser CU kmsuser kmsPswd
 ()
 (p. 423)()AWS Management Console  (p. 428) 
1. AWS Management Console[AWS Key Management Service(AWS KMS) https://console.aws.amazon.com/kms
2. AWS []  
3. [Custom key stores ()]  4. [Create key store ()]  5. 
 6.  AWS CloudHSM  (p. 424)
AWS CloudHSMAWS CloudHSM
  (p. 428)   7. []  AWS CloudHSM  customerCA.crt 8.  kmsuser  (p. 424) (CU)   9. [Create] () 
     (p. 453)
:  (CMK)  (p. 436)AWS CloudHSM 
 (API)
-CreateCustomKeyStore (p. 423) AWS CloudHSM AWS Command Line Interface (AWS CLI) 
CreateCustomKeyStore 
· CustomKeyStoreName -- 
· CloudHsmClusterId --   (p. 428)  ID
· KeyStorePassword --  kmsuser CU 
· TrustAnchorCertificate -- customerCA.crt

 ID  ID  
$ aws kms create-custom-key-store --custom-key-store-name ExampleKeyStore \
    --cloud-hsm-cluster-id cluster-1a23b4cdefg \
    --key-store-password kmsPswd \
    --trust-anchor-certificate <certificate-goes-here>
AWS CLI  customerCA.crt 
$ aws kms create-custom-key-store --custom-key-store-name ExampleKeyStore \
    --cloud-hsm-cluster-id cluster-1a23b4cdefg \
    --key-store-password kmsPswd \
    --trust-anchor-certificate file://customerCA.crt
CreateCustomKeyStore   ID 
{
    "CustomKeyStoreId": "cks-1234567890abcdef0"
}
    (p. 453)
 AWS CloudHSM  (p. 436)

AWS Management Console  AWS KMS API   AWS CloudHSM  
 ·  (p. 432) ·  (p. 433) ·  (p. 436) ·  (p. 440)

AWS Management Console  AWS KMS API  
 CMK    CMK  (p. 447)
 ·  () (p. 432) ·  (API) (p. 432)
 ()
AWS Management Console 
·  ·  AWS CloudHSM  ID ·  HSM  · 
[Disconnected ()]   AWS CloudHSM  (p. 436)  CMK  AWS CloudHSM   CMK  (p. 454)

1. AWS Management Console[()AWS Key Management Service(AWS KMS) https://console.aws.amazon.com/kms
2. AWS []  
3. [Custom key stores ()] 
[Create key store ()]  
 (API)
DescribeCustomKeyStores   CustomKeyStoreId  CustomKeyStoreName  ( )  ID   AWS CloudHSM  ID 
AWS Command Line Interface(AWS CLI) 
Limit  Marker 
$ aws kms describe-custom-key-stores
CustomKeyStoreName  ExampleKeyStore   CustomKeyStoreName  CustomKeyStoreId 
AWS CloudHSM  ConnectionState  Status 
$ aws kms describe-custom-key-stores --custom-key-store-name ExampleKeyStore
{
    "CustomKeyStores": [
        {
            "CloudHsmClusterId": "cluster-1a23b4cdefg",
            "ConnectionState": "CONNECTED",
            "CreationDate": "1.499288695918E9",
            "CustomKeyStoreId": "cks-1234567890abcdef0",
            "CustomKeyStoreName": "ExampleKeyStore",
            "TrustAnchorCertificate": "<certificate appears here>"
        }
    ]
}
Disconnected  ConnectionState   AWS CloudHSM  (p. 436)  CMK  AWS CloudHSM  CMK  (p. 454)
 ConnectionState  FAILED DescribeCustomKeyStores   ConnectionErrorCode 
INVALID_CREDENTIALS kmsuser   (p. 456)    (p. 453)
$ aws kms describe-custom-key-stores --custom-key-store-id cks-1234567890abcdef0
{
    "CustomKeyStores": [
        {
            "CloudHsmClusterId": "cluster-1a23b4cdefg",
            "ConnectionErrorCode": "INVALID_CREDENTIALS",
            "ConnectionState": "FAILED",
            "CustomKeyStoreId": "cks-1234567890abcdef0",
            "CustomKeyStoreName": "ExampleKeyStore",
            "CreationDate": "1.499288695918E9",
            "TrustAnchorCertificate": "<certificate appears here>"
        }
    ]
}

 (p. 423) AWS CloudHSM 
:
1.  (p. 436)AWS CloudHSM   (p. 3) (CMK)   CMK  (p. 448)
2. 1  3.  (p. 436)AWS CloudHSM


 AWS    AWS CloudHSM  ID
 AWS CloudHSM  AWS CloudHSM  
[] AWS CloudHSM  (p. 428) ( 2  HSM)   DescribeClusters   AWS CloudHSM   kmsuser  (p. 424) (CU) 
AWS CloudHSM  kmsuser CU  AWS KMS  AWS CloudHSM  kmsuser CU 
AWS CloudHSM  kmsuser CU  AWS KMS   kmsuser AWS KMS   
 ·  () (p. 434) ·  (API) (p. 435)
 ()

1. AWS Management Console[()AWS Key Management Service(AWS KMS) https://console.aws.amazon.com/kms
2. AWS []  
3. [Custom key stores ()]  4.  5. []  DISCONNECTED 
[Key store actions ()] [Disconnect custom key store ()]  6. [Key store actions ()] [Edit custom key store ( )] 
7. 
·  ·  AWS CloudHSM  ID  ·  AWS CloudHSM  kmsuser 
 8. [Save] 
     (p. 453) 9.  (p. 436)
  CMK   (p. 448) CMK  
 (API)
 UpdateCustomKeyStore   AWS KMSHTTP 200  JSON 
AWS Command Line Interface(AWS CLI) 
DisconnectCustomKeyStore (p. 436) AWS KMS ID cks-1234567890abcdef0  ID 
$ aws kms disconnect-custom-key-store --custom-key-store-id cks-1234567890abcdef0
 UpdateCustomKeyStore  DevelopmentKeysCustomKeyStoreId  CustomKeyStoreName 
$ aws kms update-custom-key-store --custom-key-store-id cks-1234567890abcdef0 --new-custom-key-store-name DevelopmentKeys
 CustomKeyStoreId  CloudHsmClusterId  ID 
$ aws kms update-custom-key-store --custom-key-store-id cks-1234567890abcdef0 --cloud-hsm-cluster-id cluster-1a23b4cdefg
AWS KMS  kmsuser  ExamplePassword  CustomKeyStoreId  KeyStorePassword 
$ aws kms update-custom-key-store --custom-key-store-id cks-1234567890abcdef0 --key-store-password ExamplePassword
 AWS KMS   CMK  (p. 448) CMK   ID  ID 
$ aws kms connect-custom-key-store --custom-key-store-id cks-1234567890abcdef0

 (CMK)  AWS CloudHSM   (p. 432)
  
Note
DISCONNECTED  CONNECTEDAWS CloudHSM  1  HSM  the section called "" (p. 453)

AWS KMSAWS CloudHSM AWS CloudHSMkmsuser  (p. 424)(CU)  kmsuserAWS KMSAWS CloudHSM 
AWS KMSkms-<custom key store ID>  (VPC)   AWS KMS   Elastic Network Interface (ENI)  AWS KMS  kms-<cluster ID>  ENI  ENI  KMS managed ENI for cluster <cluster-ID> 
 ( 20 ) 

·  AWS CloudHSM  1  HSM   HSM AWS CloudHSM   DescribeClusters  HSM 
· kmsuser  (p. 429) (CU)   CU   (p. 460)
· DISCONNECTING  FAILED   (p. 432) DescribeCustomKeyStores   FAILED 
 CMK  (p. 442)  (p. 448) CMK 

AWS KMS  AWS CloudHSM   AWS CloudHSM  
 (CMK)  CMK   DISCONNECTED  CMK   (p. 288)PendingDeletion Unavailable  
Note
 (CMK)  CMK   
 CMK  (p. 449)  (p. 402)

· kmsuserAWS KMS  AWS CloudHSM   kmsuser  
·  CMK AWS CloudHSM  AWS KMSkmsusercrypto  (p. 424)AWS CloudHSM .  kmsuser CU CMK  
·  CMK CMK  CMK  (p. 58)AWS Management Console DisableKey.  CMK  1  CMK  Unavailable  
·  (  FAILED) 
 ·  () (p. 437) ·  (API) (p. 438) ·  () (p. 439) ·  (API) (p. 439)
 ()
AWS Management Console  []   20 
1. AWS Management Console[()AWS Key Management Service(AWS KMS) https://console.aws.amazon.com/kms
2. AWS []  
3. [Custom key stores ()]  4.  5.  [FAILED] 
 (p. 439) 6. [Key store actions ()] [Connect custom key store (
)] 
AWS KMS  AWS CloudHSM   AWS CloudHSM  kmsuser CU kmsuser   [CONNECTED] 
  (p. 432)[FAILED]    (p. 439)  (p. 453)
:  CMK  (p. 442)
 (API)
ConnectCustomKeyStore   AWS CloudHSM  1  HSM   FAILED 
 ( 20 )   HTTP 200  JSON   DescribeCustomKeyStores 
AWS Command Line Interface(AWS CLI) 
 ID ID  [ ]  DescribeCustomKeyStores   ID  ID 
$ aws kms connect-custom-key-store --custom-key-store-id cks-1234567890abcdef0
DescribeCustomKeyStores   CustomKeyStoreId  CustomKeyStoreName   ()  CONNECTED  ConnectionState  AWS CloudHSM  
$ aws kms describe-custom-key-stores --custom-key-store-id cks-1234567890abcdef0
{
    "CustomKeyStores": [
        {
            "CustomKeyStoreId": "cks-1234567890abcdef0",
            "CustomKeyStoreName": "ExampleKeyStore",
            "CloudHsmClusterId": "cluster-1a23b4cdefg",
            "TrustAnchorCertificate": "<certificate string appears here>",
            "CreationDate": "1.499288695918E9",
            "ConnectionState": "CONNECTED"
        }
    ]
}
ConnectionState  [FAILED] ConnectionErrorCode  AWS KMS  ID cluster-1a23b4cdefg  AWS CloudHSM    ID  (p. 433)
$ aws kms describe-custom-key-stores --custom-key-store-id cks-1234567890abcdef0
{
    "CustomKeyStores": [
        {
            "CustomKeyStoreId": "cks-1234567890abcdef0",
            "CustomKeyStoreName": "ExampleKeyStore",
            "CloudHsmClusterId": "cluster-1a23b4cdefg",
            "TrustAnchorCertificate": "<certificate string appears here>",
            "CreationDate": "1.499288695918E9",
            "ConnectionState": "FAILED",
            "ConnectionErrorCode": "CLUSTER_NOT_FOUND"
        }
    ]
}
:  CMK  (p. 442)
 ()
AWS Management Console  []  
1. AWS Management Console[()AWS Key Management Service(AWS KMS) https://console.aws.amazon.com/kms
2. AWS []  
3. [Custom key stores ()]  4.  5. [Key store actions ()] [Disconnect custom key store (
)] 
 [DISCONNECTING]  [DISCONNECTED]      (p. 453)
 (API)
DisconnectCustomKeyStore.  AWS KMSHTTP 200  JSON 
AWS Command Line Interface(AWS CLI) 
 ID  ID  
$ aws kms disconnect-custom-key-store --custom-key-store-id cks-1234567890abcdef0
DescribeCustomKeyStores   CustomKeyStoreId  CustomKeyStoreName   ()  DISCONNECTED  ConnectionState  AWS CloudHSM  
$ aws kms describe-custom-key-stores --custom-key-store-id cks-1234567890abcdef0
{
    "CustomKeyStores": [
        {
            "CloudHsmClusterId": "cluster-1a23b4cdefg",
            "ConnectionState": "DISCONNECTED",
            "CreationDate": "1.499288695918E9",
            "CustomKeyStoreId": "cks-1234567890abcdef0",
            "CustomKeyStoreName": "ExampleKeyStore",
            "TrustAnchorCertificate": "<certificate string appears here>"
        }
    ]
}

AWS KMS  AWS CloudHSM   KMS AWS CloudHSM  HSM  
AWS KMS  (CMK)  
·  (p. 448) CMK   CMK  (p. 453)  CMK   CMK   (p. 449)
·  CMK  CMK    CMK  (p. 447)
·  (p. 436)AWS KMS
 (p. 436)AWS CloudHSM   (CMK)   CMK  
 AWS    (p. 426)thatAWS KMS 
 ·  () (p. 440) ·  (API) (p. 441)
 ()
AWS Management Console    
1. AWS Management Console[()AWS Key Management Service(AWS KMS) https://console.aws.amazon.com/kms
2. AWS []  
3. [Custom key stores ()]  4. 
[DISCONNECTED]   (p. 436) 5. [Key store actions ()] [Delete custom key store ( )] 
     (p. 453)
 (API)
DeleteCustomKeyStore  AWS KMSHTTP 200  JSON 
 AWS KMS  (CMK)  CMK ListKeys DescribeKeyAWS KMS cks-1234567890abcdef0 ID CMK  ScheduleKeyDeletion  CMK 
Bash
for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text) ; do
    aws kms describe-key --key-id "$key" | grep '"CustomKeyStoreId": "cks-1234567890abcdef0"' --context 100
done
PowerShell
PS C:\> (Get-KMSKeyList).KeyArn | foreach {Get-KMSKey -KeyId $_} | where CustomKeyStoreId -eq 'cks-1234567890abcdef0'
DisconnectCustomKeyStore  AWS CloudHSM   ID  ID 
Bash
$ aws kms disconnect-custom-key-store --custom-key-store-id cks-1234567890abcdef0
PowerShell
PS C:\> Disconnect-KMSCustomKeyStore -CustomKeyStoreId cks-1234567890abcdef0
 DeleteCustomKeyStore   
Bash
$ aws kms delete-custom-key-store --custom-key-store-id cks-1234567890abcdef0
PowerShell
PS C:\> Remove-KMSCustomKeyStore -CustomKeyStoreId cks-1234567890abcdef0
 CMK 
 (CMK)  AWS KMS  CMK  CMK AWS KMS   AWS CloudHSM  CMK   CMK  (p. 448)  HSM 
Note
AWS KMS AWS CloudHSM   CMK    CMK  (p. 405) AWS KMS CMK  AWS CloudHSM 
 CMK  
· IAM  CMK  (p. 81)  · CMK  (p. 49)CMK  (p. 351) ·  (p. 12) CMK 
 · AWS KMS  AWS  (p. 475) CMK  CMK 
 ·  CMK AWS CloudTrail (p. 296)Amazon CloudWatch 
 (p. 294)
 CMK 
 ·  CMK  (p. 442) ·  CMK  (p. 447) ·  CMK  (p. 448) · CMK   (p. 449) ·  CMK  (p. 453)
 CMK 
 (p. 3) (CMK)   CMK (p. 232)AWS KMS
 CMK (p. 232) CMK (p. 405)  CMK 
AWS KMS  CMK  CMK  
·  (p. 12) CMK  · CMK  IAM  ·  CMK  · CMK  · CMK  · CMK 
 CMK  AWS CloudHSM   (p. 436) 2  HSM  HSM   (p. 432)()AWS Management ConsoleAPI   DescribeCustomKeyStores  AWS CloudHSM DescribeClusters  HSM  
 CMK AWS KMS  AWS KMS  CMK   AWS CloudHSM  CMK  AWS KMS  kmsuser CU (p. 428)   256  Advanced Encryption Standard (AES)  AWS KMS CMK  Amazon   (ARN) 
 CMK  (p. 288)  Enabled  AWS_CLOUDHSM  CMK   CMK  DescribeKey  ID  ID  AWS CloudHSM  ID ( )   CMK  (p. 447)
 CMK   (CustomKeyStoreInvalidStateException)  AWS CloudHSM  2  HSM   (CloudHsmClusterInvalidConfigurationException)    (p. 453)
 ·  CMK  () (p. 443) ·  CMK  (API) (p. 445)
 CMK  ()
 (CMK) 
1. AWS Management Console AWS Key Management Service (AWS KMS)  (https://console.aws.amazon.com/kms) 
2. AWS  3. [Customer managed keys ()] 
4. []  5. [] 
 CMK  6. [Advanced options ()]  7. []  [Custom key store (CloudHSM) ( (CloudHSM))] 
 8. [Next]  9.  CMK 
[Create custom key store ()] 
[CONNECTED ()]   AWS CloudHSM   2  HSM 
   (p. 436)HSM HSM ()AWS CloudHSM  10. [Next]  11.  CMK  12. (). [] CMK 
AWS  AWS  CMK  CMK  (p. 49) ABAC  AWS KMS (p. 114) 13. [Next]  14. [] CMK  IAM   CMK  (p. 88)
Note
IAM CMK  IAM   15. ()  CMK  []  16. [Next]  17.  IAM  AWS   CMK  (p. 12) CMK  (p. 90) Note
IAM CMK  IAM   18. ()  AWS   CMK  [Other]  AWS  [Add another] ()  AWS    AWS    Note
 AWS   IAM CMK   CMK   (p. 120) 19. [] 
20.  21. [] 
 CMK  CMK  CMK  (CloudHSM)  IDAWS CloudHSM  ID  
Tip
 CMK [Customer managed keys ()] [Custom key store ID ( ID)]  [Custom key store ID (  ID)] 
 CMK  (API)
  (p. 3) (CMK)  CreateKey  CustomKeyStoreId AWS_CLOUDHSM  Origin 
 Policy  (PutKeyPolicy)     
AWS Command Line Interface(AWS CLI) 
DescribeCustomKeyStores AWS CloudHSM.   CustomKeyStoreId  CustomKeyStoreName  () 
 ID  ID 
$ aws kms describe-custom-key-stores --custom-key-store-id cks-1234567890abcdef0
{
    "CustomKeyStores": [
        {
            "CustomKeyStoreId": "cks-1234567890abcdef0",
            "CustomKeyStoreName": "ExampleKeyStore",
            "CloudHsmClusterId": "cluster-1a23b4cdefg",
            "TrustAnchorCertificate": "<certificate string appears here>",
            "CreationDate": "1.499288695918E9",
            "ConnectionState": "CONNECTED"
        }
    ]
}
DescribeClustersAWS CloudHSM ExampleKeyStore(cluster-1a23b4cdefg)  2  HSM   HSM  2 CreateKey 
$ aws cloudhsmv2 describe-clusters
{
    "Clusters": [
        {
            "SubnetMapping": { ... },
            "CreateTimestamp": 1507133412.351,
            "ClusterId": "cluster-1a23b4cdefg",
            "SecurityGroup": "sg-865af2fb",
            "HsmType": "hsm1.medium",
            "VpcId": "vpc-1a2b3c4d",
            "BackupPolicy": "DEFAULT",
            "Certificates": {
                "ClusterCertificate": "-----BEGIN CERTIFICATE-----\...\n-----END CERTIFICATE-----\n"
            },
            "Hsms": [
                {
                    "AvailabilityZone": "us-west-2a",
                    "EniIp": "10.0.1.11",
                    "ClusterId": "cluster-1a23b4cdefg",
                    "EniId": "eni-ea8647e1",
                    "StateMessage": "HSM created.",
                    "SubnetId": "subnet-a6b10bd1",
                    "HsmId": "hsm-abcdefghijk",
                    "State": "ACTIVE"
                },
                {
                    "AvailabilityZone": "us-west-2b",
                    "EniIp": "10.0.0.2",
                    "ClusterId": "cluster-1a23b4cdefg",
                    "EniId": "eni-ea8647e1",
                    "StateMessage": "HSM created.",
                    "SubnetId": "subnet-b6b10bd2",
                    "HsmId": "hsm-zyxwvutsrqp",
                    "State": "ACTIVE"
                }
            ],
            "State": "ACTIVE"
        }
    ]
}
 CreateKey   CMK   CMK  ID AWS_CLOUDHSM  Origin 
 AWS CloudHSM  ID 
 ID  ID 
$ aws kms create-key --origin AWS_CLOUDHSM --custom-key-store-id cks-1234567890abcdef0
{
    "KeyMetadata": {
        "AWSAccountId": "111122223333",
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "CreationDate": 1.499288695918E9,
        "Description": "Example key",
        "Enabled": true,
        "MultiRegion": false,
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "KeyManager": "CUSTOMER",
        "KeyState": "Enabled",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Origin": "AWS_CLOUDHSM",
        "CloudHsmClusterId": "cluster-1a23b4cdefg",
        "CustomKeyStoreId": "cks-1234567890abcdef0",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
 CMK 
 (CMK) AWS KMS   CMK (p. 3)    (p. 28)CMK  AWS CloudHSM  CMK   (p. 449) 
AWS Management Console CMK  CMK  AWS  .
 CMK 
· CMK  ID ·  AWS CloudHSM  ID · API  AWS Management Console  AWS_CLOUDHSM  CloudHSM  Origin  ·  (p. 288) Unavailable 
  CMK  (p. 453)
 CMK  ()
1. AWS KMS  (https://console.aws.amazon.com/kms)  2. AWS  3. [Customer managed keys ()]  4. [ ID]  [] [] 
 5.  CMK Origin ()CLOUDHSM
 CMK [ ID]  6.  CMK  ID 
Amazon  (ARN)CMK   7. [  ] [  ] 
CMK 
 CMK  (API)
AWS KMSAPI  CMK  ListKeys,DescribeKey, GetKeyPolicyAWS CLI  describe-key   CMK   CMK ID  ID 
$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "KeyMetadata": {
        "AWSAccountId": "111122223333",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "CreationDate": 1537582718.431,
        "Enabled": true,
        "MultiRegion": false,
        "KeyManager": "CUSTOMER",
        "KeyState": "Enabled",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Origin": "AWS_CLOUDHSM",
        "CloudHsmClusterId": "cluster-1a23b4cdefg",
        "CustomKeyStoreId": "cks-1234567890abcdef0",
        "Description": "CMK in custom key store",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
 CMK CMK  AWS CloudHSM  CMK   (p. 449) 
 CMK 
 CMK  (p. 442)
·  ·  · GenerateDataKey · GenerateDataKeyWithoutPlaintext · ReEncrypt
 CMK   CMK  ( , ,  GetPublicKey)   ( GenerateDataKeyPair  GenerateDataKeyPairWithoutPlaintext, ) 
 CMK ID  CMK   AWS CloudHSM  CMK  
 CMK   AWS CloudHSM  CMK 

· CMK  (p. 288) Enabled   []  [AWS Management Console (p. 447)KeyState []   [DescribeKey.
·  AWS CloudHSM  ()AWS Management Console (p. 432)ConnectionState()DescribeCustomKeyStores CONNECTED
·  AWS CloudHSM  1   HSM  HSM  AWS KMS  (p. 432)AWS CloudHSM  DescribeClusters  
· AWS CloudHSM  CMK   HSM  
AWS KMS  KMSInvalidStateException  (p. 436)
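The conditions listed above (key Enabled, key store CONNECTED, cluster with an active HSM) as a readiness check. This is an added example, not code from the guide; it evaluates DescribeKey, DescribeCustomKeyStores and DescribeClusters responses, which are constructed inline here to mirror the guide's sample output, and the function name and sample dicts are assumptions. It also covers the stricter CreateKey case, which needs two active HSMs in different Availability Zones.

```python
"""Readiness check for a key in an AWS CloudHSM custom key store.

Added example (not the guide's code). Given DescribeKey, DescribeCustomKeyStores
and DescribeClusters responses, it reports every condition that would make a
cryptographic operation fail with KMSInvalidStateException (key must be Enabled,
key store CONNECTED, cluster with at least one ACTIVE HSM) or, when checking
CreateKey readiness, every condition that blocks creating a key in the store
(cluster with at least two ACTIVE HSMs in different Availability Zones).
"""
from typing import Any, Dict, List, Optional

# Constructed sample responses shaped like the guide's examples; the IDs are
# the guide's placeholders, not real resources.
SAMPLE_KEY: Dict[str, Any] = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyState": "Enabled",
    "Origin": "AWS_CLOUDHSM",
    "CloudHsmClusterId": "cluster-1a23b4cdefg",
    "CustomKeyStoreId": "cks-1234567890abcdef0",
}
SAMPLE_STORE: Dict[str, Any] = {
    "CustomKeyStoreId": "cks-1234567890abcdef0",
    "CustomKeyStoreName": "ExampleKeyStore",
    "CloudHsmClusterId": "cluster-1a23b4cdefg",
    "ConnectionState": "CONNECTED",
}
SAMPLE_CLUSTER: Dict[str, Any] = {
    "ClusterId": "cluster-1a23b4cdefg",
    "State": "ACTIVE",
    "Hsms": [
        {"HsmId": "hsm-abcdefghijk", "AvailabilityZone": "us-west-2a", "State": "ACTIVE"},
        {"HsmId": "hsm-zyxwvutsrqp", "AvailabilityZone": "us-west-2b", "State": "ACTIVE"},
    ],
}


def cloudhsm_key_readiness(store: Dict[str, Any], cluster: Dict[str, Any],
                           key: Optional[Dict[str, Any]] = None) -> List[str]:
    """Return the blocking conditions; an empty list means the key (or, when
    key is None, a CreateKey call against this key store) is ready to use.

    store   -- one entry of DescribeCustomKeyStores' CustomKeyStores list
    cluster -- one entry of DescribeClusters' Clusters list
    key     -- KeyMetadata from DescribeKey, or None to check CreateKey readiness
    """
    problems: List[str] = []

    if key is not None:
        # The key must be CloudHSM-backed, Enabled, and belong to this key store.
        if key.get("Origin") != "AWS_CLOUDHSM":
            problems.append("Origin is %r, expected AWS_CLOUDHSM" % key.get("Origin"))
        if key.get("KeyState") != "Enabled":
            problems.append("KeyState is %r, expected Enabled" % key.get("KeyState"))
        if key.get("CustomKeyStoreId") != store.get("CustomKeyStoreId"):
            problems.append("key belongs to %r, not to %r"
                            % (key.get("CustomKeyStoreId"), store.get("CustomKeyStoreId")))

    # The key store must be CONNECTED. On FAILED, surface ConnectionErrorCode so
    # the operator can jump to the matching troubleshooting entry.
    state = store.get("ConnectionState")
    if state != "CONNECTED":
        detail = "ConnectionState is %r, expected CONNECTED" % state
        if store.get("ConnectionErrorCode"):
            detail += " (ConnectionErrorCode %s)" % store["ConnectionErrorCode"]
        problems.append(detail)

    # DescribeClusters must describe the cluster the key store is bound to.
    if cluster.get("ClusterId") != store.get("CloudHsmClusterId"):
        problems.append("cluster %r is not the key store's cluster %r"
                        % (cluster.get("ClusterId"), store.get("CloudHsmClusterId")))

    active = [h for h in cluster.get("Hsms", []) if h.get("State") == "ACTIVE"]
    if not active:
        problems.append("cluster %r has no ACTIVE HSM" % cluster.get("ClusterId"))
    elif key is None:
        # CreateKey needs two ACTIVE HSMs in different Availability Zones.
        zones = {h.get("AvailabilityZone") for h in active}
        if len(active) < 2 or len(zones) < 2:
            problems.append("CreateKey needs two ACTIVE HSMs in different Availability "
                            "Zones; found %d HSM(s) in %d zone(s)" % (len(active), len(zones)))
    return problems


if __name__ == "__main__":
    failed_store = dict(SAMPLE_STORE, ConnectionState="FAILED",
                        ConnectionErrorCode="CLUSTER_NOT_FOUND")
    for label, args in (
        ("use key", (SAMPLE_STORE, SAMPLE_CLUSTER, SAMPLE_KEY)),
        ("create key", (SAMPLE_STORE, SAMPLE_CLUSTER)),
        ("key store FAILED", (failed_store, SAMPLE_CLUSTER, SAMPLE_KEY)),
    ):
        print(label, "->", cloudhsm_key_readiness(*args) or "ready")
```

In practice the three dicts come from boto3's describe_key, describe_custom_key_stores and describe_clusters responses; the check is the same.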
  CMK   (p. 454)
 CMK  CMK   1  (p. 537) AWS KMS  ThrottlingException AWS CloudHSM ThrottlingException ThrottlingException      (p. 537)
CMK  
 CMK  
· AWS CloudTrail  CMK  ·  CMK  · CMK 
CMK  AWS CloudHSM  AWS KMS  CMK AWS CloudHSM  HSM HSM  CMK  HSM  
 CMK kmsuser (p. 424) (CU)  AWS KMS CMK  Amazon  (ARN) AWS CloudHSM  
CMK 
·  CMK  (p. 449) -- 1  CMK  
·  (p. 450) --  CMK  
· CMK   (p. 452) --  CMK  
·  CMK  (p. 451) --  CMK 
 CMK 
 CMK  AWS CloudTrail  CMK   CMK  CMK  
 CMK  ()
 CMK [Customer Managed Keys ()] [Custom Key Store Name ()]  [Custom Key Store ID (  ID)]  CMK Origin ()CloudHSM 
 CMK  (API)
 CMK  ListKeys  DescribeKey  CustomKeyStoreId  ID  
Bash  CMK  CMK   ID 
for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text) ; do
    aws kms describe-key --key-id "$key" | grep '"CustomKeyStoreId": "cks-1234567890abcdef0"' --context 100
done
 CMK cks-  CustomKeyStoreId 
for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text) ; do
    aws kms describe-key --key-id "$key" | grep '"CustomKeyStoreId": "cks-' --context 100
done
PowerShell  CMK  Get-KMSKeyList Get-KMSkey   CMK   ID 
PS C:\> (Get-KMSKeyList).KeyArn | foreach {Get-KMSKey -KeyId $_} | where CustomKeyStoreId -eq 'cks-1234567890abcdef0'
 CMK -like  cks- 
PS C:\> (Get-KMSKeyList).KeyArn | foreach {Get-KMSKey -KeyId $_} | where CustomKeyStoreId -like 'cks*'

 AWS CloudHSM  cloudhsm_mgmt_util  findAllKeys  kmsuser  kmsuser AWS KMS  kmsuser  AWS KMS CMK    Crypto Officer  
1. cloudhsm_mgmt_util  cloudhsm_mgmt_util   
2.  (CO) cloudhsm_mgmt_util  3. listUsers  kmsuser  ID 
kmsuser  ID 3 
aws-cloudhsm> listUsers
Users on server 0(10.0.0.1):
Number of users found:3

    User Id    User Type    User Name    MofnPubKey    LoginFailureCnt    2FA
          1    PCO          admin        NO            0                  NO
          2    AU           app_user     NO            0                  NO
          3    CU           kmsuser      NO            0                  NO

4. findAllKeys  kmsuser   ID  kmsuser  ID 

 HSM kmsuser  89 262162  

aws-cloudhsm> findAllKeys 3 0
Keys on server 0(10.0.0.1):
Number of keys found 3
number of keys matched from start index 0::6
8,9,262162
findAllKeys success on server 0(10.0.0.1)

Keys on server 1(10.0.0.2):
Number of keys found 6
number of keys matched from start index 0::6
8,9,262162
findAllKeys success on server 1(10.0.0.2)

 CMK 
kmsuser   CMK 
AWS KMS  CMK  AWS CloudHSM  CMK  Amazon  (ARN) key_mgmt_util  cloudhsm_mgmt_util  getAttribute  CMK 
kmsuser CU  
Note
 (CMK)  CMK   
1.  kmsuser, key_mgmt_util   (p. 459)
2. getAttribute key_mgmt_util cloudhsm_mgmt_util OBJ_ATTR_LABEL 3
cloudhsm_mgmt_util  getAttribute   262162  (3)  ARN   CMK  262162  arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab 

listAttributes()AWS CloudHSM
aws-cloudhsm> getAttribute 262162 3
Attribute Value on server 0(10.0.1.10):
OBJ_ATTR_LABEL
arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
3. key_mgmt_util  cloudhsm_mgmt_util    (p. 460)
CMK  
 CMK  CMK ID  AWS CloudHSM  
AWS KMS  CMK  AWS CloudHSM  CMK  Amazon  (ARN) key_mgmt_util  findKey CMK  kmsuser CU  
Note
 (CMK)  CMK   
1.  key_mgmt_util    (p. 459) kmsuser,
2. key_mgmt_util  findKey  CMK  ARN  -l (label L)  CMK ARN  CMK ARN 
CMK ARN   arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab  262162  CMK ARN  key_mgmt_util 
Command: findKey -l arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Total number of keys present 1
number of keys matched from start index 0::1
262162

Cluster Error Status
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS

Cfm3FindKey returned: 0x00 : HSM Return: SUCCESS
3. key_mgmt_util    (p. 460)
 CMK 
 (CMK)  CMK  (p. 393)AWS KMS  CMK   AWS KMS  AWS CloudHSM  
Warning
CMK  CMK  CMK CMK    (p. 402)  CMK   Amazon CloudWatch  (p. 399) CMK  CMK  (p. 58)
 CMK  (p. 288) [ ] CMK CMK   (p. 436) CMK  
AWS KMSCMK AWS KMSAWS KMS  AWS CloudHSM  AWS KMS  AWS KMS   (p. 457)
AWS KMS AWS KMS  CMK  AWS CloudHSM   CMK  (p. 447)   

 
 ·  CMK  (p. 453) ·  CMK  (p. 454) ·  (p. 454) ·  (p. 456) ·  kmsuser  (p. 456) ·  (p. 457) · CMK  (p. 458) · kmsuser  (p. 459)
 CMK 
 (CMK)   (p. 288)  Enabled   CMK  CMK   CMK  CMK   (p. 288)Unavailable
Unavailable CMK  AWS CloudHSM   (p. 436)CMK CMK  (p. 448) 
CMK [Customer managed keys ()] CMK  [Status ()]  DescribeKey  KeyState  (p. 28)
 CMK Unavailable  PendingDeletion   AWS CloudHSM   CMK  Pending Deletion   
 CMK  (p. 436)  CMK Enabled  Disabled   CMK  PendingDeletion   CMK  (p. 58)  
  (p. 454)
 CMK 
 CMK  AWS CloudHSM CMK
 AWS CloudHSM  CMK  Unavailable  CMK  CustomKeyStoreInvalidStateException  KMSInvalidStateException   (p. 436)
 CMK  (p. 448)Enabled Connected 
· CMK  AWS CloudHSM  CMK   (p. 447)  (p. 458)
·  HSM  AWS CloudHSM   CMK  AWS CloudHSM  1  HSM AWS CloudHSM  HSM AWS CloudHSM  DescribeClusters  HSM AWS CloudHSM  CreateHsm 
·  AWS CloudHSM       ID  (p. 433)CMK   (p. 458)

 (p. 436) AWS CloudHSM   FAILED 
 AWS Management ConsoleConnectionStateDescribeCustomKeyStores
  []  ConnectionState  DISCONNECTED      (p. 428) (p. 433) 
 FAILED,  DescribeCustomKeyStores  ConnectionErrorCode 
Note
 FAILED    (p. 436)FAILED  
· CLUSTER_NOT_FOUND AWS KMS  ID  AWS CloudHSM   ID  API   AWS CloudHSM  DescribeClusters   ID     (p. 436) (p. 433) ID  (p. 436)
· INSUFFICIENT_CLOUDHSM_HSMS  AWS CloudHSM  HSM   1  HSM   HSM  DescribeClusters    1  HSM   HSM  
· INTERNAL_ERROR  AWS KMS  ConnectCustomKeyStore  
· INVALID_CREDENTIALS kmsuser AWS KMS   AWS CloudHSM    kmsuser  (p. 456)
· NETWORK_ERRORS   (p. 436)
· SUBNET_NOT_FOUND AWS CloudHSM  1  AWS KMS   AWS CloudHSM 
 AWS CloudHSM (VPC  )   (p. 428) ID    (p. 436)  ID  ID  (p. 433) 
Tip
kmsuser  (p. 456)AWS CloudHSM   · USER_LOCKED_OUT kmsuser Crypto User (CU)  (p. 424) AWS CloudHSM    kmsuser   (p. 456)
  (p. 436) cloudhsm_mgmt_util  changePswd  kmsuser   kmsuser  (p. 433)   kmsuser  (p. 456)   · USER_LOGGED_IN kmsuser CU  AWS CloudHSM  AWS KMS  kmsuser    kmsuser CU  kmsuser    (p. 460) · USER_NOT_FOUND AWS KMS  AWS CloudHSM  kmsuser CU   kmsuser CU   (p. 429)  (p. 433) kmsuser  (p. 456) 

 CMK  
KMSInvalidStateException: KMS cannot communicate with your CloudHSM cluster
 HTTPS 400    VPC  
 kmsuser 
 (p. 436)AWS KMS  AWS CloudHSM   kmsuser (p. 424) (CU)   DescribeCustomKeyStores  ConnectionState INVALID_CREDENTIALS,  FAILED  ConnectionErrorCode  
 kmsuser AWS KMS  kmsuser CU   AWS CloudHSM  DescribeCustomKeyStores  INVALID_CREDENTIALS  FAILED  ConnectionErrorCode  ConnectionState  
$ aws kms describe-custom-key-stores --custom-key-store-name ExampleKeyStore
{
    "CustomKeyStores": [
        {
            "CloudHsmClusterId": "cluster-1a23b4cdefg",
            "ConnectionErrorCode": "INVALID_CREDENTIALS",
            "CustomKeyStoreId": "cks-1234567890abcdef0",
            "CustomKeyStoreName": "ExampleKeyStore",
            "TrustAnchorCertificate": "<certificate string appears here>",
            "CreationDate": "1.499288695918E9",
            "ConnectionState": "FAILED"
        }
    ]
}
 5 AWS CloudHSM   
AWS KMS  kmsuser CU   DescribeCustomKeyStores   USER_LOCKED_OUT,  FAILED  ConnectionErrorCode   ConnectionState
$ aws kms describe-custom-key-stores --custom-key-store-name ExampleKeyStore
{
    "CustomKeyStores": [
        {
            "CloudHsmClusterId": "cluster-1a23b4cdefg",
            "ConnectionErrorCode": "USER_LOCKED_OUT",
            "CustomKeyStoreId": "cks-1234567890abcdef0",
            "CustomKeyStoreName": "ExampleKeyStore",
            "TrustAnchorCertificate": "<certificate string appears here>",
            "CreationDate": "1.499288695918E9",
            "ConnectionState": "FAILED"
        }
    ]
}

1.  (p. 436) 2. DescribeCustomKeyStores  ConnectionErrorCode 

· ConnectionErrorCode  INVALID_CREDENTIALS kmsuser  cloudhsm_mgmt_util  changePswd  
· ConnectionErrorCode  USER_LOCKED_OUT, cloudhsm_mgmt_util  changePswd  kmsuser 
3. kmsuser  (p. 433) kmsuser  AWS KMS   kmsuser 
4.  (p. 436)

 CMK  
 CMK AWS KMS  AWS KMS  CMK   AWS CloudHSM  CMK  AWS KMS  CMK AWS KMS AWS KMS  
AWS KMSAWS KMSAWS CloudTrailCMK IDAWS CloudHSM   ID
 AWS CloudHSM  AWS CLI  AWS CloudHSM CLI   AWS Management Console 
1.  key_mgmt_util    (p. 459)
2.  HSM  key_mgmt_util  deleteKey 
 HSM 262162  CloudTrail 
Command: deleteKey -k 262162
Cfm3DeleteKey returned: 0x00 : HSM Return: SUCCESS

Cluster Error Status
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
Node id 2 and err state 0x00000000 : HSM Return: SUCCESS
3. key_mgmt_util    (p. 460)
CMK 
CMK CMK   CMK   AWS CloudHSM  
 (CMK) AWS KMS  AWS CloudHSM CMK    CU  HSM  
CMK  HSM CMK   UNAVAILABLE  CMK  KMSInvalidStateException CMK  
    1  

1.   
DescribeBackups    Filters 
$ aws cloudhsmv2 describe-backups --filters clusterIds=<cluster ID>
{
    "Backups": [
        {
            "ClusterId": "cluster-1a23b4cdefg",
            "BackupId": "backup-9g87f6edcba",
            "CreateTimestamp": 1536667238.328,
            "BackupState": "READY"
        },
        ...
    ]
}
2.  
3.  (p. 436) 4.  ID  (p. 433)
 ID   ID  5.  (p. 436)
kmsuser 
 AWS CloudHSM AWS KMS  kmsuser  (CU)  (p. 424) kmsuser CU   (p. 428) AWS KMS  
AWS KMS  kmsuser  kmsuser CU cloudhsm_mgmt_util  key_mgmt_util  
Note
 (CMK)  CMK   
 (p. 459)kmsuser AWS CloudHSM  (p. 460)
 ·  (p. 459) ·  (p. 460)

 kmsuser CU 
1. AWS Management Console  AWS KMS API 
AWS KMS  kmsuser  kmsuser kmsuser 
 DisconnectCustomKeyStore   ID  ID 
$ aws kms disconnect-custom-key-store --custom-key-store-id cks-1234567890abcdef0
2. cloudhsm_mgmt_util cloudhsm_mgmt_util   AWS CloudHSM
3. cloudhsm_mgmt_util AWS CloudHSM(CO) 
 admin  CO CO  
aws-cloudhsm>loginHSM CO admin <password>
loginHSM success on server 0(10.0.2.9)
loginHSM success on server 1(10.0.3.11)
loginHSM success on server 2(10.0.1.12)
4. changePswd kmsuser   (AWS KMS )  732  
kmsuser  tempPassword 
aws-cloudhsm>changePswd CU kmsuser tempPassword
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. Cav server does NOT synchronize these changes with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************

Do you want to continue(y/n)?y
Changing password for kmsuser(CU) on 3 nodes
5. key_mgmt_util  cloudhsm_mgmt_util  kmsuser   cloudhsm_mgmt_util key_mgmt_util 
 key_mgmt_util 
Command: loginHSM -u CU -s kmsuser -p tempPassword
Cfm3LoginHSM returned: 0x00 : HSM Return: SUCCESS

Cluster Error Status
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
Node id 2 and err state 0x00000000 : HSM Return: SUCCESS

1.  
Command: logoutHSM
Cfm3LogoutHSM returned: 0x00 : HSM Return: SUCCESS

Cluster Error Status
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
2.  kmsuser  (p. 433)  kmsuser  AWS KMS  AWS KMS  kmsuser  AWS Management ConsoleKeyStorePassword UpdateCustomKeyStore.  tempPassword  AWS KMS  
$ aws kms update-custom-key-store --custom-key-store-id cks-1234567890abcdef0 --keystore-password tempPassword
3.  AWS KMS  ID  ID  AWS KMS  kmsuser   ConnectCustomKeyStore  
$ aws kms connect-custom-key-store --custom-key-store-id cks-1234567890abcdef0
4. Call DescribeCustomKeyStores with the custom key store ID (or name) to confirm that the key store is connected.
$ aws kms describe-custom-key-stores --custom-key-store-id cks-1234567890abcdef0
{
    "CustomKeyStores": [
        {
            "CustomKeyStoreId": "cks-1234567890abcdef0",
            "CustomKeyStoreName": "ExampleKeyStore",
            "CloudHsmClusterId": "cluster-1a23b4cdefg",
            "TrustAnchorCertificate": "<certificate string appears here>",
            "CreationDate": "1.499288695918E9",
            "ConnectionState": "CONNECTED"
        }
    ]
}
Connecting to AWS KMS through a VPC endpoint
VPC  AWS KMS  VPC VPC  AWS KMS  AWS  
AWS KMS Amazon Virtual Private Cloud(Amazon VPC) AWSPrivateLink VPC VPC  IP   1  Elastic Network Interfaces ENI
VPC  VPC  AWS KMS  NAT VPN  AWS Direct Connect VPC   IP  AWS KMS 
 AWS 
AWS KMSVPC AWS  Amazon VPCAWS KMS 
· AWS KMS VPC  (p. 462)
· AWS KMS  VPC  (p. 462)
· AWS KMS VPC  (p. 463)
· VPC  (p. 463)
·  VPC  (p. 466)
· VPC  (p. 468)
AWS KMS VPC 
 VPC AWS KMS( Amazon VPC 
AWS KMS VPC 
· VPC VPC  AWS KMS API  
· AWS KMS AWS KMS FIPS  VPC  
· AWS CloudTrailAWS KMS (CMK)  VPC VPC   (p. 468)
AWS KMS  VPC 
 VPC AWS KMS(Amazon VPC  Amazon VPC API) Amazon VPC  
The service name for an AWS KMS VPC endpoint has the form com.amazonaws.region.kms. For example, in the us-west-2 Region the service name is com.amazonaws.us-west-2.kms.
VPC VPC   DNS   [ DNS ]  AWS KMS DNS   (https://kms.<region>.amazonaws.com)  VPC 
 VPC AWS SDK  AWS CLI   AWS KMS DNS  VPC   URL 
Amazon VPC   
AWS KMS VPC 
AWS SDKAWS CLI AWS Tools for PowerShell  VPC  AWS KMS VPC DNS 
 list-keys  endpoint-url  VPC   VPC  ID  
$ aws kms list-keys --endpoint-url https://vpce-1234abcdf5678c90a-09p7654s-us-east-1a.ec2.us-east-1.vpce.amazonaws.com
VPC CLI   VPC  URL  AWS KMS DNS  (https://kms.<region>.amazonaws.com)  VPC  AWS CLI  SDK   VPC 
The VPC attributes enableDnsHostnames and enableDnsSupport must both be set to true; you can change them with ModifyVpcAttribute.
VPC 
AWS KMS  VPC VPC  VPC   VPC   AWS KMS  AWS KMS  
The VPC endpoint policy can be set when the endpoint is created (CreateVpcEndpoint), changed afterwards (ModifyVpcEndpoint), or managed with AWS CloudFormation.
()Amazon VPC 
Note
AWS KMS 2020  7 VPC   AWS KMS  VPC  VPC   (p. 464)
JSON  IAM IAM JSON   
· VPC  (p. 464)
·  VPC  (p. 464)
· VPC  (p. 465)
· VPC  (p. 466)
VPC 
VPC  AWS KMS  2  
·  (p. 85), IAM  (p. 104),  CMK   (p. 199) 
· VPC  
 CMK  Decrypt  VPC   CMK Decrypt 
VPC  CMK  DisableKey IAM 
 VPC 
 VPC  VPC   
AWS KMS  (p. 85),IAM  (p. 104), grant (p. 199)  
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Principal": "*",
            "Resource": "*"
        }
    ]
}
 VPC   VPC  (p. 465)
VPC 
VPC  VPC  AWS KMS  (p. 85),IAM  (p. 104), grant (p. 199)
 VPC 
·  ·  · 
 VPC   VPC Amazon VPC  VPC 
AWS KMS  VPC VPC   VPC  ExampleUser  CMK    ARN (p. 14) 
{
    "Statement": [
        {
            "Sid": "AllowDecryptAndView",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"},
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:ListAliases",
                "kms:ListKeys"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}
AWS CloudTrail VPC  CloudTrail  CMK 
 VPC AWS KMS 
This example uses the aws:PrincipalAccount condition key so that only principals from the specified AWS account ID can use the CMKs in that account.
{
    "Statement": [
        {
            "Sid": "AccessForASpecificAccount",
            "Principal": {"AWS": "*"},
            "Action": "kms:*",
            "Effect": "Deny",
            "Resource": "arn:aws:kms:*:111122223333:key/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": "111122223333"
                }
            }
        }
    ]
}
VPC 
To view the policy attached to a VPC endpoint, use DescribeVpcEndpoints.
 AWS CLI  VPC  ID  
 ID  
$ aws ec2 describe-vpc-endpoints \
    --query 'VpcEndpoints[?VpcEndpointId==`vpce-1234abcdf5678c90a`].[PolicyDocument]' \
    --output text
 VPC  
 VPC  VPC AWS KMS    (p. 85)IAM  (p. 104)
· aws:sourceVpce VPC  
· aws:sourceVpc  VPC  
Note
VPC  IAM   VPC  VPC   AWS KMS   AWS  AWS KMS  VPC  (p. 159)  aws:sourceIPAmazon VPC   VPC aws:sourceVpce  aws:sourceVpc  Amazon VPC VPC  -  
 (CMK)  CreateKey 
 VPC  CMK  AWS KMS   VPC  ID  aws:sourceVpce  
 AWS   ID  VPC  ID
{
    "Id": "example-key-1",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM policies",
            "Effect": "Allow",
            "Principal": {"AWS": ["111122223333"]},
            "Action": ["kms:*"],
            "Resource": "*"
        },
        {
            "Sid": "Restrict usage to my VPC endpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-1234abcdf5678c90a"
                }
            }
        }
    ]
}
aws:sourceVpc VPC  VPC CMK  
CMK  vpc-12345678  CMK  vpc-2b2b2b2b  VPC   2  VPC 
 AWS   ID  VPC  ID
{
    "Id": "example-key-2",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow administrative actions from vpc-12345678",
            "Effect": "Allow",
            "Principal": {"AWS": "111122223333"},
            "Action": [
                "kms:Create*", "kms:Enable*", "kms:Put*", "kms:Update*",
                "kms:Revoke*", "kms:Disable*", "kms:Delete*",
                "kms:TagResource", "kms:UntagResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpc": "vpc-12345678"
                }
            }
        },
        {
            "Sid": "Allow key usage from vpc-2b2b2b2b",
            "Effect": "Allow",
            "Principal": {"AWS": "111122223333"},
            "Action": [
                "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpc": "vpc-2b2b2b2b"
                }
            }
        },
        {
            "Sid": "Allow read actions from everywhere",
            "Effect": "Allow",
            "Principal": {"AWS": "111122223333"},
            "Action": [
                "kms:Describe*", "kms:List*", "kms:Get*"
            ],
            "Resource": "*"
        }
    ]
}
VPC 
AWS CloudTrail VPC AWS KMS  VPC VPC  ID   AWS CloudTrail  (p. 296) ID  AWS KMS VPC 
CloudTrail AWS KMS CMK VPC   VPC  (p. 463)  AWS CloudTrail (p. 296) 
VPC  GenerateDataKey  vpcEndpointId 
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "accountId": "111122223333",
        "userName": "Alice"
    },
    "eventTime": "2018-01-16T05:46:57Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "172.01.01.001",
    "userAgent": "aws-cli/1.14.23 Python/2.7.12 Linux/4.9.75-25.55.amzn1.x86_64 botocore/1.8.27",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "numberOfBytes": 128
    },
    "responseElements": null,
    "requestID": "a9fff0bf-fa80-11e7-a13c-afcabff2f04c",
    "eventID": "77274901-88bc-4e3f-9bb6-acf1c16f6a7c",
    "readOnly": true,
    "resources": [{
        "ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333",
        "type": "AWS::KMS::Key"
    }],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333",
    "vpcEndpointId": "vpce-1234abcdf5678c90a"
}
Using hybrid post-quantum TLS with AWS KMS
AWS Key Management Service(AWS KMS) Transport Layer Security (TLS)   TLS  AWS KMSAPI   AWS KMS   TLS   
AWS Key Management Service (AWS KMS) Transport Layer Security (TLS)  AWS KMS  TLS   TLS  TLS    AWS  
AWS  AWS KMS    TLS  
Most AWS  (p. 470)   AWS KMS API  (p. 473)

  TLS  
·  []  aws-kms-- GitHub 
· GitHub s2n   s2n 
·  TLS AWS KMS()aws-kms-pq-tls-GitHub HTTP AWS KMS()aws-kms-pq-tlsexamplerepository.
 AWS 
 TLS AWS KMS AWS  AWSGovCloud ( )AWSGovCloud () () () 
AWS KMS AWS  AWS Key Management Service()Amazon Web Services FIPS  AWS()Amazon Web Services ..
TLS  
AWS KMS  AWS SDK for Java 2.xAWSLinux  HTTP   (CRT) HTTP  AWS KMS 
HTTPTLS s2n, s2n  pq-crypto  
s2n   
s2nECDH TLS,  . 2 s2n HTTP  Kyber  ECDH  
Kyber   ECDH  National Institute for Standards and Technology (NIST)   
AWS KMS  TLS  
AWS KMS  TLS HTTP  

s2n  AWS KMS AWS KMS   (CMK) 
AWS KMS  CMK  256 Advanced Encryption Standard in Galois Counter Mode (AES-GCM)  256  AES-GCM   128  AWS KMS

s2n  Linux  AWS (AWS SDK for Java 2.x  TLS  (p. 472)
AWS KMS 
 AWS KMS s2n  AWS KMS  FIPS 140-2  
s2n  HTTP   AWS KMS FIPS 140-2  s2n  
AWS KMS AWS  AWS Key Management Service()Amazon Web Services FIPS  AWS()Amazon Web Services 

s2n  TLS  CPU   2   TLS AWS KMS
 TLS 
Maven AWS HTTP   HTTP  AWS KMSHTTP 
AWS KMS  TLS aws-kms-pq-tlsexample 
1. AWSMaven  
 Maven  AWS   2.14.13-PREVIEW 
<dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>aws-crt-client</artifactId>
    <version>2.14.13-PREVIEW</version>
</dependency>
2. AWS SDK for Java 2.x  
  HTTP  TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_07Kyber  ECDH   HTTP  AWS KMS  
AWS KMS  KmsAsyncClient   AWS KMS  KmsAsyncClient Javadoc 
AWS KMSAPIAWS KMS TLS  
// Check platform support
if (!TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_07.isSupported()) {
    throw new RuntimeException("Hybrid post-quantum cipher suites are not supported on this platform");
}
// Configure HTTP client
SdkAsyncHttpClient awsCrtHttpClient = AwsCrtAsyncHttpClient.builder()
        .tlsCipherPreference(TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_07)
        .build();
// Create the AWS KMS async client
KmsAsyncClient kmsAsync = KmsAsyncClient.builder()
        .httpClient(awsCrtHttpClient)
        .build();
3. AWS KMS TLS 
 AWS KMS  AWS KMS API   TLS  AWS KMS  AWS KMSAPI  (ListKeys
ListKeysResponse keys = kmsAsync.listKeys().get();
AWS KMS  TLS  
AWS KMS  
·   AWS Lambda  
·   (DPI)  TLS  ClientHello    IT  TLS 
AWS KMS  TLS 
AWS KMS  TLS  
·  TLS AWS KMS  2  TLS AWS KMS
· AWS HTTP AWS  HTTP AWSJava  SDK for Java
· AWS SDK for Java 2.xAWS SDK for Java 2.x AWS SDK for Java 2.x
· s2n   TLS  s2n   s2n  
· National Institute for Standards and Technology (NIST)  Post-Quantum Cryptography 
· TLS Hybrid Post-Quantum Key Encapsulation Methods (PQ KEM) for Transport Layer Security 1.2 (TLS) 
How AWS services use AWS KMS
AWS AWS KMS  AWSAWS KMS (CMK)  AWSAWS KMSAWS
 AWS KMS   CMK  CMK 
Important
AWS KMS  AWS  CMK   CMK CMK    CMK  CMK   (p. 46)
· AWS CloudTrail  AWS KMS  (p. 475)
· Amazon DynamoDB AWS KMS (p. 480)
· Amazon Elastic Block Store (Amazon EBS) AWS KMS (p. 490)
· Amazon Elastic Transcoder AWS KMS (p. 493)
· Amazon EMR AWS KMS (p. 497)
· AWS Nitro AWS KMS (p. 501)
· Amazon Redshift AWS KMS (p. 503)
· Amazon Relational Database Service (Amazon RDS) AWS KMS (p. 504)
· AWS Secrets Manager  AWS KMS  (p. 505)
· Amazon Simple Email Service (Amazon SES) AWS KMS (p. 506)
· Amazon Simple Storage Service (Amazon S3) AWS KMS (p. 508)
· AWS Systems Manager AWS KMS (p. 510)
· Amazon WorkMail AWS KMS (p. 519)
· WorkSpaces AWS KMS (p. 526)
How AWS CloudTrail uses AWS KMS
AWS CloudTrailAWSAPI  AWS    Amazon Simple Storage Service (Amazon S3)  CloudTrail  S3  Amazon S3 SSE-S3 AWS KMS (SSE-KMS) CloudTrail AWS KMS CloudTrail  AWS KMS--  (SSE-KMS)()AWS CloudTrail
Important
AWS CloudTrail Amazon S3   (p. 232)CMK  CMK (p. 232)  CloudTrail 
CMK   CMK  CMK  (p. 46)
· CMK  (p. 476)
· CMK  (p. 480)
CMK 
 CloudTrail AWS KMS Amazon S3  AWS KMS (SSE-KMS) SSE-KMS  Amazon Simple Storage Service (Amazon S3) AWS KMS (p. 508) AWS KMS--  (SSE-KMS)()Amazon Simple Storage Service 
AWS CloudTrailSSE-KMS CloudTrail  Amazon S3 CMK  CMK  
CloudTrail  Amazon S3  CMK 
· CMK CloudTrail   (p. 476)
· CloudTrail  S3  (p. 477)
· S3  (p. 479)
CMK  CloudTrail 
CMK  CloudTrail CloudTrail GenerateDataKey AWS KMSCMK CloudTrail  CloudTrail 
GenerateDataKey  (p. 17)
· CloudTrail  Amazon ARN · S3  ARN  CloudTrail 
GenerateDataKey CloudTrail  CloudTrail ( ) AWS KMS( )GenerateDataKey ( )  ( ).AWS KMS CMK ( ).
Note
 
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::086441151436:user/AWSCloudTrail",
        "accountId": "086441151436",
        "accessKeyId": "AKIAI44QH8DHBEXAMPLE",
        "userName": "AWSCloudTrail",
        "sessionContext": {"attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2015-11-11T21:15:33Z"
        }},
        "invokedBy": "internal.amazonaws.com"
    },
    "eventTime": "2015-11-11T21:15:33Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "internal.amazonaws.com",
    "userAgent": "internal.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:alias/ExampleAliasForCloudTrailCMK",
        "encryptionContext": {
            "aws:cloudtrail:arn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/Default",
            "aws:s3:arn": "arn:aws:s3:::example-bucket-for-CT-logs/AWSLogs/111122223333/"
        },
        "keySpec": "AES_256"
    },
    "responseElements": null,
    "requestID": "581f1f11-88b9-11e5-9c9c-595a1fb59ac0",
    "eventID": "3cdb2457-c035-4890-93b6-181832b9e766",
    "readOnly": true,
    "resources": [{
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "111122223333"
}
CloudTrail  S3 
CloudTrail  S3 Amazon S3 GenerateDataKey AWS KMS CloudTrail AWS KMS  2  Amazon S3 1   1  CMK Amazon S3  CloudTrail  Amazon S3  CloudTrail  
GenerateDataKey  (p. 17)
· CloudTrail  Amazon ARN · S3  ARNCloudTrail 
GenerateDataKey CloudTrail 
CloudTrail ( ) AWS
KMS( )GenerateDataKey ( )  ( ) 
 ( ).AWS KMS CMK ( )  2 
Note
 
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROACKCEVSQ6C2EXAMPLE:i-34755b85",
        "arn": "arn:aws:sts::086441151436:assumed-role/AWSCloudTrail/i-34755b85",
        "accountId": "086441151436",
        "accessKeyId": "AKIAI44QH8DHBEXAMPLE",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2015-11-11T20:45:25Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROACKCEVSQ6C2EXAMPLE",
                "arn": "arn:aws:iam::086441151436:role/AWSCloudTrail",
                "accountId": "086441151436",
                "userName": "AWSCloudTrail"
            }
        },
        "invokedBy": "internal.amazonaws.com"
    },
    "eventTime": "2015-11-11T21:15:58Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "internal.amazonaws.com",
    "userAgent": "internal.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:cloudtrail:arn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/Default",
            "aws:s3:arn": "arn:aws:s3:::example-bucket-for-CT-logs/AWSLogs/111122223333/CloudTrail/us-west-2/2015/11/11/111122223333_CloudTrail_us-west-2_20151111T2115Z_7JREEBimdK8d2nC9.json.gz"
        },
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "keySpec": "AES_256"
    },
    "responseElements": null,
    "requestID": "66f3f74a-88b9-11e5-b7fb-63d925c72ffe",
    "eventID": "7738554f-92ab-4e27-83e3-03354b1aa898",
    "readOnly": true,
    "resources": [{
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "111122223333"
}
S3 
S3  CloudTrail Amazon S3 Decrypt AWS KMS AWS KMS CMK  Amazon S3 Amazon S3  CloudTrail  
Decrypt  (p. 17)
· CloudTrail  Amazon ARN · S3  ARNCloudTrail 
Decrypt CloudTrail  IAM  AWS  ( ) AWS KMS( )Decrypt ( )  ( )  ( ).AWS KMS CMK ( ).
Note
 
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::111122223333:user/cloudtrail-admin",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "cloudtrail-admin",
        "sessionContext": {"attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2015-11-11T20:48:04Z"
        }},
        "invokedBy": "signin.amazonaws.com"
    },
    "eventTime": "2015-11-11T21:20:52Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "internal.amazonaws.com",
    "userAgent": "internal.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:cloudtrail:arn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/Default",
            "aws:s3:arn": "arn:aws:s3:::example-bucket-for-CT-logs/AWSLogs/111122223333/CloudTrail/us-west-2/2015/11/11/111122223333_CloudTrail_us-west-2_20151111T2115Z_7JREEBimdK8d2nC9.json.gz"
        }
    },
    "responseElements": null,
    "requestID": "16a0590a-88ba-11e5-b406-436f15c3ac01",
    "eventID": "9525bee7-5145-42b0-bed5-ab7196a16daa",
    "readOnly": true,
    "resources": [{
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
CMK 
AWSCloudTrail  CMK AWS KMS  API  AWS Key Management Service 
CloudTrail AWS KMS (SSE-KMS)CloudTrail  S3   (p. 477)AWS KMSAPI CloudTrail  5  1   S3  288 AWS KMS1   AWS  
·  2  AWS  ,  576AWS KMS1  API 2 x 288
·  3  2  AWS  ,   1,728AWS KMS1  API 6 x 288
 PUT  AWS KMS  AWS KMSGETS3  
How Amazon DynamoDB uses AWS KMS
Amazon DynamoDB  NoSQL  DynamoDB AWS Key Management Service(AWS KMS)  
, DynamoDB   , DynamoDB ( ) DynamoDB  
 DynamoDB , ,    
 DynamoDB  AWS  (p. 5)(CMK)  DynamoDB   CMK (p. 4)AWS CMK (p. 4) DynamoDB  DynamoDB 
Note
2018  11 AWSDynamoDB  CMK DynamoDB  AWS CMK AWS Management ConsoleUpdateTable  CMK AWS CMK
DynamoDB 
AWS  Amazon DynamoDB  DynamoDB   HTTPS  DynamoDB DynamoDB   DynamoDB  
DynamoDB  DynamoDB      Amazon DynamoDB 
· CMK  (p. 481)
· CMK  (p. 483)
· DynamoDB  (p. 486)
·  DynamoDB AWS KMS (p. 487)
CMK 
DynamoDB AWS KMS (CMK)  DynamoDB DynamoDB   
 (CMK)
DynamoDB AWS KMS (CMK) DynamoDB AWS CMK (p. 5)DynamoDB  DynamoDB  CMK (p. 4) AWS CMK (p. 4)DynamoDB  (aws/dynamodb)  AWS    CMK  CMK  
 CMK  CMK DynamoDB  UpdateTable  
Important
DynamoDB   CMK (p. 232)  CMK (p. 232)   DynamoDB CMK    CMK  CMK  (p. 46)
 CMK  · CMK CMK  
 (p. 85), IAM  (p. 104)   (p. 199) CMK 
 (p. 58) (p. 283) CMK  (p. 393) ·  CMK   (p. 405)  (p. 421) CMK  · DynamoDB DynamoDB API  AWS KMSAWS CloudTrail (p. 487) AWS  CMK  · CMK  (p. 28) (p. 97)( ) · DynamoDB DynamoDB API  AWS KMSAWS CloudTrail (p. 487) AWS  CMK  AWS KMS   (p. 530) CMK  AWS  CMK API  CMK  AWS KMS   DynamoDB  CMK   (p. 5) ( )   DynamoDB  DynamoDB   
DynamoDB AWS KMSCMK  
 
DynamoDB AWS KMS Advanced Encryption Standard (AES)  256   
 CMK DynamoDB   
AWS KMSDynamoDB DynamoDB  DynamoDB  5  AWS KMS CMK  AWS KMSAWS Identity and Access Management(IAM)  
CMK 
 CMK (p. 4)AWS CMK (p. 4)DynamoDB   CMK  DynamoDB  AWSDynamoDB  CMK  
 CMK AWS  CMK  AWS  
DynamoDB AWS CMK (p. 3)  DynamoDB  AWS  
· AWS  CMK  (p. 483)
·  CMK  (p. 484)
·  DynamoDB  (p. 486)
AWS  CMK 
DynamoDB AWS CMK (p. 4)DynamoDB  (aws/dynamodb)  DynamoDB AWS  CMK  AWS  CMK  DynamoDB  -ViaService  (p. 191)AWS CMK  DynamoDB 
 AWS AWS    (p. 97)

· AWSDynamoDB  CMK  DynamoDB   CMK   (p. 486)
·  IAM ID AWSDynamoDB  CMK  DynamoDB  CMK DynamoDB    (p. 486) 
· DynamoDB AWS CMK
{
    "Version": "2012-10-17",
    "Id": "auto-dynamodb-1",
    "Statement": [
        {
            "Sid": "Allow access through Amazon DynamoDB for all principals in the account that are authorized to use Amazon DynamoDB",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:CreateGrant",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "111122223333",
                    "kms:ViaService": "dynamodb.us-west-2.amazonaws.com"
                }
            }
        },
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "kms:RevokeGrant"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow DynamoDB Service with service principal name dynamodb.amazonaws.com to describe the key directly",
            "Effect": "Allow",
            "Principal": {"Service": "dynamodb.amazonaws.com"},
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*"
            ],
            "Resource": "*"
        }
    ]
}
 CMK 
 CMK (p. 4)  DynamoDB DynamoDB   CMK  DynamoDB  CMK    (p. 85),  IAM  (p. 104),   (p. 199) 
DynamoDB  CMK 
· kms:Encrypt
· kms:Decrypt
· kms:ReEncrypt* (for kms:ReEncryptFrom and kms:ReEncryptTo)
· kms:GenerateDataKey* (for kms:GenerateDataKey and kms:GenerateDataKeyWithoutPlaintext)
· kms:DescribeKey
· kms:CreateGrant
 
· DynamoDB  CMK DynamoDB   DynamoDB  DynamoDB 
· KMS: viaService  (p. 191)   DynamoDB   kms:ViaService  dynamodb.*.amazonaws.com, Region  (*)  DynamoDB  AWS   DynamoDB 
· CMK  ( db-team )  CMK   DynamoDB   (p. 486) 
· DynamoDB  CMK DynamoDB   
 AWS  
{
    "Id": "key-policy-dynamodb",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow access through Amazon DynamoDB for all principals in the account that are authorized to use Amazon DynamoDB",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/db-lead"},
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "dynamodb.*.amazonaws.com"
                }
            }
        },
        {
            "Sid": "Allow administrators to view the CMK and revoke grants",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/db-team"},
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "kms:RevokeGrant"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow DynamoDB to get information about the CMK",
            "Effect": "Allow",
            "Principal": {"Service": ["dynamodb.amazonaws.com"]},
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*"
            ],
            "Resource": "*"
        }
    ]
}
 DynamoDB 
DynamoDB  CMK  AWSDynamoDB  CMK (aws/dynamoDB) CMK  ListGrants DynamoDB  AWS CMK (p. 5)
DynamoDB   (p. 481)
 CMK  DynamoDB   (p. 486)( AWS  ID  
DynamoDB   CreateGrant AWS CMK DynamoDB kms:CreateGrant (p. 483) CreateGrantCMK DynamoDB  
 CMK   DynamoDB 
DynamoDB 
 (p. 17)  AWS KMS   
DynamoDB AWS KMS  CMK (p. 4)AWS CMK (p. 4)DynamoDB   CMK  AWS CloudTrailAmazon CloudWatch 
DynamoDB   (p. 486) CMK  CMK  AWS CMK
AWS KMSDynamoDB  2  
"encryptionContextSubset": {
    "aws:dynamodb:tableName": "Books",
    "aws:dynamodb:subscriberId": "111122223333"
}
·  -- DynamoDB  aws:dynamodb:tableName 
"aws:dynamodb:tableName": "<table-name>"
:
"aws:dynamodb:tableName": "Books"
· -- 2  AWS   aws:dynamodb:subscriberId  ID 
"aws:dynamodb:subscriberId": "<account-id>"
:
"aws:dynamodb:subscriberId": "111122223333"
 DynamoDB AWS KMS
 CMK (p. 4)AWS CMK (p. 4) DynamoDB  AWS CloudTrailDynamoDB  AWS KMS
GenerateDataKeyDecrypt CreateGrant  DynamoDB  DescribeKey  CMK   RetireGrant  
GenerateDataKey
DynamoDB  GenerateDataKey  AWS KMS  CMK 
GenerateDataKey   DynamoDB CMK  Amazon   (ARN)256  (p. 486)  AWS  
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "dynamodb.amazonaws.com"
    },
    "eventTime": "2018-02-14T00:15:17Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "dynamodb.amazonaws.com",
    "userAgent": "dynamodb.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:dynamodb:tableName": "Services",
            "aws:dynamodb:subscriberId": "111122223333"
        },
        "keySpec": "AES_256",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": null,
    "requestID": "229386c1-111c-11e8-9e21-c11ed5a52190",
    "eventID": "e3c436e9-ebca-494e-9457-8123a1f5e979",
    "readOnly": true,
    "resources": [
        {
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "accountId": "111122223333",
            "type": "AWS::KMS::Key"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333",
    "sharedEventID": "bf915fa6-6ceb-4659-8912-e36b69846aad"
}

 DynamoDB DynamoDB   DynamoDB Decrypt AWS KMS CMK 
Decrypt   AWS    ( blob )  (p. 486)  AWS  AWS KMS CMK  ID 
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:user01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/user01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2018-02-14T16:42:15Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDT3HGFQZX4RY6RU",
                "arn": "arn:aws:iam::111122223333:role/Admin",
                "accountId": "111122223333",
                "userName": "Admin"
            }
        },
        "invokedBy": "dynamodb.amazonaws.com"
    },
    "eventTime": "2018-02-14T16:42:39Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "dynamodb.amazonaws.com",
    "userAgent": "dynamodb.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:dynamodb:tableName": "Books",
            "aws:dynamodb:subscriberId": "111122223333"
        }
    },
    "responseElements": null,
    "requestID": "11cab293-11a6-11e8-8386-13160d3e5db5",
    "eventID": "b7d16574-e887-4b5b-a064-bf92f8ec9ad3",
    "readOnly": true,
    "resources": [
        {
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "accountId": "111122223333",
            "type": "AWS::KMS::Key"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
CreateGrant
 CMK (p. 4)AWS CMK (p. 4) DynamoDB  DynamoDB  (p. 486) AWS  CMK (p. 5)  
DynamoDB  CreateGrant  
CreateGrant   CMK  Amazon ARN DynamoDB   (p. 486) 
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:user01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/user01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2018-02-14T00:12:02Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Admin",
                "accountId": "111122223333",
                "userName": "Admin"
            }
        },
        "invokedBy": "dynamodb.amazonaws.com"
    },
    "eventTime": "2018-02-14T00:15:15Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "dynamodb.amazonaws.com",
    "userAgent": "dynamodb.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "retiringPrincipal": "dynamodb.us-west-2.amazonaws.com",
        "constraints": {
            "encryptionContextSubset": {
                "aws:dynamodb:tableName": "Books",
                "aws:dynamodb:subscriberId": "111122223333"
            }
        },
        "granteePrincipal": "dynamodb.us-west-2.amazonaws.com",
        "operations": [
            "DescribeKey",
            "GenerateDataKey",
            "Decrypt",
            "Encrypt",
            "ReEncryptFrom",
            "ReEncryptTo",
            "RetireGrant"
        ]
    },
    "responseElements": {
        "grantId": "5c5cd4a3d68e65e77795f5ccc2516dff057308172b0cd107c85b5215c6e48bde"
    },
    "requestID": "2192b82a-111c-11e8-a528-f398979205d8",
    "eventID": "a03d65c3-9fee-4111-9816-8bf96b73df01",
    "readOnly": false,
    "resources": [
        {
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "accountId": "111122223333",
            "type": "AWS::KMS::Key"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
How Amazon Elastic Block Store (Amazon EBS) uses AWS KMS
Amazon Elastic Block Store (Amazon EBS) AWS KMSAmazon EBS   Amazon EBS 
· Amazon EBS  (p. 491)
· CMK  (p. 491)
· Amazon EBS  (p. 492)
· Amazon EBS  (p. 492)
· AWS CloudFormation Amazon EBS  (p. 493)
Amazon EBS 
 Amazon EBS   Amazon Elastic Compute CloudAmazon EC2,  I/O Amazon EC2  
 Amazon EBS   EC2   
EBS     
Amazon EBS  EBS   AWS    ()Linux  Amazon EC2  Windows  Amazon EC2 
CMK 
 Amazon EBS AWS KMS  (CMK)Amazon EBS AWS CMK (p. 4) Amazon EBS  (aws/ebs).  CMK (p. 4)  
 CMK  CMK  Amazon EBS IAM  ()Linux  Amazon EC2 Windows   Amazon EC2 
Important
Amazon EBS   CMK (p. 232)  CMK (p. 232)  Amazon EBS CMK    CMK  CMK  (p. 46)
Amazon EBS AWS KMS CMK  Amazon EBS   Amazon EC2 Amazon EBS AWS KMS Amazon EBS   I/O EBS 
()Linux  Amazon EC2 Windows  Amazon EC2 
Amazon EBS 
GenerateDataKeyWithoutPlaintextDecryptAWS KMSAmazon EBS   
 (p. 17)  AWS KMS   
 Amazon EBS CreateSnapshot  Amazon EBS  ID CloudTrail   requestParameters 
"encryptionContext": {
    "aws:ebs:id": "vol-0cfb133e847d28be9"
}
Amazon EC2 CopySnapshot  Amazon EBS  ID CloudTrail   requestParameters 
"encryptionContext": {
    "aws:ebs:id": "snap-069a655b568de654f"
}
Amazon EBS 
 EBS  EC2  Amazon EBS  Amazon EC2 EBS  CMK CMK   (p. 288)  Enabled  
Amazon EBS  Amazon CloudWatch   CloudWatch  Amazon EBS  Amazon CloudWatch Events()Linux  Amazon EC2  
·  · 
EBS  CMK  CMK  (p. 28)  (AWS Management Console).  
· CMK  (p. 58) · CMK 
 (p. 408)
· CMK  (p. 395)
AWS CloudFormation Amazon EBS 
AWS CloudFormation Amazon EBS  AWS::EC2::Volume()AWS CloudFormation
How Amazon Elastic Transcoder uses AWS KMS
Amazon Elastic Transcoder Amazon S3    AWS KMS  
·  (p. 493)
·  (p. 494)
·  (p. 495)
· HLS  (p. 496)
· Elastic  (p. 496)

Elastic Transcoder  Amazon S3    AES   Amazon S3 
AES Amazon S3   Elastic Transcoder   (p. 232)AWS KMS (p. 3) (CMK)   AES 
Amazon S3  3   Amazon S3 
· Amazon S3 Amazon S3  AWS  
· -AWS CMK (p. 4)Amazon S3  CMK CMKAWS
·  (p. 232) CMK (p. 4) AWS KMS 
Important
Elastic Transcoder   CMK (p. 232)  CMK (p. 232)  Elastic Transcoder 

CMK    CMK  CMK  (p. 46)
Amazon S3  Amazon S3 API  Amazon S3  ()Amazon Simple Storage Service 
AWS Amazon S3  CMK   CMKAmazon S3 AWS KMS
1. Amazon S3  CMK  
2. AWS KMS CMK   Amazon S3 
3. Amazon S3  Amazon S3 
4. Amazon S3 

 Amazon S3 Elastic Transcoder  Elastic Transcoder    Amazon S3 


 S3 S3-AWS-KMS
S3-AWS-KMS

AWS KMS  

 (ARN )


Amazon S3     
Amazon S3   AWS Amazon S3  CMK  
Amazon S3   CMK    

S3-AWS-KMSAmazon S3 AWS KMS 
1. Amazon S3 AWS KMS 
2. AWS KMS CMK  Amazon S3
3. Amazon S3 


AES Elastic Transcoder  Amazon S3  Elastic Transcoder   CMK  AES AES 

Elastic Transcoder  

 S3 S3-AWS-KMS S3-AWS-KMS
AES-
AES-

AWS KMS     (ARN )

 (ARN )


Amazon S3   
Amazon S3 AWS KMS AWSAmazon S3  CMK  
Amazon S3 ARN   CMK    
Elastic Transcoder AWS  Amazon S3   CMK  AES   
Elastic Transcoder ARN   CMK   AES   

AWS Amazon S3  CMK  CMK  Amazon S3 AWS KMS
1. Amazon S3  CMK  
2. AWS KMSCMK   Amazon S3 
3. Amazon S3  Amazon S3  
4. Amazon S3 
 AES AES AWS KMSElastic TranscoderAWS KMS
1. AES EncryptAWS KMSAPI.AWS KMS CMK  CMK 

2. Elastic Transcoder  AES 
3. Elastic Transcoder DecryptAWS KMSAPI 
4. Elastic Transcoder  AES  AES 
5.  AES  
Important
AWS  
HLS 
HTTP Live Streaming (HLS) Elastic Transcoder   HLS   Elastic Transcoder  
HLS  128  AES   
AWS KMS CMK  2   CMK Elastic Transcoder   AES-128   Elastic Transcoder 
CMK 
· Elastic Transcoder  · Elastic Transcoder Elastic Transcoder 

CMK 
· Elastic Transcoder  
· Elastic Transcoder  
HLS ()Amazon Elastic Transcoder  
Elastic 
 (p. 17)  AWS KMS 
 
Elastic Transcoder AWS KMS API 
"service" : "elastictranscoder.amazonaws.com"
 CloudTrail AWS KMSCMKCloudTrail  requestParameters 
"encryptionContext": {
    "service": "elastictranscoder.amazonaws.com"
}
 1  Elastic Transcoder  ()Amazon Elastic Transcoder 
How Amazon EMR uses AWS KMS
Amazon EMR  EMR  (EMRFS)   AWS KMS  (CMK) Amazon EMR   CMK 
Important
Amazon EMR   CMK (p. 232)  CMK (p. 232) Amazon EMR CMK    CMK  CMK  (p. 46)
Amazon EMR  ,  CMK  ()Amazon EMR  
Amazon EMR  ()Amazon EMR 
· EMR  (EMRFS)  (p. 497)
·  (p. 499)
·  (p. 500)
EMR  (EMRFS)  
Amazon EMR  2 
· Hadoop Distributed File System (HDFS) HDFS AWS KMS  CMK  · EMR  (EMRFS) EMRFS  HDFS Amazon EMR  Amazon
Simple Storage ServiceAmazon S3EMRFS 4   2 AWS KMS  CMK 4 
EMRFS ()Amazon EMR  
CMK  2  EMRFS Amazon S3  
· AWS KMS  (SSE-KMS) SSE-KMS  Amazon EMR  Amazon S3  Amazon S3  CMK  S3 SSE-KMS  EMRFS  (p. 498)
· AWS KMS  (CSE-KMS)CSE-KMS  Amazon EMR  CMK  Amazon S3 CSE-KMS  EMRFS   (p. 499)
SSE-KMS  CSE-KMS  EMRFS  Amazon EMR  AWS KMS Amazon S3  Amazon EMR SSE-KMS AWSAmazon S3  CMK aws/s3 CMK CSE-KMS  CMK   CMK Amazon EMR  CMK  AWS KMS  (CMK)()Amazon EMR 
SSE-KMS  CSE-KMS  CMK  (p. 17)  ()   AWS KMS  CMK  1  S3  
· SSE-KMS EMRFS (p. 498)
· CSE-KMS EMRFS (p. 499)
SSE-KMS  EMRFS 
SSE-KMS  Amazon EMR  
1. S3  Amazon S3  2. Amazon S3 GenerateDataKeyAWS KMSSSE-KMS 
 CMK  ID   (p. 500) 3. AWS KMS 2  Amazon S3  ()   CMK  4. Amazon S3  1   5. Amazon S3 1   S3 

1.  S3 
2. Amazon S3  S3  AWS KMSDecrypt.  (p. 17)
3. AWS KMS CMK   Amazon S3 
4. Amazon S3  
5. Amazon S3 
CSE-KMS  EMRFS 
CSE-KMS  Amazon EMR  
1. Amazon S3 GenerateDataKeyAWS KMSCSE-KMS  CMK  ID   (p. 500) 
2. AWS KMS  ( )  2   ()   CMK 
3.  
4.  1  
5.  Amazon S3 

1.  S3  2. Amazon S3  3. 
AWS KMSDecrypt.  (p. 17) 4. AWS KMS  CMK 
 ()  5. 

 
Amazon EMR Amazon Elastic Amazon EC2   Amazon Elastic Block StoreAmazon EBS 2   Linux Unified Key Setup (LUKS)  ( )
AWS KMS  CMK LUKS   CMK (p. 4) AWS  CMK (p. 4)  CMK Amazon
EMR  CMK  AWS KMS (CMK)()Amazon EMR  
CMK 
1. GenerateDataKey  AWS KMS   CMK  ID 
2. AWS KMS  ( )  2   ()   CMK 
3. LUKS base64   
4. AWS KMSDecrypt .
5. AWS KMS  CMK   () 
6. LUKS base64  

EARAWSAWS KMS (p. 17)AWS KMS   AWS KMS   AWS CloudTrail   CMK 
CMK  Amazon EMR  
SSE-KMS  EMRFS 
SSE-KMS Amazon EMR  Amazon S3  Amazon S3  CMK S3 Amazon S3  S3   Amazon ARNGenerateDataKey DecryptAWS KMSAmazon S3  JSON 
{ "aws:s3:arn" : "arn:aws:s3:::S3_bucket_name/S3_object_key" }
CSE-KMS  EMRFS 
CSE-KMS Amazon EMR  CMK  Amazon S3  CMK  Amazon  (ARN)  GenerateDataKeyDecryptAWS KMS  JSON 
{ "kms_cmk_id" : "arn:aws:kms:us-east-2:111122223333:key/0987ab65-43cd-21ef-09ab-87654321cdef" }
LUKS 
Amazon EMR  LUKS  GenerateDataKeyDecryptAWS KMS
AWSNitro  AWS KMS
AWSNitro Enclaves Amazon EC2  Amazon EC2 
AWSAWSNitro  AWS KMS Decrypt,GenerateDataKey, GenerateRandom. Nitro Enclaves SDK AWS KMSAPI  AWS KMS  
AWSNitro ,AWS KMSRecipient RecipientInfoCiphertextForRecipient enclave  API AWSNitro  .AWS KMS  
AWS KMS AWS KMS AWS KMSAWSNitro  (p. 196) 
AWSAWSNitro ()AWSNitro   AWS KMS
Recipient
"Recipient": {
    "AttestationDocument": blob,
    "KeyEncryptionAlgorithm": "string"
}
 RSAES_OAEP_SHA_256
AWSNitro .
Type: 
RecipientInfo
API 

 AWS KMS 
Type: Base64 
:  1   262144 
:  
AWS KMS RSAES_OAEP_SHA_256  Type: 
 : RSAES_OAEP_SHA_256
: 
CiphertextForRecipient
{
    "CiphertextForRecipient": blob
}
 Recipient  Plaintext Null  Type: Base64 
:  1   6144 
AWS KMSAWSNitro 
AWS KMS AWSNitro Recipient Recipient CiphertextForRecipient
Decrypt
DecryptkmsAWSNitro  .
AWS KMS Blob Decrypt  CiphertextForRecipient -Plaintext Null 
GenerateDataKey
GenerateDataKeykms- AWSNitro .
GenerateDataKey 1  AWS KMSCiphertextBlob CiphertextForRecipient -Plaintext Null 
2 GenerateDataKey
·  CiphertextForRecipient 2  GenerateDataKey(kms-generate-data-key) 
·  CiphertextForRecipient CiphertextForRecipient 
 CiphertextBlob AWS KMSDecrypt(kms-decrypt) 
CiphertextBlobkmsdecrypt(Decrypt) AWSNitro .  AWS KMS AWS KMS  
GenerateRandom
GenerateRandomkms-- AWSNitro .
GenerateRandom  CiphertextForRecipient-Plaintext  Null 
Amazon Redshift AWS KMS
Amazon Redshift AWS KMS
· Amazon Redshift (p. 503)
· (p. 504)
Amazon Redshift 
Amazon Redshift   Amazon Redshift 1 
Amazon Redshift  4  
  AES-256  
  AES-256  Amazon Redshift  
Amazon Redshift  AWS KMSAWS CloudHSM (HSM)  Amazon Redshift   
AWS KMS   (p. 3)(CMK)  Amazon Redshift  Amazon Redshift  CMK (p. 4)   CMK Amazon Redshift   CMK AWS CMK (p. 4) Amazon Redshift 
Important
Amazon Redshift  CMK Amazon Redshift   CMK CMK    CMK  CMK   (p. 46)

AWS KMS   (p. 17)(AAD) AWS KMS  Amazon Redshift  ID CloudTrail  requestParameters 
"encryptionContext": {
    "aws:redshift:arn": "arn:aws:redshift:region:account_ID:cluster:cluster_name",
    "aws:redshift:createtime": "20150206T1832Z"
},
CloudTrail  (CMK)   
Amazon Relational Database ServiceAmazon RDSAWS KMS
Amazon Amazon RDS  Amazon RDS  DB   (p. 3)(CMK)AWS KMSAmazon RDS AWS KMSCMK  Amazon RDS ()Amazon RDS 
Important
Amazon RDS   CMK (p. 232)  CMK (p. 232) Amazon RDS CMK    CMK  CMK   (p. 46)
Amazon RDS  Amazon Elastic Block StoreAmazon EBS  Amazon EBS AWS KMS Amazon Elastic Block Store (Amazon EBS) AWS KMS (p. 490)
Amazon RDS  DB Amazon RDS   EBS  DB   CMK 
Amazon RDS 
Amazon RDS  CMK  Amazon EBS  Amazon RDS  CMK   (p. 17)(AAD)  AWS KMS  AWS CloudTrail   CMK CloudTrail CMK  
Amazon RDS  JSON  DB  ID 
{ "aws:rds:db-id": "db-CQYSMDPBRZ7BPMH7Y3RTDG5QY" }
CMK  DB 
CMK  DB  EBS  JSON  DB  ID  EBS  ID 
{
    "aws:rds:db-id": "db-BRG7VYS3SVIFQW7234EJQOM5RQ",
    "aws:ebs:id": "vol-ad8c6542"
}
AWS Secrets Manager  AWS KMS  
AWS Secrets Manager  AWS   ()    Secrets Manager 
  
Secrets Manager AWS Key Management Service(AWS KMS  (p. 5)AWS KMS   (p. 3)(CMK)AWS KMS  CMK  
Secrets Manager AWS KMS CMK  ()AWS Secrets Manager
Amazon Simple Email Service (Amazon SES)  AWS KMS
Amazon Simple Email ServiceAmazon SES E   E  Amazon Simple Storage ServiceAmazon S3 E  Amazon SES  AWS KMS  (p. 3)(CMK) Amazon SES  AWS CMK (p. 4)(aws/ses  CMK (p. 4)AWS KMS
Important
Amazon SES   CMK (p. 232)  CMK (p. 232)  Amazon SES E CMK    CMK  CMK   (p. 46)
Amazon SES  E Amazon SES  E  ()Amazon Simple Email Service 
· Amazon SES AWS KMS (p. 506)
· Amazon SES (p. 507)
· Amazon SES AWS KMS (CMK) (p. 507)
· E (p. 508)
 Amazon SES AWS KMS
S3  E E  Amazon SES  
1. Amazon SES S3  S3  CMK
2. Amazon SES  E  3. Amazon SES  CMK 
 4. AWS KMS CMK 
 Amazon SES  5. Amazon SES  E 
 6. Amazon SES  E  S3 
 E  
Step 3 (p. 506)Step 6 (p. 506)Amazon SES AWS-- Amazon S3 Amazon S3   E E   (p. 508)
Amazon SES 
Amazon SES  E Step 3 (p. 506)   Amazon SES AWS KMS (p. 506)   (p. 17)  AWS KMS   (AAD) AWS CloudTrail  (CMK)  Amazon SES 
· ID AWS E Amazon SES
· E S3 Amazon SES
· E Amazon SES ID
Amazon SES  JSON 
{
    "aws:ses:source-account": "111122223333",
    "aws:ses:rule-name": "example-receipt-rule-name",
    "aws:ses:message-id": "d6iitobk75ur44p8kdnnp7g2n800"
}
Amazon SES AWS KMS  (CMK)
AWS (CMK) (p. 4)  Amazon SES (aws/ses CMK (p. 4) Amazon SES AWS CMK  S3   Amazon SES   CMK CMK   E  Amazon SES 
 CMK  Amazon SES  CMK    (p. 85)
{
    "Sid": "Allow SES to encrypt messages using this CMK",
    "Effect": "Allow",
    "Principal": {"Service": "ses.amazonaws.com"},
    "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "Null": {
            "kms:EncryptionContext:aws:ses:rule-name": false,
            "kms:EncryptionContext:aws:ses:message-id": false
        },
        "StringEquals": {"kms:EncryptionContext:aws:ses:source-account": "ACCOUNT-ID-WITHOUT-HYPHENS"}
    }
}
ACCOUNT-ID-WITHOUT-HYPHENS 12  ID  AWS   E   Amazon SES  CMK 
· Amazon SES aws:ses:rule-nameaws:ses:messageid()EncryptionContextAWS KMSAPI 
· Amazon SES aws:ses:source-account()EncryptionContextAWS KMSAPI aws:ses:source-account AWS    ID
Amazon SES  E   Amazon SES  (p. 507)AWS KMS    (p. 17)
E 
Amazon SES  E  Amazon S3  E  Amazon S3  AWSSDK Amazon S3 
· AWS SDK for Java -- AmazonS3EncryptionClient (AWS SDK for Java API)
· AWS SDK for Ruby -- Aws::S3::Encryption::Client (AWS SDK for Ruby API)
· AWS SDK for .NET -- AmazonS3EncryptionClient (AWS SDK for .NET API)
· AWS SDK for Go -- s3crypto (AWS SDK for Go API)
Amazon S3  E  Amazon S3  AWS KMSE    Amazon SES  AWS KMS(Step 3 (p. 506)() Amazon SES AWS KMS (p. 506)). Amazon S3 
Amazon S3 AWS SDK for Java 
·  CMK AWS KMS()Amazon Simple Storage Service  ·  Amazon S3 AWS Key Management ServiceAWS.
Amazon Simple Storage Service (Amazon S3)  AWS KMS
Amazon S3  AWS KMSAWS KMS  (CMK)  Amazon S3  Amazon S3 AWS KMSCMK.
· : SSE-KMS (p. 509)
· Amazon S3 (p. 510)
· (p. 510)
: SSE-KMS 
Amazon S3 3: SSE-S3, SSE-C, SSE-KMS
· SSE-S3 Amazon S3 SSE-S3  Amazon S3  (SSE-S3)  
· SSE-C SSE-C   (SSE-C)  
· SSE-KMS AWS (p. 3)(CMK)AWS KMS
AWS KMS   (SSE-KMS) 
Amazon S3  API CMK   CMK Amazon S3 API GET  PUT CMK  AWS KMS- (SSE-KMS)
Important
Amazon S3  CMK (p. 232)  CMK (p. 232)Amazon S3 CMK    CMK  CMK  (p. 46)
 CMK (p. 4)AWS CMK (p. 4) Amazon S3  AWS KMS Amazon S3  
· Amazon S3  (p. 5) CMK  
· AWS KMSCMK   Amazon S3 
· Amazon S3  
· Amazon S3 
Amazon S3 AWS KMS
· Amazon S3 AWS KMS
· AWS KMS CMK Amazon S3
· Amazon S3

S3 S3  AWS KMS
· Amazon S3 AWS KMS CMK  AWS KMS 
· Amazon S3 Amazon S3  AWS KMSAmazon S3  
S3 Amazon S3   SSE-KMS Amazon Simple Storage Service 
Amazon S3 
Amazon S3 ()AWSSDK  Amazon S3 Amazon S3 Amazon S3  
Amazon S3   AWS KMS  AWS KMS   (p. 3) (CMK)  CMK  Amazon S3   Amazon S3  

AWS KMS   (p. 17)(AAD) AWS KMS 
Amazon S3  
Amazon S3 aws:s3:arn
SSE-KMS  Amazon S3  requestParameters 
"encryptionContext": {
    "aws:s3:arn": "arn:aws:s3:::bucket_name/file_name"
}
SSE-KMS  S3   ARN 
"encryptionContext": {
    "aws:s3:arn": "arn:aws:s3:::bucket_name"
}
AWS Systems Manager AWS KMS
AWS Systems ManagerSecure String  AWS KMS 
Parameter Store  Parameter Store   1 Parameter Store  
AWS KMS (CMK)   CMK  AWS CMK (p. 4)Parameter Store   CMK (p. 4)
Important
  CMK (p. 232)  CMK (p. 232) CMK    CMK  CMK  (p. 46)
Parameter Store     2  4096  CMK   Parameter Store AWS Encryption SDK  Systems Manager  ()AWS Systems Manager
· Secure String (p. 511)
· Secure String (p. 513)
· (p. 516)
· (p. 517)
· CMK (p. 519)
 Secure String 
AWS KMSSecure String  Parameter Store AWS KMS Encrypt. AWS KMSCMK  CMK  (p. 5)
 CMK CMK  AWSSystems Manager  CMK CMK  aws/ssm 
 aws/ssm CMK  API  DescribeKeyAWS KMS   aws/ssm  AWS Command Line Interface (AWS CLI)  describe-key 
aws kms describe-key --key-id alias/aws/ssm
 API  PutParameter Tier  Standard  SecureString  Type AWS KMS CMK  KeyId  AWS  CMK  aws/ssm  
AWS KMS EncryptCMK  AWS KMS Parameter Store  
Systems Managerput---typeAWS CLI Secure String --tier--key-id AWS CMK
aws ssm put-parameter --name MyParameter --value "secret_value" --type SecureString
--key-id  CMK (p. 4) CMK ID  CMK  CMK ID   Tier  (--tier) Parameter Store  
aws ssm put-parameter --name param1 --value "secret" --type SecureString --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
Parameter Store   API  GetParameter 
Systems Managerget-AWS CLIMyParameter 
$ aws ssm get-parameter --name MyParameter
{
    "Parameter": {
        "Type": "SecureString",
        "Name": "MyParameter",
        "Value": "AQECAHgnOkMROh5LaLXkA4j0+vYi6tmM17Lg/9E464VRo68cvwAAAG8wbQYJKoZIhvcNAQcGoGAwXgIBADBZBgkqhkiG9w0BBwEwH"
    }
}
GetParameter  WithDecryption  true  WithDecryptionAWS KMS DecryptGetParameter  
$ aws ssm get-parameter --name MyParameter --with-decryption
{
    "Parameter": {
        "Type": "SecureString",
        "Name": "MyParameter",
        "Value": "secret_value"
    }
}
AWS KMSCMK  

1. PutParameter Secure String Encrypt AWS KMS CMK
  (p. 517)AWS KMS Transport Layer Security (TLS)   2. AWS KMS  CMK   Parameter Store Parameter Store  

1. WithDecryptionGetParameter DecryptAWS KMSSecure String   (p. 517)
2. AWS KMS  CMK    TLS 
3. Parameter Store  GetParameter 
 Secure String 
PutParameter Parameter Store AWS Encryption SDKAWS KMS  (CMK)   AWS KMS CMK  AWS  CMK (p. 4)(aws/ssm)  CMK  AWS Encryption SDK    GitHub 
Parameter Store AWS Encryption SDK AWS KMS (GenerateDataKey). -AWS Encryption SDK  Parameter Store   Parameter Store AWS Encryption SDKAWS KMS  
 API  PutParameter Tier  Advanced  SecureString  Type AWS KMS CMK KeyId   AWS  CMK  aws/ssm 
aws ssm put-parameter --name MyParameter --value "secret_value" --type SecureString --tier Advanced
--key-id  CMK (p. 4) CMK  Amazon  (ARN)  CMK ID  
aws ssm put-parameter --name MyParameter --value "secret_value" --type SecureString --tier Advanced --key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Parameter Store AWS Encryption SDK  API  GetParameter 
Systems Manager GetParameter   MyParameter
$ aws ssm get-parameter --name MyParameter
{
    "Parameter": {
        "Type": "SecureString",
        "Name": "MyParameter",
        "Value": "AQECAHgnOkMROh5LaLXkA4j0+vYi6tmM17Lg/9E464VRo68cvwAAAG8wbQYJKoZIhvcNAQcGoGAwXgIBADBZBgkqhkiG9w0BBwEwH"
    }
}
GetParameter  WithDecryption  true  WithDecryptionAWS KMS DecryptGetParameter  
$ aws ssm get-parameter --name MyParameter --with-decryption
{
    "Parameter": {
        "Type": "SecureString",
        "Name": "MyParameter",
        "Value": "secret_value"
    }
}
 
 Overwrite  PutParameter  Type  SecureString Tier  Advanced  CMK   KeyId AWS CMK CMK   CMK  OverwriteAWS Encryption SDK  Parameter Store 
$ aws ssm put-parameter --name myStdParameter --value "secret_value" --type SecureString --tier Advanced --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --overwrite
AWS KMSCMK  

1. PutParameter Parameter Store AWS Encryption SDKAWS KMS AWS Encryption SDKAWS KMSCMK  (p. 517)
2. -AWS Encryption SDKGenerateDataKeyAWS KMS CMK  AWS KMS 2  1  1  CMK  
3. AWS Encryption SDK   Parameter Store   
4. Parameter Store 

1. GetParameter  WithDecryption   AWS Encryption SDK
2. -AWS Encryption SDKAWS KMS Decrypt.   Parameter Store 
3. AWS KMSCMK   ()  AWS Encryption SDK  
4. AWS Encryption SDK  
5. Parameter Store  GetParameter  
 
 kms:Encrypt   kms:GenerateDataKey   kms:Decrypt 
IAM  PutParameter  GetParameter  
 CMK IAM   aws/ ssm CMK  CMK   AWS KMS (p. 81)
 IAM   FinancialParameters  Systems Manager PutParameter  CMK  AWS KMS Encrypt 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter"
            ],
            "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/FinancialParameters/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}
 IAM   ReservedParameters  Systems Manager PutParameter  CMK  AWS KMS GenerateDataKey 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter"
            ],
            "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/ReservedParameters/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}
 IAM   ITParameters  Systems Manager  GetParameter  ()   CMK  AWS KMS Decrypt 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter*"
            ],
            "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/ITParameters/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}

  AWS KMS   
 AWS CloudTrail  
-AWS Encryption SDKParameter Store AWS Encryption SDK   AWS KMS AWS Encryption SDK  AWS Encryption SDK Parameter Store  

· Key: PARAMETER_ARN
· Value: the parameter's Amazon Resource Name (ARN)

"PARAMETER_ARN":"arn:aws:ssm:<REGION_NAME>:<ACCOUNT_ID>:parameter/<parameter-name>"
Parameter Store  MyParameter AWS  
"PARAMETER_ARN":"arn:aws:ssm:us-west-2:111122223333:parameter/MyParameter"
 Parameter Store  MyParameter/ ReadableParameters AWS  
"PARAMETER_ARN":"arn:aws:ssm:us-west-2:111122223333:parameter/ReadableParameters/MyParameter"
AWS KMS Decrypt Systems Manager GetParameter GetParameter Parameter Store   WithDecryption
 IAM  1  
 IAM  MyParameter  get  CMK   CMK  GetParameter 
 ARN  
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter*"
            ],
            "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/MyParameter"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:PARAMETER_ARN": "arn:aws:ssm:us-west-2:111122223333:parameter/MyParameter"
                }
            }
        }
    ]
}
 CMK  
Parameter Store AWS KMS  CMKCMK 
· CMK  
  IAM AWS KMS IAM   AWS KMS (p. 81) · CMK 
 CMK CMK  (p. 42)  · CMK InvalidKeyId AWS KMSCMK  Disabled   (p. 58)Pending Import  (p. 405)  Pending Deletion  (p. 395) CMK  
 (p. 288) CMK AWS KMSAWS  (p. 28)AWS KMS API CMK  DescribeKey 
Amazon WorkMail AWS KMS
Amazon WorkMail AWS KMSE 
· Amazon (p. 520)
· Amazon (p. 520)
· CMK (p. 523)
· Amazon WorkMail (p. 524)
· Amazon WorkMail AWS KMS (p. 525)
Amazon 
Amazon WorkMail  E   E Amazon WorkMail   1  E   Amazon WorkMail  Amazon WorkMail    Amazon WorkMail AWS Key Management Service(AWS KMS). Amazon WorkMail   E   AWS KMS 
Amazon 
Amazon WorkMail  1  E   Amazon WorkMail Amazon WorkMail       AWS KMS  (CMK) AWS KMS  AWS KMS   CMK 
520

AWS Key Management Service  Amazon 
 CMK
Amazon WorkMail AWS KMS (CMK) CMK   Amazon WorkMail AWS  CMK (p. 3)Amazon WorkMail (aws/workmail)  AWS   AWS CMK (Amazon WorkMail )  CMK (p. 3).   CMK  CMK  CMK  
Important Amazon WorkMail  CMK Amazon WorkMail   CMK CMK    CMK  CMK  (p. 46)  CMK AWS KMS  AWS CloudTrail  

Amazon WorkMail  256 (AES)  AWS KMSAmazon WorkMail  
521

AWS Key Management Service  Amazon 
Amazon WorkMail AWS KMS CMK   
Note
Amazon WorkMail  Amazon WorkMail    CMK   

Amazon WorkMail  256  AES AWS KMS   Amazon WorkMail   CMK  

Amazon WorkMail  
· Amazon WorkMail  256  AES  AWS KMS
· Amazon WorkMail AWS KMS Encrypt.   (CMK) AWS KMS  CMK  
· Amazon WorkMail  

Amazon WorkMail 
1. Amazon WorkMail  256  AES   Advanced Encryption Standard (AES) AWS KMS 
2. Amazon WorkMail  
Amazon WorkMail AWS KMS Decrypt AWS KMS CMK   Amazon WorkMail  3. Amazon WorkMail AES AWS KMS 4. Amazon WorkMail  

Amazon WorkMail 
522

AWS Key Management Service  CMK 
1. Amazon WorkMail AWS KMS Decrypt AWS KMS CMK   Amazon WorkMail 
2. Amazon WorkMail AES AWS KMS
3. Amazon WorkMail  

AWS KMSAmazon WorkMail   1   Amazon WorkMail AWS KMS 
CMK 
Amazon WorkMail  (CMK)  
 AWS KMS  (CMK)  IAM 
· kms:Encrypt
· kms:Decrypt
· kms:CreateGrant
Amazon WorkMail  CMK  kms:ViaService (p. 191)workmail.<region>.amazonaws.com.
 CMK  (p. 524) IAM  
AWS CMK
AWSAmazon WorkMail  CMK Amazon WorkMail   CMK   CMK 
 AWS   (p. 97) 

·  CMK   Amazon WorkMail kms:ViaService 
·  AWS   CMK   IAM 
AWSAmazon WorkMail  CMK
523

AWS Key Management Service  Amazon WorkMail 
{
    "Version" : "2012-10-17",
    "Id" : "auto-workmail-1",
    "Statement" : [
        {
            "Sid" : "Allow access through WorkMail for all principals in the account that are authorized to use WorkMail",
            "Effect" : "Allow",
            "Principal" : { "AWS" : "*" },
            "Action" : [
                "kms:Decrypt",
                "kms:CreateGrant",
                "kms:ReEncrypt*",
                "kms:DescribeKey",
                "kms:Encrypt"
            ],
            "Resource" : "*",
            "Condition" : {
                "StringEquals" : {
                    "kms:ViaService" : "workmail.us-east-1.amazonaws.com",
                    "kms:CallerAccount" : "111122223333"
                }
            }
        },
        {
            "Sid" : "Allow direct access to key metadata to the account",
            "Effect" : "Allow",
            "Principal" : { "AWS" : "arn:aws:iam::111122223333:root" },
            "Action" : [
                "kms:Describe*",
                "kms:List*",
                "kms:Get*",
                "kms:RevokeGrant"
            ],
            "Resource" : "*"
        }
    ]
}
Amazon WorkMail 
Amazon WorkMail  CMK   CMK  ListGrants 
Amazon WorkMail  CMK 
· Amazon WorkMail  kms:Encrypt  
· Amazon WorkMail  CMK  kms:Decrypt Amazon WorkMail    AWS  Amazon WorkMail  CMK 
Amazon WorkMail  CreateGrant   Amazon WorkMail   CMK  CreateGrant 
 AWS  Amazon WorkMail 
Amazon WorkMail 
 (p. 17) AWS KMS   
524

AWS Key Management Service  Amazon WorkMail AWS KMS
Amazon WorkMail AWS KMS  AWS CloudTrail  
EncryptDecryptAWS KMSAmazon WorkMail  aws:workmail:arn Amazon   (ARN) 
"aws:workmail:arn":"arn:aws:workmail:region:account ID:organization/organization ID"
us-east-2 ARN 
"aws:workmail:arn":"arn:aws:workmail:us-east-2:111122223333:organization/m-68755160c4cb4e29a2b2f8fb58f359d7"
Amazon WorkMail AWS KMS
AWS CloudTrail Amazon CloudWatch Logs Amazon WorkMail  AWS KMS
Encrypt
Amazon WorkMail AWS KMS Amazon WorkMail EncryptAWS KMS  Amazon WorkMail  CMK 
Encrypt  Amazon WorkMail CMK ID (keyId)  Amazon WorkMail  Amazon WorkMail CloudTrail  
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "workmail.eu-west-1.amazonaws.com"
    },
    "eventTime": "2019-02-19T10:01:09Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Encrypt",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "workmail.eu-west-1.amazonaws.com",
    "userAgent": "workmail.eu-west-1.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:workmail:arn": "arn:aws:workmail:eu-west-1:111122223333:organization/m-c6981ff7642446fa8772ba99c690e455"
        },
        "keyId": "arn:aws:kms:eu-west-1:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d"
    },
    "responseElements": null,
    "requestID": "76e96b96-7e24-4faf-a2d6-08ded2eaf63c",
    "eventID": "d5a59c18-128a-4082-aa5b-729f7734626a",
    "readOnly": true,
    "resources": [
        {
            "ARN": "arn:aws:kms:eu-west-1:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d",
            "accountId": "111122223333",
            "type": "AWS::KMS::Key"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333",
    "sharedEventID": "d08e60f1-097e-4a00-b7e9-10bc3872d50c"
}
Decrypt
Amazon WorkMail AWS KMS Amazon WorkMail DecryptAWS KMS  Amazon WorkMail  CMK 
Decrypt  Amazon WorkMail   BLOBAmazon WorkMail AWS KMS  CMK  ID 
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "workmail.eu-west-1.amazonaws.com"
    },
    "eventTime": "2019-02-20T11:51:10Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "workmail.eu-west-1.amazonaws.com",
    "userAgent": "workmail.eu-west-1.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:workmail:arn": "arn:aws:workmail:eu-west-1:111122223333:organization/m-c6981ff7642446fa8772ba99c690e455"
        }
    },
    "responseElements": null,
    "requestID": "4a32dda1-34d9-4100-9718-674b8e0782c9",
    "eventID": "ea9fd966-98e9-4b7b-b377-6e5a397a71de",
    "readOnly": true,
    "resources": [
        {
            "ARN": "arn:aws:kms:eu-west-1:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d",
            "accountId": "111122223333",
            "type": "AWS::KMS::Key"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333",
    "sharedEventID": "241e1e5b-ff64-427a-a5b3-7949164d0214"
}
WorkSpacesAWS KMS
WorkSpaces (WorkSpace)   WorkSpace 
AWS KMS  (p. 3) (CMK)  AWS CMK (p. 4)WorkSpaces (aws/workspaces)  CMK (p. 4)
Important
WorkSpaces  CMK  CMK  WorkSpaces  CMK    CMK  CMK  (p. 46)
 WorkSpaces WorkSpace  ()Amazon WorkSpaces 
· WorkSpaces AWS KMS (p. 527)
· WorkSpaces (p. 528)
· CMK WorkSpaces (p. 528)
 WorkSpaces AWS KMS
 WorkSpaces WorkSpaces  Amazon Elastic Block Store (Amazon EBS)   (CMK) EBS  
· Amazon Elastic Block Store (Amazon EBS) AWS KMS (p. 490) · Amazon EBS ()Windows  Amazon EC2 
 WorkSpace  
1.  CMK WorkSpace  grant (p. 199)WorkSpaces  CMK WorkSpaces  WorkSpace 
2. WorkSpaces WorkSpace  EBS  CMK   (Step 1 (p. 527)). Amazon EBS  CMK  WorkSpace   WorkSpace    (p. 199) 
3. Amazon EBS CMK   WorkSpace  ID Sid  ID  ID 
4. AWS KMS  CMK  Amazon EBS 
5. WorkSpaces Amazon EBS  WorkSpace  Amazon EBS AWS KMSDecrypt WorkSpace Sid ID ID (  (p. 528)
6. AWS KMS CMK  Amazon EBS 
7. Amazon EBS  Amazon EBS  WorkSpace  
8. WorkSpace Amazon EBS   (Step 4 (p. 527) ) 
9. AWS Management Console WorkSpace  ( TerminateWorkspacesWorkSpaces  Amazon EBS  WorkSpace  CMK 
WorkSpaces 
WorkSpaces  (CMK)  (Encrypt,Decrypt,GenerateDataKeyWorkSpaces AWS KMS  (p. 17)Amazon EBS WorkSpace   ( WorkSpaces AWS KMS (p. 527)  Step 3 (p. 527))  (Step 5 (p. 527))    AWS KMS  (AAD)  AWS CloudTrail (CMK)  Amazon EBS 
· WorkSpace AWS Directory Service sid
· WorkSpace AWS Directory Service ID
· ID
Amazon EBS  JSON 
{
    "aws:workspaces:sid-directoryid": "[S-1-5-21-277731876-1789304096-451871588-1107]@[d-1234abcd01]",
    "aws:ebs:id": "vol-1234abcd"
}
 CMK   WorkSpaces 
AWSWorkSpaces  CMKaws/workspaces)   CMK CMK  WorkSpaces   CMK  WorkSpaces -AWSWorkSpaces   CMK 
 CMK  WorkSpaces 
1. WorkSpace CMK (p. 528)
2. WorkSpaces IAM (p. 529)
WorkSpaces WorkSpaces  WorkSpaces ()Amazon WorkSpaces 
 1: CMK  WorkSpaces 
WorkSpaces AWS Management ConsoleAWS KMSAPI.
CMK  WorkSpace  ()
1. AWS Management Console AWS Key Management Service (AWS KMS)  (https://console.aws.amazon.com/kms) 
2. AWS
3. [Customer managed keys ()]
4. CMK ID
5. [] [Key users] () [Add] ()
6. IAM WorkSpaces [Attach]
CMK  WorkSpaces  (AWS KMSAPI)
1. GetKeyPolicy  
2. WorkSpace  IAM  (p. 90) 
3. PutKeyPolicy  CMK  
 2: WorkSpaces 
 CMK  WorkSpaces   (p. 86)WorkSpaces  (p. 199)CMK AWS Management Console  WorkSpace WorkSpace  IAM  ()IAM 
WorkSpaces IAM   WorkSpaces  IAM  CMK ARN (arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab)  WorkSpaces  () WorkSpaces API  "kms:ListAliases""kms:ListKeys"
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListAliases",
                "kms:ListKeys"
            ],
            "Resource": "*"
        }
    ]
}

Quotas

 AWS KMS AWS KMS  2   AWS   
Important
    RequestServiceQuota  ()Service Quotas  Service QuotasAWS KMS AWS  AWS Support AWS KMS AWS KMS   (p. 538)
· (p. 530): AWS KMS
· (p. 532): AWS KMS API



AWS KMS  AWS  AWS  AWS CMK (p. 5)
 LimitExceededException
AWS KMS AWS      RequestServiceQuota  ()Service Quotas Service Quotas AWS KMS AWS  AWS Support 
AWS KMS AWS KMS   (p. 538)


Customer master keys (CMK) (p. 531)        10,000
Aliases per CMK (p. 531)                   50
Grants per CMK (p. 531)                    50,000
Key policy document size (p. 531)          32 KB (32,768 bytes)

AWS KMS the section called "" (p. 532)
Customer master keys (CMK): 10,000
 10,000 CMK (p. 4) AWS    (p. 232) (p. 232) CMK (p. 288) CMK  1 AWS CMK (p. 4)AWS CMK (p. 5) 
Aliases per CMK: 50
 50  (p. 62)For Each CMK (p. 4)AWSAWS  CMK (p. 4)  (p. 65)   (p. 70)  
Note
-KMS:  (p. 187)CMK  CMK kms:ResourceAliasesCMK    (p. 119)
CMK   AWS  AWS KMS
Grants per CMK: 50,000
Each CMK (p. 4) 50,000 (p. 199)AWS AWS KMSAWS  CMK (p. 4)  AWS  CMK (p. 5)  
 1  CMK  50,000   CMK Amazon Elastic Block StoreAmazon EBS  Amazon Elastic Compute CloudAmazon EC2 Amazon EBS   Amazon EBS  CMK   50,000 
AWS KMSCMK 
Key policy document size: 32 KB
 (p. 85)32 KB (32,768 )   CMK 
AWS KMSService Quotas  AWS Support  (p. 199) 
  (p. 101) (p. 101)()AWS Management ConsolePutKeyPolicy .   (p. 101)()AWS KMSJSON  


AWS KMS 1  API  API  AWS   CMK  API AWS KMS  (p. 538)
Note
    RequestServiceQuota  ()Service Quotas  Service QuotasAWS KMS AWS   AWS Support AWS KMS AWS KMS   (p. 538) GenerateDataKey AWS Encryption SDK AWS KMS 
AWS KMS  (p. 530)
· AWS KMS API (p. 532)
· (p. 536)
· (p. 536)
· API (p. 537)
· (p. 537)
· (p. 537)

AWS KMSAPI  
 AWS KMS  
Note
 


Cryptographic operations (symmetric) request rate
    · Decrypt
    · Encrypt
    · GenerateDataKey
    · GenerateDataKeyWithoutPlaintext
    · GenerateRandom
    · ReEncrypt

    Default (per second):
    · 5,500
    · 10,000 in the following regions: us-east-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, eu-central-1, -2
    · 50,000 in the following regions: us-east-1, us-west-2, eu-west-1

    CMK in a custom key store:
    · 1,800 (p. 537)

Cryptographic operations (RSA) request rate
    · Decrypt
    · Encrypt
    · ReEncrypt
    · Sign
    · Verify

    RSA CMK: 500

Cryptographic operations (ECC) request rate
    · Sign
    · Verify

    ECC CMK: 300

CancelKeyDeletion request rate                        5
ConnectCustomKeyStore request rate                    5
CreateAlias request rate                              5
CreateCustomKeyStore request rate                     5
CreateGrant request rate                              50
CreateKey request rate                                5
DeleteAlias request rate                              15
DeleteCustomKeyStore request rate                     5
DeleteImportedKeyMaterial request rate                5
DescribeCustomKeyStores request rate                  5
DescribeKey request rate                              2000
DisableKey request rate                               5
DisableKeyRotation request rate                       5
DisconnectCustomKeyStore request rate                 5
EnableKey request rate                                5
EnableKeyRotation request rate                        15
GenerateDataKeyPair (ECC_NIST_P256) request rate      25
    · GenerateDataKeyPair
    · GenerateDataKeyPairWithoutPlaintext
GenerateDataKeyPair (ECC_NIST_P384) request rate      10
    · GenerateDataKeyPair
    · GenerateDataKeyPairWithoutPlaintext
GenerateDataKeyPair (ECC_NIST_P521) request rate      5
    · GenerateDataKeyPair
    · GenerateDataKeyPairWithoutPlaintext
GenerateDataKeyPair (ECC_SECG_P256K1) request rate    25
    · GenerateDataKeyPair
    · GenerateDataKeyPairWithoutPlaintext
GenerateDataKeyPair (RSA_2048) request rate           1
    · GenerateDataKeyPair
    · GenerateDataKeyPairWithoutPlaintext
GenerateDataKeyPair (RSA_3072) request rate           0.5 (once every 2 seconds)
    · GenerateDataKeyPair
    · GenerateDataKeyPairWithoutPlaintext
GenerateDataKeyPair (RSA_4096) request rate           0.1 (once every 10 seconds)
    · GenerateDataKeyPair
    · GenerateDataKeyPairWithoutPlaintext
GetKeyPolicy request rate                             1000
GetKeyRotationStatus request rate                     1000
GetParametersForImport request rate                   0.25 (once every 4 seconds)
GetPublicKey request rate                             2000
ImportKeyMaterial request rate                        5
ListAliases request rate                              500
ListGrants request rate                               100
ListKeyPolicies request rate                          100
ListKeys request rate                                 500
ListResourceTags request rate                         2000
ListRetirableGrants request rate                      100
PutKeyPolicy request rate                             15
ReplicateKey request rate                             5

AReplicateKey 1  ReplicateKey 2  CreateKey  1 CreateKey 


RetireGrant request rate                              30
RevokeGrant request rate                              30
ScheduleKeyDeletion request rate                      15
TagResource request rate                              10
UntagResource request rate                            5
UpdateAlias request rate                              5
UpdateCustomKeyStore request rate                     5
UpdateKeyDescription request rate                     5
UpdatePrimaryRegion request rate                      5

UpdatePrimaryRegion 2  UpdatePrimaryRegion  2  1 




·  CMK (p. 4)AWS CMK (p. 4)AWS CMK (p. 5) AWS    
· FIPS  FIPS  AWS KMSAWS Key Management Service()AWS
·  CMK   AWS  AWS 
·  CreateKey  CreateAlias CreateAlias  CreateKey 
· Encrypt Decrypt EnableKey CMK 10,000 1 5 EnableKey

AWS KMS  (p. 12)CMK    CMK  GenerateDataKeyPair  GenerateDataKeyPairWithoutPlaintext 
 CMK   AWS   1  
·  ()  CMK  
 CMK (p. 232) AWS  1  10,000   7,000  GenerateDataKey  2,000 

Decrypt AWS KMS  9,500  GenerateDataKey  1,000  Encrypt  AWS KMS  ·  (RSA) RSA  CMK (p. 236)  
1  500  RSA CMK200    100   50    150    RSA CMK  ·  (ECC)  (ECC)  CMK (p. 239)  
 1  300  RSA CMK 100  200 
  CMK  CMK  CMK  1  10,000 RSA CMK 500 ECC  CMK 1  300  
 API 
API  AWS  API  AWS KMS  
 Amazon S3  AWS KMS(SSE-KMS) SSE-KMS  S3  Amazon S3 GenerateDataKeyDecrypt( ) AWS KMS AWS KMS5,500  10,000  30,000   AWS  ) SSE-KMS  S3  1  

1  AWS   CMK  AWS KMS CMK   A   B  CMK CMK  A 

AWS KMS  CMK   CMK   (p. 421)  1  1,800   GenerateDataKeyGenerateDataKeyWithoutPlaintext GenerateRandom  EncryptDecrypt  ReEncrypt  1  3  
Encrypt  Decrypt 1  1,800  GenerateDataKey   1  600 GenerateDataKey  Decrypt
1  1,200  
 AWS KMS Service Quotas AWS Support
Note
 AWS CloudHSM   AWS KMS ThrottlingException AWS KMS   AWS CloudHSM 
ThrottlingAWS KMS
AWS KMS API   API 
ThrottlingAWS KMS ThrottlingException
You have exceeded the rate at which you may call KMS. Reduce the frequency of your calls. (Service: AWSKMS; Status Code: 400; Error Code: ThrottlingException; Request ID: <ID>
AWS KMS
· 1 AWS KMS  (p. 532) .
1000DescribeKey 1 AWS KMS DescribeKey 2 
HTTP 400 AWSSDK. ·  CMK  
EnableKeyDisableKey CMK AWS KMS 1  EnableKeyDisableKey.
 
AWS KMS 
AWS KMS  (p. 531) (p. 537)
    RequestServiceQuota  ()Service Quotas Service Quotas  AWS KMS AWS  AWS Support 

To request an increase in an AWS KMS quota using the Service Quotas console:
1. Open the Service Quotas console and choose [AWS Key Management Service (AWS KMS)].
2. Choose the AWS KMS quota that you want to increase, for example [Cryptographic operations (symmetric) request rate]; the available quotas are listed at (p. 530) and (p. 532).
3. Choose [Request quota increase].
Service Quotas API 
To request an increase in an AWS KMS quota using the Service Quotas API, use the RequestServiceQuotaIncrease operation.
1. Determine which AWS KMS quota you want to increase (p. 530, p. 532).
2. Use the ListServiceQuotas operation to find the quota code of that AWS KMS quota. The ServiceCode for AWS KMS is kms; the response lists the QuotaName and QuotaCode of each quota.
For example, this command uses the --query parameter of the AWS Command Line Interface (AWS CLI) to select the Cryptographic operations (RSA) request rate quota.
$ aws service-quotas list-service-quotas \
    --service-code kms \
    --query 'Quotas[?QuotaName==`Cryptographic operations (RSA) request rate`]'
{
    "Quotas": [
        {
            "ServiceCode": "kms",
            "ServiceName": "AWS Key Management Service (AWS KMS)",
            "QuotaArn": "arn:aws:servicequotas:us-east-2:111122223333:kms/L-2AC98190",
            "QuotaCode": "L-2AC98190",
            "QuotaName": "Cryptographic operations (RSA) request rate",
            "Value": 500,
            "Unit": "None",
            "Adjustable": true,
            "GlobalQuota": false
        }
    ]
}
3. Use the RequestServiceQuotaIncrease operation to submit the request. For example, this command asks for the AWS KMS Cryptographic operations (RSA) request rate quota (quota code L-2AC98190) to be raised to 700 requests per second. The Status field in the response shows the state of the request; to check it later, use GetRequestedServiceQuotaChange, ListRequestedServiceQuotaChangeHistory, or ListRequestedServiceQuotaChangeHistoryByQuota.
$ aws service-quotas request-service-quota-increase \
    --service-code kms \
    --quota-code L-2AC98190 \
    --desired-value 700
{
    "RequestedQuota": {
        "Id": "a12345",
        "ServiceCode": "kms",
        "ServiceName": "AWS Key Management Service (AWS KMS)",
        "QuotaCode": "L-2AC98190",
        "QuotaName": "Cryptographic operations (RSA) request rate",
        "DesiredValue": 700,
        "Status": "PENDING",
        "Created": 1580446904.067,
        "Requester": "{\"accountId\":\"111122223333\",\"callerArn\":\"arn:aws:iam::111122223333:root\"}",
        "QuotaArn": "arn:aws:servicequotas:us-east-2:111122223333:kms/L-2AC98190",
        "GlobalQuota": false,
        "Unit": "None"
    }
}


AWS Key Management Service
 ·  (p. 541) ·  (p. 542)


 2018  1    RSS 
API version: 2014-11-01

 

   






  ID       

June 8, 2021

 (ABAC)   AWS KMS 

December 17, 2020

VPC  July 9, 2020

AWS KMS  June 18, 2020

November 25, 2019

AWS  CMK  AWS KMS    CMK  

November 15, 2019

  TLS AWS KMS

November 4, 2019


   
New console
   

CMK  API  September 18, 2019

 (CMK) CMK   

March 27, 2019

  (CMK)   1  

March 7, 2019

AWS KMS     AWS CloudHSM  

November 26, 2018

 []  AWS KMS  IAM      

November 7, 2018

August 21, 2018

AWS Secrets Manager  AWS KMS    

July 13, 2018

exabDynamoDB AWS KMS  

May 23, 2018

VPC   AWS KMS  

January 22, 2018


AWS Key Management Service2018  


  
 
  


 





 (p. 49)  February 15, 2017

  (p. 294)  Amazon CloudWatch   (p. 333)  

August 31, 2016

  (p. 405)  

August 11, 2016

 (p. 82)IAM  (p. 104)AWS KMS API   (p. 126)   (p. 157)  

July 5, 2016

  (p. 81) 

July 5, 2016

  Quotas (p. 530) 

May 31, 2016

 Quotas (p. 530)    (p. 201)  

April 11, 2016

 IAM  CMK   (p. 102)  IP   (p. 158)  

February 17, 2016

 AWS KMS   (p. 85)  (p. 100) 

February 17, 2016

  (p. 21) 

January 5, 2016

AWS CloudTrail  AWS KMS  November 18, 2015  (p. 475)


     
      





 (p. 100)  November 18, 2015

Amazon Relational Database ServiceAmazon RDSAWS KMS (p. 504) 

November 18, 2015

WorkSpacesAWS KMS (p. 526)  

November 6, 2015

 [AWS KMS   (p. 85)]  

October 22, 2014

  (p. 393)   (Amazon CloudWatch   (p. 399)   (p. 402)  )  

October 15, 2014

AWS KMS   (p. 212)  

October 15, 2014

: CMK  (p. 288)  October 15, 2014

Amazon Simple Email Service (Amazon SES)  AWS KMS (p. 506)  

October 1, 2014

Quotas (p. 530)   

August 31, 2015

AWS KMS  AWS KMS  (p. 2) 

August 14, 2015

AWS KMS  June 11, 2015  Quotas (p. 530)

UpdateAlias   Java    (p. 358) 

June 1, 2015


    
 





AWS Key Management Service  AWS  May 29, 2015

Amazon EMR AWS KMS (p. 497)  

January 28, 2015

Amazon WorkMail AWS KMS (p. 519)  

January 28, 2015

Amazon Relational Database ServiceAmazon RDSAWS KMS (p. 504)  

January 6, 2015

Amazon Elastic Transcoder  November 24, 2014  AWS KMS (p. 493)

AWS Key Management Service 

November 12, 2014
