Decrypt (from an enclave) - Amazon Key Management Service

Decrypt (from an enclave)

The following example shows an Amazon CloudTrail log entry for the kms-decrypt operation in the Nitro Enclaves SDK. The kms-decrypt API calls the Amazon KMS Decrypt operation with a parameter that includes the signed attestation document from the enclave.

Amazon Nitro Enclaves is an Amazon EC2 feature that lets you create isolated compute environments, called enclaves, to protect and process highly sensitive data. For more information about Amazon Nitro Enclaves and their integration with Amazon KMS, see Nitro Enclaves in the Amazon EC2 User Guide for Linux Instances.

When the call originates from an enclave, the CloudTrail log entry includes recipient data that represents the enclave measurements.

```json
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2020-07-27T22:58:24Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Amazon Internal",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": null,
    "additionalEventData": {
        "recipient": {
            "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
            "attestationDocumentEnclaveImageDigest": "ee0d451a2ff9aaaa9bccd07700b9cab123a0ac2386ef7e88ad5ea6c72ebabea840957328e2ec890b408c9b06cb8ebe6a"
        }
    },
    "requestID": "b4a65126-30d5-4b28-98b9-9153da559963",
    "eventID": "e5a2f202-ba1a-467c-b4ba-f729d45ae521",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```
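As an added example (not part of the AWS documentation), the following Python script triages CloudTrail Decrypt events using the recipient data described above: it separates decrypts from an allowlisted enclave image, decrypts from an unknown enclave image, and decrypts that carry no attestation document at all. The allowlist label and the extra sample events are constructed; the digest and module ID come from the log entry on this page.

```python
import json

# Enclave image digest (PCR0) taken from the log entry on this page.
PAGE_DIGEST = ("ee0d451a2ff9aaaa9bccd07700b9cab123a0ac2386ef7e88ad5ea6c72ebabea"
               "840957328e2ec890b408c9b06cb8ebe6a")

# Allowlist of enclave images whose Decrypt calls are expected (label is assumed).
EXPECTED_IMAGE_DIGESTS = {PAGE_DIGEST: "expected-enclave-image"}

# Constructed sample events, trimmed to the fields the check reads.
SAMPLE_EVENTS = [
    {"eventID": "e5a2f202-ba1a-467c-b4ba-f729d45ae521", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "additionalEventData": {"recipient": {
         "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
         "attestationDocumentEnclaveImageDigest": PAGE_DIGEST}}},
    # Decrypt with no attestation document: the recipient block is absent.
    {"eventID": "constructed-0002", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "additionalEventData": None},
    # Decrypt from an enclave whose image digest is not on the allowlist.
    {"eventID": "constructed-0003", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "additionalEventData": {"recipient": {"attestationDocumentEnclaveImageDigest": "00" * 48}}},
    # Not a Decrypt call; ignored by the check.
    {"eventID": "constructed-0004", "eventSource": "kms.amazonaws.com", "eventName": "Encrypt"},
]


def classify_decrypt(event):
    """Return a verdict string for one CloudTrail event."""
    if event.get("eventSource") != "kms.amazonaws.com" or event.get("eventName") != "Decrypt":
        return "ignored"
    recipient = (event.get("additionalEventData") or {}).get("recipient")
    if not recipient:
        # Plain Decrypt: the request carried no signed attestation document.
        return "no-attestation"
    digest = recipient.get("attestationDocumentEnclaveImageDigest", "")
    if digest in EXPECTED_IMAGE_DIGESTS:
        return "enclave-allowed"
    return "enclave-unknown-image"


def triage(events):
    """Map each eventID to its verdict so unexpected decrypts can be alerted on."""
    return {e["eventID"]: classify_decrypt(e) for e in events}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

A real deployment would feed events from the CloudTrail delivery bucket and alert on the `no-attestation` and `enclave-unknown-image` verdicts for keys whose policy is meant to be enclave-only.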