本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Decrypt
这些示例显示用于 Decrypt 操作的 Amazon CloudTrail 日志条目。
即使未在请求中指定加密算法,Decrypt
操作的 CloudTrail 日志条目也始终在 requestParameters
中包含 encryptionAlgorithm
。省略了请求中的密文和响应中的明文。
主题
使用标准对称加密密钥解密
以下是使用标准对称加密密钥的 Decrypt
操作的 CloudTrail 日志条目示例。
{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2020-07-27T22:58:24Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.0", "userAgent": "Amazon Internal", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": { "Department": "Engineering", "Project": "Alpha" } }, "responseElements": null, "requestID": "12345126-30d5-4b28-98b9-9153da559963", "eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }
使用标准对称加密密钥解密失败
以下 CloudTrail 日志条目示例记录了使用标准对称加密 KMS 密钥的失败的 Decrypt
操作。包含异常(errorCode
)和错误消息(errorMessage
),可帮助您解决错误。
在这种情况下,Decrypt
请求中指定的对称加密 KMS 密钥不是用于加密数据的对称加密 KMS 密钥。
{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2022-11-24T18:57:43Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "errorCode": "IncorrectKeyException" "errorMessage": "The key ID in the request does not identify a CMK that can perform this operation.", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": { "Department": "Engineering", "Project": "Alpha" } }, "responseElements": null, "requestID": "22345126-30d5-4b28-98b9-9153da559963", "eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }
使用 Amazon CloudHSM 密钥存储中的 KMS 密钥解密
以下 CloudTrail 日志条目示例记录了 Amazon CloudHSM 密钥存储中的使用 KMS 密钥的 Decrypt
操作。使用自定义密钥存储中的 KMS 密钥进行加密操作的所有日志条目都包含带有 customKeyStoreId
和 backingKeyId
的 additionalEventData
字段。backingKeyId
字段中返回的值是 CloudHSM 密钥 id
属性。请求中未指定 additionalEventData
。
{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2021-10-26T23:41:27Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.0", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": { "Department": "Development", "Purpose": "Test" } }, "responseElements": null, "additionalEventData": { "customKeyStoreId": "cks-1234567890abcdef0" }, "requestID": "e1b881f8-2048-41f8-b6cc-382b7857ec61", "eventID": "a79603d5-4cde-46fc-819c-a7cf547b9df4", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
使用外部密钥存储中的 KMS 密钥解密
以下 CloudTrail 日志条目示例记录了外部密钥存储中的使用 KMS 密钥的 Decrypt
操作。除了 customKeyStoreId
,additionalEventData
字段包括外部密钥 ID(XksKeyId
)。请求中未指定 additionalEventData
。
{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2022-11-24T00:26:58Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", "encryptionContext": { "Department": "Engineering", "Purpose": "Test" } }, "responseElements": null, "additionalEventData": { "customKeyStoreId": "cks-9876543210fedcba9", "xksKeyId": "abc01234567890fe" }, "requestID": "f1b881f8-2048-41f8-b6cc-382b7857ec61", "eventID": "b79603d5-4cde-46fc-819c-a7cf547b9df4", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
使用外部密钥存储中的 KMS 密钥解密失败
以下 CloudTrail 日志条目示例记录了外部密钥存储中的使用 KMS 密钥的 Decrypt
操作的失败请求。除了成功的请求,CloudWatch 日志还会记录失败的请求。在记录失败时,CloudTrail 日志条目包括异常(errorCode)和附带的错误消息(errorMessage)。
如果失败的请求到达了您的外部密钥存储代理(如本示例所示),则您可以使用 requestId
值将失败的请求与您的外部密钥存储代理日志的相应请求关联起来(如果您的代理提供了这些请求)。
如需帮助解决外部密钥存储中的 Decrypt
请求,请参阅 解密错误。
{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2022-11-24T00:26:58Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "errorCode": "KMSInvalidStateException", "errorMessage": "The external key store proxy rejected the request because the specified ciphertext or additional authenticated data is corrupted, missing, or otherwise invalid.", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", "encryptionContext": { "Department": "Engineering", "Purpose": "Test" } }, "responseElements": null, "additionalEventData": { "customKeyStoreId": "cks-9876543210fedcba9", "xksKeyId": "abc01234567890fe" }, "requestID": "f1b881f8-2048-41f8-b6cc-382b7857ec61", "eventID": "b79603d5-4cde-46fc-819c-a7cf547b9df4", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }