AWS key modification
What Is AWS KMS?
AWS Key Management Service (KMS) is a fully managed service to create, store, and control encryption keys in order to encrypt your data.
Some important points:
- KMS is a highly durable and available service.
- KMS encryption keys are regional: a key created in one region is not available from another.
- The service uses Hardware Security Modules (HSMs) under the hood, which in turn guarantees the security and integrity of the generated keys.
- It offers easy key rotation and logs all events related to a key to AWS CloudTrail.
Key Concepts
Customer Master Keys (CMKs)
Customer master keys never leave the AWS KMS service unencrypted. They carry metadata such as the key ID and creation date. A CMK can encrypt or decrypt arbitrary data of at most 4 KB per call. Typically, you use CMKs to generate, encrypt, and decrypt the data keys that you then use outside AWS KMS to encrypt your data. This is known as envelope encryption.
CMKs can be:
- Customer-managed: created and managed by the AWS user. Access to them is controlled with AWS IAM.
- AWS-managed: created and managed by AWS on your behalf for use by a specific service. They can be identified by aliases of the form aws/service-name.
- AWS-owned: not in your AWS account. They are part of a collection of CMKs that AWS owns and manages for use in multiple AWS accounts. They cannot be viewed or managed by the user.
Data Keys
These are symmetric keys generated by AWS KMS that can encrypt and decrypt large amounts of data. AWS KMS does not store, manage, or track data keys, and does not perform cryptographic operations with them. You must use and manage data keys outside AWS KMS.
Basic Encryption Using AWS KMS
This is the straightforward way of encrypting and decrypting data: you send the data to AWS KMS and a CMK encrypts or decrypts it directly.
Limitations:
- A CMK can encrypt or decrypt at most 4 KB of data per call.
- Shipping large amounts of data to the service every time it needs to be encrypted or decrypted is costly, and every such round trip moves plaintext over the network, which adds exposure (for example to man-in-the-middle attacks on the transport) that keeping the data local avoids.
Envelope Encryption
This makes use of both data keys and CMKs: data keys encrypt the plaintext, and a CMK encrypts the data keys.
1. Generate a data key with the GenerateDataKey operation. AWS KMS generates the data key under the CMK you name and returns two copies: the plaintext data key and the same key encrypted under the CMK.
2. Encrypt the data with the plaintext data key. AWS KMS cannot encrypt data with data keys, but you can use the data key outside AWS KMS to encrypt and decrypt your data. As soon as the plaintext has been encrypted, remove the plaintext data key from memory. Store only the encrypted copy of the data key; it is what you will need for decryption.
3. Decrypt the data with the encrypted data key. Pass the encrypted data key to the Decrypt operation; AWS KMS decrypts it under the CMK and returns the plaintext data key. Then use that plaintext data key to decrypt the ciphertext outside AWS KMS.
Here are the advantages of using envelope encryption:
- You don't need to protect the encrypted data keys separately: they are ciphertext under the CMK, so you can store them alongside the encrypted data. (The plaintext data key still has to be held in memory only for as long as it is needed.)
- It enables you to combine the strengths of both symmetric key encryption algorithms and public-key encryption algorithms.
- You get a performance boost, as you don't need to send large amounts of data to Amazon servers: only the small data keys cross the network.
- Instead of re-encrypting your raw data with multiple data keys, you can re-encrypt your data keys, for example to move them under a new CMK when rotating keys.
Translated from: https://medium.com/better-programming/aws-key-management-service-all-you-need-to-know-8c6b0e17a2d0