
How to securely store the Amazon access token for Amazon KMS

I am exploring the Amazon KMS managed service, and it seems secure for storing the master key and the data key. I am able to decrypt the data key to plaintext from the encrypted data key using the AWS KMS API / CLI.

But I have one concern: to access Amazon KMS to decrypt the data key, I need to pass the access token and the encrypted data key.

So where can I securely store the Amazon access token and the encrypted data key?

Any thoughts are appreciated.

Thanks,
Harry

I need to pass the access token and encrypted data key.

Indeed, you need to authenticate and authorize the client before calling any AWS service.

Maybe you could elaborate on what you mean by "amazon access token". Actually you need to store an access key and a secret access key, and optionally a (temporary) session token, to properly authorize the service. I assume that by "amazon access token" you mean the client credentials.

Where can I securely store the amazon access token and encrypted data key?

For the data key: the encrypted data key may be stored/sent along with the data (if you generate a new key for each encryption) or as configuration (if you plan to reuse the key); it is already safely encrypted.

If your client (the code using KMS) is running on AWS infrastructure, you may use service roles to allow a service to access KMS without storing the identity credentials explicitly. This is the default (and best) way if the client runs on AWS too.

If you are accessing KMS from outside AWS, your application needs to have the client credentials. As already commented, in theory you may use a Secrets Manager as well, but then you need credentials to access that service anyway.
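The two points of the answer above in working code, as an added example that is not part of the original post or of any AWS library: the encrypted data key is carried inside the ciphertext container (so nothing secret is stored beside the data), and the real KMS client is constructed with no access key or secret at all, so on EC2, ECS or Lambda boto3's default credential chain takes credentials from the attached role. Everything except the boto3 calls is an assumption made for the example: the `EKV1` container layout, the `FakeKms` stand-in that lets the file run offline, and the HMAC-based encrypt-then-MAC cipher used in place of AES-GCM so that only the standard library is needed.

```python
"""Envelope encryption around a KMS-managed data key (added example, not from the post).

The encrypted data key (EDK) travels inside the ciphertext container, so nothing
secret is stored beside the data, and the real KMS client is built with no
explicit access key / secret: on EC2, ECS or Lambda boto3's default credential
chain takes them from the attached role. Assumptions made for the example: the
container layout, FakeKms (offline stand-in for KMS) and the HMAC-based
encrypt-then-MAC cipher, which exists only so this runs on the standard
library; in production use AES-GCM (e.g. the `cryptography` package).
"""
import hashlib
import hmac
import os
import struct
from typing import Tuple

MAGIC = b"EKV1"              # hypothetical container version tag
NONCE_LEN, TAG_LEN = 16, 32

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream: PRF(key, nonce || counter) XOR data (toy AES-CTR stand-in)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(key, nonce + struct.pack(">I", i // 32))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _aead_seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC with separate enc/mac subkeys; `aad` is authenticated, not encrypted."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), aad + nonce + ct)

def _aead_open(key: bytes, sealed: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), aad + nonce + ct)):
        raise ValueError("authentication failed")     # constant-time compare above
    return _keystream_xor(_prf(key, b"enc"), nonce, ct)

class FakeKms:
    """Offline stand-in for KMS (assumption): the master key never leaves this object."""
    def __init__(self) -> None:
        self._master = os.urandom(32)
    def generate_data_key(self) -> Tuple[bytes, bytes]:
        plain = os.urandom(32)
        return plain, _aead_seal(self._master, plain, b"kms-edk")
    def decrypt(self, edk: bytes) -> bytes:
        return _aead_open(self._master, edk, b"kms-edk")

class Boto3Kms:
    """Real backend. No access key or secret appears here: boto3's default credential
    chain supplies them from the instance/task/Lambda role (or env vars and
    ~/.aws/credentials when running off AWS)."""
    def __init__(self, key_id: str, region: str) -> None:
        import boto3                      # lazy: the offline demo needs no boto3
        self._kms, self._key_id = boto3.client("kms", region_name=region), key_id
    def generate_data_key(self) -> Tuple[bytes, bytes]:
        r = self._kms.generate_data_key(KeyId=self._key_id, KeySpec="AES_256")
        return r["Plaintext"], r["CiphertextBlob"]
    def decrypt(self, edk: bytes) -> bytes:
        return self._kms.decrypt(CiphertextBlob=edk)["Plaintext"]

def encrypt(kms, plaintext: bytes) -> bytes:
    """Container = MAGIC | EDK length | EDK | sealed body. The header is the AAD,
    so an attacker cannot swap the EDK under the body."""
    plain_key, edk = kms.generate_data_key()     # plaintext key used once, never stored
    header = MAGIC + struct.pack(">H", len(edk)) + edk
    return header + _aead_seal(plain_key, plaintext, header)

def decrypt(kms, container: bytes) -> bytes:
    if container[:4] != MAGIC:
        raise ValueError("not an envelope container")
    (edk_len,) = struct.unpack(">H", container[4:6])
    header, body = container[:6 + edk_len], container[6 + edk_len:]
    return _aead_open(kms.decrypt(header[6:]), body, header)   # one KMS call per decrypt

def _rejected(kms, blob: bytes) -> bool:
    try:
        decrypt(kms, blob)
        return False
    except ValueError:
        return True

def demo() -> dict:
    """Round trip plus negative checks on a constructed sample record."""
    kms = FakeKms()
    msg = b"customer record 42: card ending 1234"          # constructed sample input
    box = encrypt(kms, msg)
    tampered = box[:-1] + bytes([box[-1] ^ 0x01])           # flip one bit of the tag
    return {
        "roundtrip": decrypt(kms, box) == msg,
        "tamper_detected": _rejected(kms, tampered),
        "other_master_rejected": _rejected(FakeKms(), box),  # EDK wrapped by another master key
        "edk_inside_container": box.startswith(MAGIC),
    }

if __name__ == "__main__":
    print(demo())
```

To run this against real KMS, swap `FakeKms()` for `Boto3Kms("alias/your-key", "eu-west-1")` (both values are placeholders) on a host whose IAM role is allowed `kms:GenerateDataKey` and `kms:Decrypt` on that key; the application code still holds no credentials. Only the encrypted data key needs persisting, and here it is bound to the ciphertext by the header-as-AAD choice, so a swapped or corrupted EDK fails authentication instead of silently decrypting garbage.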
