
AWS Cross Region replication and AWS KMS Customer Managed Keys

Background - I am trying to set up Cross-Region Replication for one of our buckets. Our bucket is currently encrypted via a KMS CMK (customer-managed key). We know that AWS KMS is region-specific.

I have been able to replicate the unencrypted objects without any issues.

Question - Will the objects in the destination bucket be decrypted when the objects (which are encrypted) are replicated across to the destination bucket, which at the moment is not encrypted? Because we know the CMK key is not going to be available in the destination region?

The S3 service where you are replicating from will need to decrypt the data key using the CMK for that region and then construct a new envelope using the CMK of the destination region. There is no need to decrypt the actual data.

If you are replicating across accounts, then the source account needs access to encrypt using the destination account's CMK, but the destination account doesn't require access to decrypt using the source account's CMK. This shows that the S3 service where the source bucket is located is the one constructing the new envelope prior to replication, which is both the logical and the secure way of doing it. (https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-config-for-kms-objects.html#replication-kms-cross-acct-scenario)

So in transit, the replicated objects are encrypted using both TLS and KMS.

(Disclosure: I am employed by AWS)
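The envelope re-wrap the answer describes, as an added example that is not part of the original question or answer and is not AWS code. It models a CMK as a region-bound object that only wraps and unwraps 32-byte data keys, so the replication step can be shown to touch the wrapped key and never the object body. The primitives are deliberate stand-ins built from the standard library (a SHA-256 counter keystream and an HMAC-protected XOR wrap) so the script runs offline; real S3/KMS use AES-GCM, and the key IDs, regions and object body are constructed sample values.

```python
"""Toy model of how S3 replication re-wraps an SSE-KMS envelope.

Added example, not from the original post. ToyCmk stands in for a KMS CMK
and the stream cipher stands in for AES-GCM; both are toys for illustration.
"""
import hashlib
import hmac
import os


def _xor(data: bytes, mask: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, mask))


def _keystream(data_key: bytes, length: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode (stand-in for AES-GCM).
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(data_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class ToyCmk:
    """Region-bound key. Like a real CMK it only wraps/unwraps 32-byte data
    keys; it never sees object data and its secret never leaves the object."""

    def __init__(self, key_id: str, region: str, audit: list):
        self.key_id = key_id
        self.region = region
        self._secret = os.urandom(32)  # constructed; stays inside this object
        self._audit = audit            # shared log of (key_id, operation)

    def encrypt(self, data_key: bytes) -> bytes:
        """kms:Encrypt - wrap a data key under this CMK."""
        self._audit.append((self.key_id, "Encrypt"))
        mask = hashlib.sha256(self._secret + b"wrap").digest()
        wrapped = _xor(data_key, mask)
        tag = hmac.new(self._secret, wrapped, "sha256").digest()
        return self.key_id.encode() + b"|" + wrapped + tag

    def decrypt(self, blob: bytes) -> bytes:
        """kms:Decrypt - unwrap a data key; refuses blobs wrapped by another key."""
        self._audit.append((self.key_id, "Decrypt"))
        key_id, rest = blob.split(b"|", 1)
        if key_id != self.key_id.encode():
            raise PermissionError(f"{self.key_id} cannot unwrap a key from {key_id.decode()}")
        wrapped, tag = rest[:32], rest[32:]
        expected = hmac.new(self._secret, wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped data key failed integrity check")
        return _xor(wrapped, hashlib.sha256(self._secret + b"wrap").digest())


def encrypt_object(plaintext: bytes, cmk: ToyCmk) -> dict:
    """SSE-KMS PUT: fresh data key encrypts the body, CMK wraps the data key."""
    data_key = os.urandom(32)
    return {
        "body": _xor(plaintext, _keystream(data_key, len(plaintext))),
        "wrapped_key": cmk.encrypt(data_key),
        "kms_key_id": cmk.key_id,
    }


def decrypt_object(obj: dict, cmk: ToyCmk) -> bytes:
    """GET in the region that owns the CMK named in the envelope."""
    data_key = cmk.decrypt(obj["wrapped_key"])
    return _xor(obj["body"], _keystream(data_key, len(obj["body"])))


def replicate(obj: dict, source_cmk: ToyCmk, dest_cmk: ToyCmk) -> dict:
    """What the source-region S3 service does: unwrap the data key with the
    source CMK, re-wrap it with the destination CMK, copy the body verbatim."""
    data_key = source_cmk.decrypt(obj["wrapped_key"])
    return {
        "body": obj["body"],                       # ciphertext is never decrypted
        "wrapped_key": dest_cmk.encrypt(data_key),  # new envelope for the new region
        "kms_key_id": dest_cmk.key_id,
    }


def demo() -> dict:
    audit = []
    src = ToyCmk("src-key", "us-east-1", audit)   # constructed IDs and regions
    dst = ToyCmk("dst-key", "eu-west-1", audit)
    plaintext = b"constructed sample object body"
    obj = encrypt_object(plaintext, src)

    start = len(audit)
    replica = replicate(obj, src, dst)
    replication_ops = audit[start:]   # exactly the KMS calls replication needed

    try:                              # the replica is no longer tied to the source CMK
        decrypt_object(replica, src)
        rejected = False
    except PermissionError:
        rejected = True

    return {
        "body_unchanged": replica["body"] == obj["body"],
        "replica_readable_with_dest_key": decrypt_object(replica, dst) == plaintext,
        "replication_ops": replication_ops,
        "replica_rejected_by_source_key": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The audit log produced by `demo()` is the point: replication needs only `Decrypt` on the source key and `Encrypt` on the destination key, which matches the cross-account permission asymmetry in the answer, while readers in the destination region need only `Decrypt` on the destination key. The body bytes are identical before and after, so no plaintext exists at any point of the copy.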
