How Key Management Service works, explained in 10 minutes #cmdevio
Uploaded by: y-torazuka
Category: Technology
Transcript of: How Key Management Service works, explained in 10 minutes #cmdevio
Classmethod, Inc.
How Key Management Service works, explained in 10 minutes
DEVIO-MTUP11-TOKYO-001
20141216
Twitter & Hatena-id: torazuka
Encrypt API / Decrypt API
Key Management Service (KMS), re:Invent 2014 / AWS
Amazon KMS
KMS API (key management)
CreateAlias
DeleteAlias
CreateKey
DisableKeyRotation
EnableKeyRotation
UpdateKeyDescription
PutKeyPolicy
ListKeyPolicies
ListKeys
ListAliases
GetKeyPolicy
GetKeyRotationStatus
DisableKey
EnableKey
DescribeKey
KMS API (data encryption)
Encrypt
Decrypt
ReEncrypt
GenerateDataKey
GenerateDataKeyWithoutPlaintext

AWS KMS: CreateKey(Description, Policy)
Returns: KeyID, ARN, ...
Inputs: Policy, Description
AWS KMS: GenerateDataKey(KeyID)
AWS KMS: Decrypt(CiphertextBlob)
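The CreateKey -> GenerateDataKey -> Decrypt(CiphertextBlob) flow from the slides above, as an added example that is not part of the original deck: FakeKMS is a constructed in-memory stand-in for the service, and the HMAC-SHA256 keystream is a constructed substitute for the AES used by real KMS; only the envelope-encryption call pattern and the effect of DisableKey are what it demonstrates.

```python
import hmac, hashlib, secrets

def _keystream_xor(key, nonce, data):
    """Counter-mode XOR with an HMAC-SHA256 keystream (constructed stand-in for AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class FakeKMS:
    """In-memory stand-in for KMS: customer master key (CMK) bytes never leave this object."""
    def __init__(self):
        self._cmks = {}  # KeyId -> {"key": bytes, "enabled": bool, "desc": str}

    def create_key(self, description):  # CreateKey(Description) -> KeyID
        key_id = secrets.token_hex(8)  # stands in for the real KeyId / ARN
        self._cmks[key_id] = {"key": secrets.token_bytes(32), "enabled": True, "desc": description}
        return key_id

    def disable_key(self, key_id):  # DisableKey: the CMK becomes deactivated
        self._cmks[key_id]["enabled"] = False

    def generate_data_key(self, key_id):
        """GenerateDataKey(KeyID) -> (plaintext data key, CiphertextBlob wrapped under the CMK)."""
        cmk = self._cmks[key_id]
        if not cmk["enabled"]:
            raise PermissionError("key is deactivated")
        plaintext, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
        return plaintext, bytes.fromhex(key_id) + nonce + _keystream_xor(cmk["key"], nonce, plaintext)

    def decrypt(self, blob):
        """Decrypt(CiphertextBlob): the KeyId is read from the blob, not passed by the caller."""
        key_id, nonce, wrapped = blob[:8].hex(), blob[8:20], blob[20:]
        cmk = self._cmks[key_id]
        if not cmk["enabled"]:
            raise PermissionError("key is deactivated")
        return _keystream_xor(cmk["key"], nonce, wrapped)

def envelope_encrypt(kms, key_id, message):
    data_key, blob = kms.generate_data_key(key_id)
    nonce = secrets.token_bytes(12)
    ciphertext = _keystream_xor(data_key, nonce, message)  # encrypted locally, no KMS call
    return blob, nonce, ciphertext  # persist the wrapped key with the data, never the plaintext key

def envelope_decrypt(kms, blob, nonce, ciphertext):
    return _keystream_xor(kms.decrypt(blob), nonce, ciphertext)  # one KMS call unwraps the data key
```

Once the CMK is disabled, Decrypt refuses every CiphertextBlob wrapped under it, so the stored data stays unreadable until EnableKey is called.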
active
deactivated
Key Policy
{
  "Id": "key-default",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "012345678901"},
      "Action": ["kms:*"],
      "Resource": "*"
    }
  ]
}
Default key policy: the account root principal is allowed every KMS API action.
Key Policy
{
  "Sid": "Allow access for Key Administrators",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::012345678901:user/Administrator"},
  "Action": [
    "kms:Create*",
    "kms:Describe*",
    "kms:Enable*",
    "kms:List*",
    "kms:Put*",
    "kms:Update*",
    "kms:Revoke*",
    "kms:Disable*",
    "kms:Get*",
    "kms:Delete*"
  ],
  "Resource": "*"
}
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::012345678901:user/User"},
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
AWS Key Management Service http://aws.amazon.com/jp/kms
AWS Key Management Service whitepaper https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
#cmdevio