Classmethod, Inc.
10 Key Management Service
DEVIO-MTUP11-TOKYO-001
20141216
Twitter & Hatena-id: torazuka
KMS
Encrypt API / Decrypt API
Key Management Service (KMS): re:Invent 2014 / AWS
KMS API
CreateAlias
DeleteAlias
CreateKey
DisableKeyRotation
EnableKeyRotation
UpdateKeyDescription
PutKeyPolicy
ListKeyPolicies
ListKeys
ListAliases
GetKeyPolicy
GetKeyRotationStatus
DisableKey
EnableKey
DescribeKey
KMS API
Encrypt
Decrypt
ReEncrypt
GenerateDataKey
GenerateDataKeyWithoutPlaintext
AWS KMS: CreateKey(Description, Policy)
KeyID, ARN, ...
Policy, Description
AWS KMS: GenerateDataKey(KeyID)
AWS KMS: Decrypt(CiphertextBlob)
active
deactivated
Key Policy
{
  "Id": "key-default",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "012345678901"},
      "Action": ["kms:*"],
      "Resource": "*"
    }
  ]
}
KMS API
root
Key Policy
{
  "Sid": "Allow access for Key Administrators",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::012345678901:user/Administrator"},
  "Action": [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*"
  ],
  "Resource": "*"
}
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::012345678901:user/User"},
  "Action": [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey*", "kms:DescribeKey"
  ],
  "Resource": "*"
}
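Added example (not part of the deck or of AWS's own tooling): a small Python evaluator that checks the administrator / user split of the key policy above, reporting whether either principal can cross into the other's set of KMS actions. The policy literal is constructed from the two statements on this slide with "Effect" spelled out; the evaluator models Allow statements only (no Deny, no Condition, no IAM-side policies or grants), and the names is_allowed and separation_of_duties_gaps are my own.

```python
import fnmatch
import json

# Constructed sample policy: the admin / user split from the slides.
KEY_POLICY = json.loads("""{
  "Id": "key-separated-duties", "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::012345678901:user/Administrator"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*"],
     "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::012345678901:user/User"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"}
  ]
}""")

ADMIN = "arn:aws:iam::012345678901:user/Administrator"
USER = "arn:aws:iam::012345678901:user/User"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, principal_arn, action):
    """True if an Allow statement names the principal and one of its Action globs matches."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn not in principals and "*" not in principals:
            continue
        # Action entries are case-insensitive globs: kms:Get* matches kms:GetKeyPolicy
        patterns = (p.lower() for p in _as_list(stmt["Action"]))
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            return True
    return False


def separation_of_duties_gaps(policy, admin_arn=ADMIN, user_arn=USER):
    """(data-path actions the admin can call, management actions the user can call).
    Both lists are empty when administering the key and using it stay separate."""
    data_path = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey"]
    management = ["kms:PutKeyPolicy", "kms:DisableKey", "kms:DeleteAlias", "kms:CreateAlias"]
    return ([a for a in data_path if is_allowed(policy, admin_arn, a)],
            [a for a in management if is_allowed(policy, user_arn, a)])
```

Run the check again whenever the key policy is changed; a non-empty list means one role has gained the other's powers and the two statements no longer enforce separation of duties.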
AWS Key Management Service http://aws.amazon.com/jp/kms
AWS Key Management Service whitepaper https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
#cmdevio