AWS KMS 和相关资源
AWS KMS and Associated Resources
我试图更好地了解在 AWS KMS 中禁用 CMK 时会发生什么。具体来说,如果我有一个用这个密钥加密的 EBS 卷,什么。此卷和附加到该卷的 EC2 发生了什么?
在禁用 CMK 期间,卷是否会变得不可用?
卷附加到的EC2是否已关闭?
非常感谢任何指导。
最佳,
来自docs:
If you disable a CMK, it cannot be used to encrypt or decrypt data until you re-enable it.
当您使用 CMK 加密根 EBS 卷然后禁用它时,您将无法再次启动它。
在 disabled key 上只能进行少数操作,例如 DescribeKey、CreateAlias 或 GetKeyPolicy。
当实例为 运行 时禁用密钥,它将保留 运行。原因是(我认为)和你 delete key:
Several AWS services integrate with AWS KMS to protect your data. Some of these services, such as Amazon EBS and Amazon Redshift, use a customer master key (CMK) in AWS KMS to generate a data key and then use the data key to encrypt your data. These plaintext data keys persist in memory as long as the data they are protecting is actively in use.
Scheduling a CMK for deletion makes it unusable, but it does not prevent the AWS service from using data keys in memory to encrypt and decrypt your data. The service is not affected until it needs to use the CMK that is pending deletion or deleted.
我试图更好地了解在 AWS KMS 中禁用 CMK 时会发生什么。具体来说,如果我有一个用这个密钥加密的 EBS 卷,什么。此卷和附加到该卷的 EC2 发生了什么?
在禁用 CMK 期间,卷是否会变得不可用? 卷附加到的EC2是否已关闭?
非常感谢任何指导。
最佳,
来自docs:
If you disable a CMK, it cannot be used to encrypt or decrypt data until you re-enable it.
当您使用 CMK 加密根 EBS 卷然后禁用它时,您将无法再次启动它。
在 disabled key 上只能进行少数操作,例如 DescribeKey、CreateAlias 或 GetKeyPolicy。
当实例为 运行 时禁用密钥,它将保留 运行。原因是(我认为)和你 delete key:
Several AWS services integrate with AWS KMS to protect your data. Some of these services, such as Amazon EBS and Amazon Redshift, use a customer master key (CMK) in AWS KMS to generate a data key and then use the data key to encrypt your data. These plaintext data keys persist in memory as long as the data they are protecting is actively in use.
Scheduling a CMK for deletion makes it unusable, but it does not prevent the AWS service from using data keys in memory to encrypt and decrypt your data. The service is not affected until it needs to use the CMK that is pending deletion or deleted.