How can I get details of an AMI or snapshot if it is encrypted and with which key (AWS Managed CMK or Customer Managed CMK) in AWS


Problem description

Issue: ➜ I want to get information about my AMI to know if it is encrypted or not and, if yes, which key it is encrypted with (AWS Managed CMK or Customer Managed CMK), so that I can utilize this information while sharing my AMI with another account without any issues.

Recommended answer

Solution: ➜

****We can get this information using the AWS Console as well as the AWS CLI, which could be useful while troubleshooting the correlation between encrypted AMIs/snapshots and KMS****

How can I check using AWS CLI commands:

You can use the below APIs to get the information:

  • describe-images (this can be used to get the block device information of the AMI, which also provides you a snapshot ID associated with that device).
  • describe-snapshots (this can be used to get the information about each snapshot in order to get the encryption parameter "true" or "false" and the corresponding key ID)
  • describe-key (if the snapshot is encrypted, you can check the details of the key, whether it is an "AWS Managed CMK" or a "Customer Managed CMK")

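Example:

I want to get the details of my AMI (ami-0xxxxxx), which is located in the region (eu-west-1). I want to know whether this AMI is encrypted and, if yes, which keys are used to encrypt it, so that I can further decide on allowing other accounts to use it.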

1 Checking AMI block mappings to see the associated snapshots:

# aws ec2 describe-images --image-ids ami-0xxxxxx --region eu-west-1 --query "Images[*].BlockDeviceMappings"

2 Checking snapshot details to find the key and encryption details:

# aws ec2 describe-snapshots --snapshot-ids "snap-xxxxxxxxxxxxx" --region eu-west-1

3 Now, checking if it's encrypted using an AWS Managed Key or a Customer Managed Key:

# aws kms describe-key --key-id "dcd4dcd4xxxxxxxxxxxxxxxxxx" --region eu-west-1

How can I check using the AWS Console:

  • Go to AWS Console - EC2 - navigate to the Images section and click "AMIs" or click here
  • Copy the AMI ID whose information you would like to know. Navigate to "Elastic Block Store" and navigate to the "Snapshots" page or click here, and you can paste the AMI ID which you've copied in the search box available (it will show you the associated snapshots for this AMI)
  • To know the snapshot encryption status, check the Description below and you will find details such as:
    • Encryption : Encrypted
    • KMS Key ID : dcd4dxxxxxxxxxx
    • KMS Key ARN : arn:aws:kms:eu-west-1:920ssss:key/dcd4dxxxxxxxxxx

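➜ This means that the AMI is encrypted and the key ID is (dcd4dxxxxxxxxxx) (meaning the snapshot is encrypted) - you can note this information down to check the key type further.

<< Now, we don't have details about the key, whether it is an AWS Managed CMK or a Customer Managed CMK >>

To find this out, follow the steps below: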

  • Go to AWS Console - KMS - and there on the left-hand side you have all the keys available:
    • AWS managed keys
    • Customer managed keys

➜ Now, you can click on one of the above choices to filter for the key ID which you have noted above, to verify the type of key, whether it is (AWS Managed CMK or Customer Managed CMK).

Now you can use the above information for further purposes, such as sharing this AMI with another account.

*****Please Note*****

➜ You can't share AMIs which are encrypted with the AWS Managed Key (which is the AWS default key used to encrypt), which is also documented here: [+] Considerations : https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html#share-snapshot-considerations

Also, to know more about "Customer Managed CMKs" & "AWS Managed CMKs", please refer to:

[+] AWS Key Management Service Concepts : https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
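
An added example (not part of the original answer and not AWS's own code) that chains the three calls from the CLI walkthrough through the equivalent boto3 client methods and flags snapshots encrypted with an AWS managed key. The function name, the stub classes, and all IDs are constructed for illustration; real use assumes boto3 and valid credentials.

```python
def ami_encryption_report(ec2, kms, image_id):
    """Walk AMI -> snapshots -> KMS key; ec2/kms are boto3 clients or stubs."""
    image = ec2.describe_images(ImageIds=[image_id])["Images"][0]
    # Instance-store mappings have no "Ebs" block and no snapshot; skip them.
    snap_ids = [m["Ebs"]["SnapshotId"] for m in image["BlockDeviceMappings"]
                if "SnapshotId" in m.get("Ebs", {})]
    if not snap_ids:  # an empty SnapshotIds filter would list every snapshot
        return []
    report = []
    for snap in ec2.describe_snapshots(SnapshotIds=snap_ids)["Snapshots"]:
        row = {"snapshot": snap["SnapshotId"], "encrypted": snap["Encrypted"],
               "key": snap.get("KmsKeyId"), "manager": None}
        if snap["Encrypted"]:
            meta = kms.describe_key(KeyId=snap["KmsKeyId"])["KeyMetadata"]
            row["manager"] = meta["KeyManager"]  # "AWS" or "CUSTOMER"
        # Per the note on this page, AWS managed key encryption blocks sharing.
        row["shareable"] = row["manager"] != "AWS"
        report.append(row)
    return report


# Constructed stubs (not real resources) shaped like the real API responses.
KEY = "arn:aws:kms:eu-west-1:111122223333:key/"  # placeholder account ID

class StubEC2:
    def describe_images(self, ImageIds):
        return {"Images": [{"BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-root"}},
            {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
            {"DeviceName": "/dev/sdf", "Ebs": {"SnapshotId": "snap-data"}},
            {"DeviceName": "/dev/sdg", "Ebs": {"SnapshotId": "snap-logs"}}]}]}

    def describe_snapshots(self, SnapshotIds):
        snaps = {"snap-root": {"Encrypted": True, "KmsKeyId": KEY + "aws-1"},
                 "snap-data": {"Encrypted": True, "KmsKeyId": KEY + "cust-1"},
                 "snap-logs": {"Encrypted": False}}
        return {"Snapshots": [dict(snaps[s], SnapshotId=s) for s in SnapshotIds]}

class StubKMS:
    def describe_key(self, KeyId):
        manager = "AWS" if KeyId.endswith("aws-1") else "CUSTOMER"
        return {"KeyMetadata": {"KeyManager": manager}}


if __name__ == "__main__":
    # With credentials, pass boto3.client("ec2", region_name="eu-west-1") and
    # boto3.client("kms", region_name="eu-west-1") instead of the stubs.
    for row in ami_encryption_report(StubEC2(), StubKMS(), "ami-0xxxxxx"):
        print(row)
```

A "CUSTOMER" result only means the AWS managed key restriction does not apply; the key's policy must still grant the other account use of that key before the shared AMI is usable there.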
