<h1>AWS KMS and AWS Secrets Manager</h1>
<p>Published 2025-02-07. Source: <a href="https://www.fanyamin.com/wordpress/?p=1881">https://www.fanyamin.com/wordpress/?p=1881</a></p>
<p>AWS offers several services for managing sensitive data. Two of them, <strong>AWS Key Management Service (KMS)</strong> and <strong>AWS Secrets Manager</strong>, are the core services for protecting and managing keys and credentials. This post walks through what each does, how they differ, and the technologies around them.</p>
<hr />
<h2><strong>1. AWS KMS (Key Management Service)</strong></h2>
<p>AWS KMS is a <strong>managed key management service</strong> for creating, storing and controlling the encryption keys that protect data in AWS resources and in your own applications. The key material of a KMS key is never exported in plaintext: every cryptographic operation with that key is an API call to the service, authorized by policy and logged.</p>
<h3><strong>1.1 Main features of AWS KMS</strong></h3>
<ul>
<li><strong>Key management</strong>
<ul>
<li>Generate, store, rotate and schedule deletion of encryption keys (deletion has a mandatory waiting period of 7 to 30 days, so a mistaken deletion can be cancelled)</li>
<li>Supports <strong>symmetric keys</strong> and <strong>asymmetric keys</strong> (RSA, ECC), the latter for encryption or for signing</li>
<li>Supports <strong>HMAC (hash-based message authentication code) keys</strong></li>
</ul>
</li>
<li><strong>Data encryption</strong>
<ul>
<li>Encrypt data directly in KMS (<strong>Encrypt/Decrypt API</strong>); the plaintext is limited to 4 KB per call, so this path is meant for small values such as other keys or short secrets</li>
<li>Encrypt data locally with a <strong>data key</strong> generated by KMS (envelope encryption), which is how bulk data and the integrated AWS services are encrypted</li>
</ul>
</li>
<li><strong>Access control</strong>
<ul>
<li>Fine-grained permissions through <strong>AWS IAM</strong></li>
<li>A resource-based <strong>key policy</strong> on every key. The key policy is the primary control: IAM identity policies only take effect where the key policy delegates to them. Grants add temporary, narrowly scoped permissions for services and workloads.</li>
</ul>
</li>
<li><strong>Key rotation</strong>
<ul>
<li>Automatic or manual rotation. Automatic rotation (symmetric keys with KMS-generated material only) creates new key material on a schedule, yearly by default, and keeps the old material so existing ciphertext still decrypts; nothing has to be re-encrypted.</li>
</ul>
</li>
<li><strong>FIPS 140-2 validation</strong>
<ul>
<li>KMS keys are generated, stored and used inside hardware security modules (HSMs) validated under <strong>FIPS 140-2</strong> (Security Level 3 since 2023; earlier validations were Level 2)</li>
</ul>
</li>
<li><strong>Integration with the AWS ecosystem</strong>
<ul>
<li>Used by <strong>S3, EBS, RDS, DynamoDB, Lambda</strong> and many other AWS services for encryption at rest</li>
</ul>
</li>
<li><strong>Cross-account key sharing</strong>
<ul>
<li>A KMS key can be used from other AWS accounts: the key policy must grant the external account, and that account's IAM policies must in turn allow its principals to use the key</li>
</ul>
</li>
</ul>
<h3><strong>1.2 How AWS KMS works</strong></h3>
<ol>
<li><strong>The user creates a KMS key (a customer managed key, historically called a CMK)</strong></li>
<li><strong>An AWS service or an application asks to encrypt some data</strong></li>
<li><strong>KMS generates a data key</strong> and returns it twice: in plaintext and encrypted under the KMS key</li>
<li><strong>The plaintext data key encrypts the actual data</strong> locally and is then discarded; only the encrypted data key is stored, next to the ciphertext</li>
<li><strong>To decrypt, the application sends the encrypted data key to KMS</strong>, which unwraps it if the caller is authorized</li>
<li><strong>The recovered data key decrypts the original data</strong></li>
</ol>
<h3><strong>1.3 Technologies around AWS KMS</strong></h3>
<ul>
<li><strong>AWS CloudTrail records every KMS operation</strong> (which principal used which key, through which service, with which encryption context); this is the audit trail for key usage</li>
<li><strong>Envelope encryption</strong>: generate a data key with KMS, encrypt the data with it, and store the encrypted copy of the data key beside the ciphertext. An encryption context (key/value pairs that KMS uses as additional authenticated data) binds the ciphertext to its intended use: decryption fails unless the same context is presented.</li>
<li><strong>KMS API</strong>: <code>Encrypt</code>, <code>Decrypt</code>, <code>GenerateDataKey</code>, <code>ReEncrypt</code>, plus <code>Sign</code>/<code>Verify</code> for asymmetric keys and <code>GenerateMac</code>/<code>VerifyMac</code> for HMAC keys</li>
<li><strong>AWS CloudHSM</strong>: dedicated, single-tenant hardware security modules under your own control. KMS can also use a CloudHSM cluster as a custom key store when key material must live in hardware you manage.</li>
</ul>
<hr />
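<p>The six-step flow of section 1.2 and the envelope-encryption and encryption-context points of section 1.3, worked through as an added example. This code is not from the original post or from AWS: <code>fakeKMS</code>, <code>randBytes</code>, <code>seal</code>/<code>unseal</code> and the key ID <code>alias/orders</code> are assumptions standing in for the KMS API so that the example runs offline, and the record encrypted in the usage note is constructed.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// fakeKMS stands in for AWS KMS (demo assumption, not the AWS SDK); key material never leaves it.
type fakeKMS struct{ keys map[string][]byte } // key ID -> 256-bit key material

func newFakeKMS() *fakeKMS { return &fakeKMS{keys: map[string][]byte{}} }

// CreateKey mints a symmetric key under the given ID (think of a KMS alias).
func (k *fakeKMS) CreateKey(keyID string) { k.keys[keyID] = randBytes(32) }

// randBytes panics on failure: a broken CSPRNG must never degrade silently.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// canonicalContext gives deterministic AAD bytes: json.Marshal writes map keys sorted.
func canonicalContext(ctx map[string]string) []byte {
	aad, _ := json.Marshal(ctx) // cannot fail for map[string]string
	return aad
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return g
}

// seal returns nonce||ciphertext under a fresh nonce; unseal reverses it and fails the tag check on any mismatch.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func unseal(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// GenerateDataKey returns a fresh data key in plaintext and wrapped under the
// KMS key; callers use the plaintext locally and store only the wrapped copy.
func (k *fakeKMS) GenerateDataKey(keyID string, ctx map[string]string) ([]byte, []byte, error) {
	km, ok := k.keys[keyID]
	if !ok {
		return nil, nil, errors.New("NotFoundException")
	}
	dk := randBytes(32)
	return dk, seal(km, dk, canonicalContext(ctx)), nil
}

// Decrypt unwraps a data key (naming the key ID is the KMS best practice); a wrong
// context or key fails the GCM tag, which KMS reports as InvalidCiphertextException.
func (k *fakeKMS) Decrypt(keyID string, wrapped []byte, ctx map[string]string) ([]byte, error) {
	km, ok := k.keys[keyID]
	if !ok {
		return nil, errors.New("NotFoundException")
	}
	return unseal(km, wrapped, canonicalContext(ctx))
}

// EnvelopeEncrypt: one GenerateDataKey call per object, bulk AES-GCM locally;
// store the returned wrapped key beside the ciphertext. The plaintext data key is wiped.
func EnvelopeEncrypt(kms *fakeKMS, keyID string, ctx map[string]string, plaintext []byte) (wrapped, ct []byte, err error) {
	dk, wrapped, err := kms.GenerateDataKey(keyID, ctx)
	if err != nil {
		return nil, nil, err
	}
	ct = seal(dk, plaintext, canonicalContext(ctx))
	clear(dk)
	return wrapped, ct, nil
}

// EnvelopeDecrypt: one Decrypt call to unwrap the data key, then local AES-GCM.
func EnvelopeDecrypt(kms *fakeKMS, keyID string, ctx map[string]string, wrapped, ct []byte) ([]byte, error) {
	dk, err := kms.Decrypt(keyID, wrapped, ctx)
	if err != nil {
		return nil, err
	}
	defer clear(dk)
	return unseal(dk, ct, canonicalContext(ctx))
}
```

<p>Usage: <code>kms := newFakeKMS(); kms.CreateKey("alias/orders")</code>, then <code>wrapped, ct, _ := EnvelopeEncrypt(kms, "alias/orders", map[string]string{"tenant": "acme"}, []byte("card=4111 ..."))</code> once per object, persisting <code>wrapped</code> next to <code>ct</code>. <code>EnvelopeDecrypt</code> with the same key ID and context returns the record; with a different context (say <code>tenant: mallory</code>), a different key, or an unknown key ID it returns an error, which is the property that makes the encryption context useful as an authorization check rather than just metadata. Against real KMS, <code>GenerateDataKey</code> and <code>Decrypt</code> map to the API calls of the same name and the context canonicalization happens inside the service; the stand-in uses AES-256-GCM for both the key wrapping and the data.</p>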
<h2><strong>2. AWS Secrets Manager</strong></h2>
<p>AWS Secrets Manager is a managed service <strong>dedicated to storing, managing and rotating sensitive credentials</strong> such as database credentials, API keys and OAuth tokens.</p>
<h3><strong>2.1 Main features of AWS Secrets Manager</strong></h3>
<ul>
<li><strong>Store and manage credentials</strong>
<ul>
<li><strong>Database credentials</strong> (Amazon RDS and Redshift, or self-managed MySQL, PostgreSQL and other engines)</li>
<li><strong>API keys</strong></li>
<li><strong>OAuth tokens</strong></li>
<li><strong>SSH keys</strong>; a secret value is any string or binary blob of up to 64 KB</li>
</ul>
</li>
<li><strong>Automatic credential rotation</strong>
<ul>
<li>Built-in rotation for <strong>RDS, Redshift</strong> and DocumentDB credentials, which changes the password in the database and the secret together</li>
<li>Custom rotation logic in a Lambda function you write for anything else</li>
</ul>
</li>
<li><strong>Secure access</strong>
<ul>
<li><strong>Permissions managed through AWS IAM</strong> (identity policies plus a resource policy on each secret)</li>
<li><strong>Encrypted at rest automatically</strong> with AWS KMS, under the AWS managed key <code>aws/secretsmanager</code> by default or a customer managed key you choose</li>
</ul>
</li>
<li><strong>Integration with the AWS ecosystem</strong>
<ul>
<li>Works with <strong>EC2, ECS, Lambda, RDS, DynamoDB</strong> and others</li>
</ul>
</li>
<li><strong>Version history</strong>
<ul>
<li>Each secret keeps several versions, tracked by the staging labels <code>AWSCURRENT</code>, <code>AWSPREVIOUS</code> and <code>AWSPENDING</code>; moving <code>AWSCURRENT</code> back to the previous version rolls the credential back</li>
</ul>
</li>
</ul>
<h3><strong>2.2 How AWS Secrets Manager works</strong></h3>
<ol>
<li><strong>Store the credential</strong>
<ul>
<li>Create a secret and choose automatic or manual rotation</li>
<li>AWS KMS encrypts the secret value</li>
</ul>
</li>
<li><strong>The application reads the credential</strong>
<ul>
<li>Through the <strong>AWS SDK or the Secrets Manager API</strong> (<code>GetSecretValue</code>)</li>
<li>Only principals whose IAM role is allowed by both the identity policy and the secret's resource policy can read it</li>
</ul>
</li>
<li><strong>Automatic rotation</strong>
<ul>
<li>When rotation is due, Secrets Manager invokes a Lambda function that creates a new version (labelled <code>AWSPENDING</code>), sets and tests the new credential at the target, and finally moves <code>AWSCURRENT</code> to it</li>
<li>The new value is not pushed to applications: they receive it on their next <code>GetSecretValue</code> call, so callers should cache with a short TTL and re-read when the credential is rejected</li>
</ul>
</li>
</ol>
<h3><strong>2.3 Technologies around AWS Secrets Manager</strong></h3>
<ul>
<li><strong>Secrets Manager API</strong> (<code>GetSecretValue</code>, <code>PutSecretValue</code>, <code>UpdateSecret</code>, <code>RotateSecret</code>)</li>
<li><strong>AWS Lambda rotation functions</strong> (AWS publishes templates for the supported database engines)</li>
<li><strong>AWS KMS</strong> for encryption of the stored secrets</li>
<li><strong>AWS Systems Manager Parameter Store integration</strong>: a Secrets Manager secret can be read through Parameter Store under the <code>/aws/reference/secretsmanager/</code> prefix, so code that already uses Parameter Store needs no change</li>
</ul>
<hr />
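<p>How the read-and-rotate interaction of section 2.2 looks from the application side, as an added example. This code is not from the original post or from the AWS SDK: <code>fakeSecrets</code> is an assumption standing in for Secrets Manager (one secret, its versions and staging labels), the <code>connect</code> callback stands in for a database login, and the version IDs <code>v1</code>/<code>v2</code> and passwords <code>pw-1</code>/<code>pw-2</code> in the usage note are constructed.</p>

```go
package main

import (
	"errors"
	"time"
)

// fakeSecrets stands in for Secrets Manager (a demo assumption, not the AWS
// SDK): the versions of one secret plus the staging labels the service uses.
type fakeSecrets struct {
	versions map[string]string // version ID -> secret value
	labels   map[string]string // AWSCURRENT / AWSPENDING / AWSPREVIOUS -> version ID
	Calls    int               // GetSecretValue calls, to make caching visible
}

func newFakeSecrets(initial string) *fakeSecrets {
	return &fakeSecrets{
		versions: map[string]string{"v1": initial},
		labels:   map[string]string{"AWSCURRENT": "v1"},
	}
}

// GetSecretValue with an empty stage returns AWSCURRENT, as the real API does.
func (s *fakeSecrets) GetSecretValue(stage string) (string, error) {
	s.Calls++
	if stage == "" {
		stage = "AWSCURRENT"
	}
	id, ok := s.labels[stage]
	if !ok {
		return "", errors.New("ResourceNotFoundException: no version with stage " + stage)
	}
	return s.versions[id], nil
}

// Rotate mirrors the rotation Lambda's steps: createSecret (new version under
// AWSPENDING), setSecret/testSecret at the target (here: the caller changes the
// database password), then finishSecret moves AWSCURRENT and AWSPREVIOUS.
func (s *fakeSecrets) Rotate(versionID, value string) {
	s.versions[versionID] = value
	s.labels["AWSPENDING"] = versionID
	if cur, ok := s.labels["AWSCURRENT"]; ok {
		s.labels["AWSPREVIOUS"] = cur
	}
	s.labels["AWSCURRENT"] = versionID
	delete(s.labels, "AWSPENDING")
}

type secretSource interface {
	GetSecretValue(stage string) (string, error)
}

// SecretCache keeps the AWSCURRENT value for a TTL so not every request hits the
// API; it is invalidated when the target rejects the credential, because Secrets
// Manager never pushes a rotated value, the application has to read it again.
type SecretCache struct {
	src     secretSource
	ttl     time.Duration
	now     func() time.Time // injectable clock
	value   string
	fetched time.Time
}

func NewSecretCache(src secretSource, ttl time.Duration) *SecretCache {
	return &SecretCache{src: src, ttl: ttl, now: time.Now}
}

func (c *SecretCache) Get() (string, error) {
	if c.value != "" && c.now().Sub(c.fetched) < c.ttl {
		return c.value, nil
	}
	v, err := c.src.GetSecretValue("")
	if err != nil {
		return "", err
	}
	c.value, c.fetched = v, c.now()
	return v, nil
}

func (c *SecretCache) Invalidate() { c.value = "" }

// ConnectWithSecret is the retry pattern: if the target rejects the credential,
// drop the cached value, read the secret once more and retry. Production code
// should retry only on an authentication error, not on every connection failure.
func ConnectWithSecret(c *SecretCache, connect func(password string) error) error {
	pw, err := c.Get()
	if err != nil {
		return err
	}
	if err := connect(pw); err == nil {
		return nil
	}
	c.Invalidate()
	if pw, err = c.Get(); err != nil {
		return err
	}
	return connect(pw)
}
```

<p>Usage: <code>sm := newFakeSecrets("pw-1")</code> and <code>c := NewSecretCache(sm, time.Hour)</code>; repeated <code>ConnectWithSecret(c, connect)</code> calls cost one API call while the cache is warm. When the rotation Lambda changes the database password to <code>pw-2</code> and <code>sm.Rotate("v2", "pw-2")</code> moves <code>AWSCURRENT</code>, the next call fails once against the stale value, re-reads, and succeeds; <code>GetSecretValue("AWSPREVIOUS")</code> still returns <code>pw-1</code>, which is what a rollback would move <code>AWSCURRENT</code> back to. The single-user rotation shown here has a short window in which the old password is already invalid; the alternating-users strategy in the AWS rotation templates avoids it by rotating two database users in turn.</p>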
<h2><strong>3. AWS KMS vs AWS Secrets Manager: the differences</strong></h2>
<table>
<thead>
<tr>
<th>Aspect</th>
<th>AWS KMS</th>
<th>AWS Secrets Manager</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Purpose</strong></td>
<td>Encrypt/decrypt data, manage keys</td>
<td>Store and manage passwords, API keys and other credentials</td>
</tr>
<tr>
<td><strong>What it holds</strong></td>
<td>Encryption keys, HMAC keys, data keys</td>
<td>Usernames/passwords, API keys, OAuth tokens</td>
</tr>
<tr>
<td><strong>Access control</strong></td>
<td>IAM policies, KMS key policies, grants</td>
<td>IAM policies, secret resource policies</td>
</tr>
<tr>
<td><strong>AWS service integration</strong></td>
<td>S3, EBS, RDS, DynamoDB, Lambda</td>
<td>RDS, ECS, Lambda, applications</td>
</tr>
<tr>
<td><strong>Automatic rotation</strong></td>
<td>Key material rotation only; old material is retained so old ciphertext still decrypts</td>
<td>Database credential rotation built in, custom rotation via Lambda</td>
</tr>
<tr>
<td><strong>API calls</strong></td>
<td><code>Encrypt</code>, <code>Decrypt</code>, <code>GenerateDataKey</code></td>
<td><code>GetSecretValue</code>, <code>RotateSecret</code></td>
</tr>
<tr>
<td><strong>Encryption mechanism</strong></td>
<td>Keys held in FIPS-validated HSMs; data encrypted by KMS or with data keys it issues</td>
<td>Secret values encrypted with AWS KMS by default</td>
</tr>
<tr>
<td><strong>Size limits</strong></td>
<td>4 KB of plaintext per <code>Encrypt</code> call</td>
<td>64 KB per secret value</td>
</tr>
<tr>
<td><strong>Access method</strong></td>
<td>AWS SDK, CLI or API</td>
<td>AWS SDK, CLI or API (<code>GetSecretValue</code>)</td>
</tr>
</tbody>
</table>
<hr />
<h2><strong>4. When to use which</strong></h2>
<h3><strong>4.1 When to use AWS KMS</strong></h3>
<ul>
<li>You need <strong>encryption at rest</strong> for S3, RDS, DynamoDB, EBS and similar services, with control over who may use the key</li>
<li>You need to <strong>sign or verify data</strong> (HMAC or asymmetric keys) without the private key ever leaving the HSM</li>
<li>You need to <strong>encrypt and decrypt application data yourself</strong>, for example client-side envelope encryption of files or records before they are stored</li>
<li>You need a <strong>root of trust for your own key hierarchy</strong>, for example to wrap data keys or other small secrets that you keep in your own database</li>
</ul>
<h3><strong>4.2 When to use AWS Secrets Manager</strong></h3>
<ul>
<li>You need to <strong>store API keys or database credentials</strong> and keep them out of code, configuration files and environment variables</li>
<li>You need <strong>applications to fetch and rotate credentials dynamically</strong> at runtime</li>
<li>You need to <strong>manage OAuth tokens</strong></li>
<li>You need to <strong>rotate database passwords automatically</strong></li>
</ul>
<hr />
<h2><strong>5. Summary</strong></h2>
<ul>
<li><strong>AWS KMS</strong> is primarily for <strong>managing encryption keys</strong>: it provides data encryption, key management and access control, and suits <strong>encryption at rest and data signing</strong>.</li>
<li><strong>AWS Secrets Manager</strong> is primarily for <strong>storing and managing application credentials</strong>, with <strong>automatic password rotation</strong>; it suits <strong>database credentials and API key management</strong>.</li>
</ul>
<p>The two are designed to be used together, for example:</p>
<ul>
<li><strong>Store an API key in AWS Secrets Manager and encrypt it with a customer managed AWS KMS key</strong>, so that reading the secret requires permission on both the secret and the key, and the key policy is a second gate independent of the secret's own policy</li>
<li><strong>Generate a data key with AWS KMS and use it to encrypt objects in S3</strong>, which is exactly what S3 server-side encryption with KMS keys (SSE-KMS) does on your behalf</li>
</ul>
<p>If your application involves <strong>storing sensitive information and managing keys</strong>, AWS KMS and AWS Secrets Manager are the central security tools for it in the AWS ecosystem.</p>