写点什么

AWS KMS 实现跨租户的安全数据加密(二)

  • 2019-12-26
  • 本文字数:4809 字

    阅读完需:约 16 分钟

AWS KMS 实现跨租户的安全数据加密(二)

3 配置 Cognito identity pool 及 IAM 角色

3.1 创建 Identity pool 及 IAM role

3.2 配置 Developer provider name

3.3 创建 IAM 角色

利用 identity pool 生成的 身份证书管理 CMK(权限已在 CMK 管理中指定),删除其他的权限


4 实现 Cognito Developer provider

Java


/*  *   *  Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. *   *  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except *  in compliance with the License. A copy of the License is located at *   *  http://aws.amazon.com/apache2.0 *   *  or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the *  specific language governing permissions and limitations under the License. *    */
package com.amazon.saas.idp;
import java.util.Collections;import java.util.Map;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;import com.amazonaws.services.cognitoidentity.AmazonCognitoIdentity;import com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClientBuilder;import com.amazonaws.services.cognitoidentity.model.GetCredentialsForIdentityRequest;import com.amazonaws.services.cognitoidentity.model.GetCredentialsForIdentityResult;import com.amazonaws.services.cognitoidentity.model.GetOpenIdTokenForDeveloperIdentityRequest;import com.amazonaws.services.cognitoidentity.model.GetOpenIdTokenForDeveloperIdentityResult;
public class CognitoDeveloperIdentityProvider { private String region = "cn-north-1"; //cognito 对于 sts 的 provider id 中国区选择 "cognito-identity.cn-north-1.amazonaws.com.cn" private String cognitoProviderId= "cognito-identity.cn-north-1.amazonaws.com.cn"
// 前面配置的 Developer Identity Provider Name private String developerIdentityProviderName = "developerIdentityProviderName"; // indentity pool id 如 cn-north-1:cc310c44-de78-4661-8e6e-8cc21d974058
private String identityPoolId="cn-north-1:cc310c44-de78-4661-8e6e-8cc21d974058";
private AmazonCognitoIdentity amazonCognitoIdentity; // 构建 AmazonCognitoIdentityClient public void init() { AmazonCognitoIdentityClientBuilder cidBuilder = AmazonCognitoIdentityClientBuilder.standard(); cidBuilder.setRegion(region); cidBuilder.setCredentials(DefaultAWSCredentialsProviderChain.getInstance()); amazonCognitoIdentity = cidBuilder.build(); } //获取 cognito OpenIdToken public GetOpenIdTokenForDeveloperIdentityResult getOpenIdTokenFromCognito(String tenantid, String userid) { GetOpenIdTokenForDeveloperIdentityRequest request = new GetOpenIdTokenForDeveloperIdentityRequest(); request.setIdentityPoolId(identityPoolId); Map<String, String> logins = Collections.singletonMap(developerIdentityProviderName, tenantid + ":" + userid); request.setLogins(logins); GetOpenIdTokenForDeveloperIdentityResult result = amazonCognitoIdentity .getOpenIdTokenForDeveloperIdentity(request); return result; } //获取 aws credentials 用于调用 KMS public GetCredentialsForIdentityResult getCredentialsForIdentity(String identityid, String token, TenantUserInfo userinfo) { GetCredentialsForIdentityRequest request = new GetCredentialsForIdentityRequest(); request.setIdentityId(identityid); request.setLogins(Collections.singletonMap(cognitoProviderId, token)); GetCredentialsForIdentityResult result = amazonCognitoIdentity.getCredentialsForIdentity(request); return result; }
}
复制代码

5 实现数据加密解密

5.1 AWS 证书与 data key 缓存

Java


/*  *   *    Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. *     *    Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except *    in compliance with the License. A copy of the License is located at *     *    http://aws.amazon.com/apache2.0 *     *    or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the *    specific language governing permissions and limitations under the License. *    */
package com.amazon.saas.tes;
import java.util.concurrent.TimeUnit;
import com.amazon.saas.tes.TenantCryptoMaterialsManagerHolder.Cachekey;import com.amazonaws.auth.BasicSessionCredentials;import com.amazonaws.encryptionsdk.CryptoMaterialsManager;import com.amazonaws.encryptionsdk.MasterKeyProvider;import com.amazonaws.encryptionsdk.caching.CachingCryptoMaterialsManager;import com.amazonaws.encryptionsdk.caching.CryptoMaterialsCache;import com.amazonaws.encryptionsdk.caching.LocalCryptoMaterialsCache;import com.amazonaws.encryptionsdk.kms.KmsMasterKey;import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;import com.google.common.cache.CacheBuilder;import com.google.common.cache.CacheLoader;import com.google.common.cache.LoadingCache;import lombok.AllArgsConstructor;import lombok.EqualsAndHashCode;import lombok.Getter;import lombok.Setter;public class TenantCryptoMaterialsManagerHolder extends CacheLoader<Cachekey, CryptoMaterialsManager> { @Getter @Setter @AllArgsConstructor public static class Cachekey { private String tenantID; private String userid; } @Data public static class Config { private String keyArn; private int maxCacheSize; private int maxEntryAge; private int credentialsDuration;
} private LoadingCache<Cachekey, CryptoMaterialsManager> cache; private Config config; public void init() { //配置缓存参数 config=new Config(); cache = CacheBuilder.newBuilder().maximumSize(10000) .expireAfterWrite(config.getCredentialsDuration(), TimeUnit.MINUTES).build(this); }
public CryptoMaterialsManager createMaterialsManager(Cachekey key) { Credentials credentialsForIdentity = cognitoDeveloperIdentityProviderClient;

MasterKeyProvider<KmsMasterKey> keyProvider = KmsMasterKeyProvider.builder() .withKeysForEncryption(config.getKeyArn()) .withCredentials(new BasicSessionCredentials(credentialsForIdentity.getAccessKeyId(), credentialsForIdentity.getSecretKey(), credentialsForIdentity.getSessionToken())) .build();

int MAX_CACHE_SIZE = config.getMaxCacheSize(); CryptoMaterialsCache cache = new LocalCryptoMaterialsCache(MAX_CACHE_SIZE);
int MAX_ENTRY_AGE_SECONDS = config.getMaxEntryAge(); int MAX_ENTRY_MSGS = config.getMaxCacheSize();

CryptoMaterialsManager cachingCmm = CachingCryptoMaterialsManager.newBuilder() .withMasterKeyProvider(keyProvider).withCache(cache).withMaxAge(MAX_ENTRY_AGE_SECONDS, TimeUnit.SECONDS) .withMessageUseLimit(MAX_ENTRY_MSGS).build(); return cachingCmm; }
public CryptoMaterialsManager getMaterialsManager(TenantUserInfo userinfo) { return cache.get(new Cachekey(userinfo.getTenantID(), userinfo.getUserid())); }
@Override public CryptoMaterialsManager load(Cachekey key) throws Exception { return createMaterialsManager(key); }
}
复制代码

5.2 数据加密解密

Java


/*  *   *    Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. *     *    Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except *    in compliance with the License. A copy of the License is located at *     *    http://aws.amazon.com/apache2.0 *     *    or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the *    specific language governing permissions and limitations under the License. *    */
package com.amazon.saas.tes;
import java.util.Collections;
import com.amazonaws.encryptionsdk.AwsCrypto;import com.amazonaws.encryptionsdk.CryptoMaterialsManager;import com.amazonaws.encryptionsdk.CryptoResult;
import org.springframework.beans.factory.annotation.Autowired;
public class EncDecService { private final AwsCrypto crypto = new AwsCrypto(); @Autowired TenantCryptoMaterialsManagerHolder tenantCryptoMaterialsManagerHolder;
public TESEncryptedMessage encrypt(String plaintext, String authorizationHeader, TenantUserInfo userinfo) { CryptoMaterialsManager cmm = tenantCryptoMaterialsManagerHolder.getMaterialsManager(authorizationHeader, userinfo); String message = crypto.encryptString(cmm, plaintext, Collections.singletonMap("tenantid.userid", userinfo.getTenantID() + "." + userinfo.getUserid())) .getResult(); TESEncryptedMessage re = new TESEncryptedMessage(); re.setEncyptedMsg(message); return re; }
public TesPlainText dectypt(String encryptMessage, String authorizationHeader, TenantUserInfo userinfo) { CryptoMaterialsManager cmm = tenantCryptoMaterialsManagerHolder.getMaterialsManager(authorizationHeader, userinfo); CryptoResult<String, ?> decryptResult = crypto.decryptString(cmm, encryptMessage); TesPlainText re = new TesPlainText(); re.setText(decryptResult.getResult()); return re;
}
复制代码


作者介绍:


*


!



### [](https://amazonaws-china.com/cn/blogs/china/tag/%E4%BB%BB%E8%80%80%E6%B4%B2/)
AWS解决方案架构师,负责企业客户应用在AWS的架构咨询和 设计。在微服务架构设计、数据库等领域有丰富的经验
复制代码


本文转载自 AWS 技术博客。


原文链接:https://amazonaws-china.com/cn/blogs/china/aws-kms-enables-secure-data-encryption-across-tenants/


2019-12-26 13:47807

评论

发布
暂无评论
发现更多内容

全网首发!马士兵内部共享—1658页《Java面试突击核心讲》

收到请回复

Java 程序员 面试 架构师 金九银十

业界良心啊!第五次更新的Spring Cloud Alibaba升级太多内容

Java 编程 程序员 IT 计算机

MySQL 数据库开发入门(三):Navicat 客户端的使用

程序员小呆

MySQL MySQL 高可用 MySQL 运维 :MySQL 数据库 MySQL 数据库

基于区块链的供应链金融创新

CECBC

Node.js 日志之 winston 实践

devpoint

nodejs winston logger 10月月更

阿里大牛开源内部"JDK源码手册"一经现世,惊艳四方

Java 架构 面试 程序人生 编程语言

五分钟了解 Blazor

智联大前端

blazor

双非学历为进大厂天天刷Java面试题,面试却履败,原因竟是算法?

Java 编程 程序员 架构 IT

从Engineer到Leader,我在思考啥?

夏兮。

互联网 管理 技术人 IT

gRPC,爆赞

AlwaysBeta

golang 编程 gRPC 后端 Go 语言

拿蚂蚁offer,全靠阿里P8大牛总结的Java架构开发手册

Java 编程 程序员 架构 面试

MySQL 数据库开发入门(一):安装与常用命令

程序员小呆

MySQL 数据库开发入门(二):数据库表的创建与管理

程序员小呆

MySQL MySQL 高可用 MySQL 运维 MySQL 数据库 java

MySQL 数据库开发入门(四):MySQL 的数据引擎

程序员小呆

MySQL MySQL 高可用 :MySQL 数据库 MySQL 数据库 java

应用出海,如何使用苹果 CallKit 提升网络通话体验

融云 RongCloud

音视频 出海社交

学生试卷&答题结构redis存储

Nico

面试官:你说说ThreadLocal为什么会导致内存泄漏?

长河

Java

Groovy记录(1)-GroovyClassLoader

春秋易简

Groovy

OceanBase 存储层代码解读(一)引言

OceanBase 数据库

oceanbase OceanBase 开源 OceanBase 社区版 OceanBase 数据库大赛

区块链技术赋能音乐作品版权保护 法院采信存证证书作为有效权属证据

CECBC

艺术市场的区块链革命

CECBC

AtomSolutions与Bholdus缔结业务合作伙伴关系

Geek_c610c0

前后端、多语言、跨云部署,全链路追踪到底有多难?

阿里巴巴云原生

阿里云 云原生 全链路追踪

趣说Node.js的回调函数

Regan Yue

node.js JavaScrip Regan Yue 10月月更

Groovy 记录(2)-CompilationUnit

春秋易简

Serverless 工程实践 | 零基础上手 Knative 应用

阿里巴巴云原生

阿里云 Serverless 云原生 Knative

「架构师教程」二十年架构师「马士兵」大牛的Java高级架构师教程

Java 编程 程序员 IT 计算机

ToB产品如何自传播(下)

石云升

产品经理 产品思维 10月月更

自定义 View:如何手动绘制一个头像控件

Changing Lin

10月月更

百度翻译团队获“2021年大数据科技传播奖”未来奖

百度大脑

人工智能

Alibaba最新微服务持续集成,内含(Jenkins+Docker+Spring Cloud+K8S)

Java 架构 面试 程序人生 编程语言

AWS KMS 实现跨租户的安全数据加密(二)_语言 & 开发_亚马逊云科技 (Amazon Web Services)_InfoQ精选文章