Enable encryption at rest in SQS for serverless

We are using the Serverless framework for our microservice application (Lambda functions). In the serverless.yml file we list the resources that need to be created at deployment time.

The resources section of the serverless.yml file looks like this:

resources:
    Resources:
        GatewayResponse:
            Type: "AWS::ApiGateway::GatewayResponse"
            Properties:
                ResponseParameters:
                    gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
                    gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
                ResponseType: EXPIRED_TOKEN
                RestApiId:
                    Ref: "ApiGatewayRestApi"
                StatusCode: "401"
        AuthFailureGatewayResponse:
            Type: "AWS::ApiGateway::GatewayResponse"
            Properties:
                ResponseParameters:
                    gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
                    gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
                ResponseType: UNAUTHORIZED
                RestApiId:
                    Ref: "ApiGatewayRestApi"
                StatusCode: "401"
        SqsQueue:
            Type: "AWS::SQS::Queue"
            Properties:
                QueueName: ${opt:stage}-${opt:product}-sqs-queue
                VisibilityTimeout: 900
                RedrivePolicy:
                    deadLetterTargetArn:
                        Fn::GetAtt:
                        - SqsDeadLetterQueue
                        - Arn
                    maxReceiveCount: 1
        SqsDeadLetterQueue:
            Type: AWS::SQS::Queue
            Properties:
                QueueName: ${opt:stage}-${opt:product}-deadletter-queue
                MessageRetentionPeriod: 1209600

As you can see, we also create the SQS queue resources there. Initially we did not enable encryption at rest on our SQS queues, but now it is required.

I could go into the AWS console and manually enable encryption at rest for each queue we created from there, but that would be tedious, and I want to include it in the serverless.yml creation so that any SQS resource created from now on has encryption enabled by default.

I would like to know what I need to add to the resources section of serverless.yml. Do I add a CMK (customer master key) alias? Can I use the default CMK alias, or do I need to generate a new one for this purpose? Do I also need to modify the other Lambdas that reference the SQS queue so that they can access it?

To add encryption to a queue, you must add KmsMasterKeyId to the queue in the template. If you want to use the AWS-managed CMK, the ID is alias/aws/sqs (assuming both queues):

resources:
    Resources:
        GatewayResponse:
            Type: "AWS::ApiGateway::GatewayResponse"
            Properties:
                ResponseParameters:
                    gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
                    gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
                ResponseType: EXPIRED_TOKEN
                RestApiId:
                    Ref: "ApiGatewayRestApi"
                StatusCode: "401"
        AuthFailureGatewayResponse:
            Type: "AWS::ApiGateway::GatewayResponse"
            Properties:
                ResponseParameters:
                    gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
                    gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
                ResponseType: UNAUTHORIZED
                RestApiId:
                    Ref: "ApiGatewayRestApi"
                StatusCode: "401"
        SqsQueue:
            Type: "AWS::SQS::Queue"
            Properties:
                QueueName: ${opt:stage}-${opt:product}-sqs-queue
                VisibilityTimeout: 900
                RedrivePolicy:
                    deadLetterTargetArn:
                        Fn::GetAtt:
                        - SqsDeadLetterQueue
                        - Arn
                    maxReceiveCount: 1
                KmsMasterKeyId: alias/aws/sqs
        SqsDeadLetterQueue:
            Type: AWS::SQS::Queue
            Properties:
                QueueName: ${opt:stage}-${opt:product}-deadletter-queue
                MessageRetentionPeriod: 1209600
                KmsMasterKeyId: alias/aws/sqs
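A small audit that complements the answer, added here as an example and not code from the question or the answer: it walks the parsed resources section of a serverless.yml and classifies every AWS::SQS::Queue by its encryption-at-rest setting, so a queue that was missed (like the "before" template above) is flagged before deployment. It assumes the YAML has already been loaded into a dict with a YAML library; the template and the customer-managed key alias below are constructed for this example.

```python
# Added example, not code from the question or the answer above. It audits the
# parsed `resources` section of a serverless.yml (the dict a YAML library
# returns; that load is omitted so the example has no dependencies) and
# classifies every AWS::SQS::Queue by its encryption-at-rest setting.
AWS_MANAGED_SQS_KEY = "alias/aws/sqs"  # AWS-managed CMK used in the answer

# Constructed template: the page's queue before the fix, the dead-letter queue
# after the fix, and one queue using a hypothetical customer-managed key alias.
SAMPLE_RESOURCES = {
    "Resources": {
        "GatewayResponse": {"Type": "AWS::ApiGateway::GatewayResponse", "Properties": {}},
        "SqsQueue": {
            "Type": "AWS::SQS::Queue",
            "Properties": {"QueueName": "dev-app-sqs-queue", "VisibilityTimeout": 900},
        },
        "SqsDeadLetterQueue": {
            "Type": "AWS::SQS::Queue",
            "Properties": {"QueueName": "dev-app-deadletter-queue",
                           "KmsMasterKeyId": AWS_MANAGED_SQS_KEY},
        },
        "AuditQueue": {
            "Type": "AWS::SQS::Queue",
            "Properties": {"KmsMasterKeyId": "alias/example-cmk"},  # hypothetical CMK alias
        },
    }
}

def classify_queue(props: dict) -> str:
    """Map a queue's Properties to its encryption-at-rest mode."""
    key_id = props.get("KmsMasterKeyId")
    if key_id == AWS_MANAGED_SQS_KEY:
        return "sse-kms-aws-managed"   # key policy already allows same-account use via SQS
    if key_id:
        # Producers need kms:GenerateDataKey and consumers (e.g. Lambda) need
        # kms:Decrypt on this key, granted via IAM and/or the key policy.
        return "sse-kms-customer-managed"
    if props.get("SqsManagedSseEnabled") is True:
        return "sse-sqs"               # SQS-owned key; also encryption at rest
    return "unencrypted"

def audit_sqs_encryption(resources: dict) -> dict:
    """Return {logical queue name: encryption mode} for every AWS::SQS::Queue."""
    return {
        name: classify_queue(res.get("Properties") or {})
        for name, res in resources.get("Resources", {}).items()
        if res.get("Type") == "AWS::SQS::Queue"
    }

def unencrypted_queues(resources: dict) -> list:
    """Names of queues that would fail an encryption-at-rest check."""
    return [n for n, mode in audit_sqs_encryption(resources).items() if mode == "unencrypted"]
```

Run it against your real template by replacing SAMPLE_RESOURCES with the loaded `resources` mapping; a non-empty result from unencrypted_queues is the list of queues still missing KmsMasterKeyId.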