Creating Secrets Using Best Practices
Overview
Domain expertise for creating and managing secrets in AWS Secrets Manager with
production-grade security controls: encryption under a dedicated KMS key, automatic rotation,
least-privilege IAM policies, CloudTrail auditing, and lifecycle management.
Create a secret with best practices
To create a properly secured secret in AWS Secrets Manager, follow the secret creation
procedure exactly; it is linked from this page rather than reproduced here.
The procedure supports four secret types: database credentials, API keys, OAuth tokens,
and custom secrets. Each type is stored as a JSON document with a layout appropriate to it
(database credentials, for example, carry engine, host, port, database name, username and
password so that a rotation function can find them) and is encrypted with a dedicated KMS
key rather than the account's default aws/secretsmanager key, so that use of the key, and
therefore of the ciphertext, can be governed and audited per secret through the key policy.
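The sequence the procedure describes, written out as an added example (this is not the page's or the linked procedure's own code): create a dedicated KMS key whose policy only lets the application role use it through Secrets Manager in one region, store a database-credential secret under that key, tag it, and attach a Lambda rotation schedule. The boto3 clients are injected so the flow can be run offline against a recording stub; the account id, region, role ARN, rotation Lambda ARN and the password value are placeholders, and the consumer IAM policy is the least-privilege shape a practitioner would hand to the reading principal.

```python
"""Create a Secrets Manager secret with the controls the procedure calls for:
a dedicated KMS key usable only through Secrets Manager, a structured secret
value, tags, and automatic rotation.

Added example, not the page's own code. The clients are passed in so the flow
runs offline against the stub below; pass boto3.client("kms") and
boto3.client("secretsmanager") to execute it for real. Account id, region,
role ARN and rotation Lambda ARN are placeholders."""
import json


def build_key_policy(account_id, region, app_role_arn):
    """Account root administers the key; the application role may use it only
    when the request comes through Secrets Manager in this region and account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "RootAdministersKey", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "UseOnlyViaSecretsManager", "Effect": "Allow",
         "Principal": {"AWS": app_role_arn},
         "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "kms:ViaService": f"secretsmanager.{region}.amazonaws.com",
             "kms:CallerAccount": account_id}}},
    ]}


def build_db_secret(engine, host, port, dbname, username, password):
    """Database credentials in the field layout the AWS-provided RDS rotation
    functions read, serialised as the JSON string Secrets Manager stores."""
    return json.dumps({"engine": engine, "host": host, "port": port, "dbname": dbname,
                       "username": username, "password": password})


def build_reader_policy(secret_arn, key_arn, region):
    """Least-privilege identity policy for a consumer: one secret, one key,
    and the key only through Secrets Manager."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": secret_arn,
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn,
         "Condition": {"StringEquals": {
             "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}},
    ]}


def create_secret_with_best_practices(kms, secretsmanager, *, name, secret_string,
                                      account_id, region, app_role_arn,
                                      rotation_lambda_arn, rotate_after_days=30):
    """Dedicated key -> key material rotation on -> secret encrypted with that
    key -> Lambda rotation schedule. Returns the ARNs needed for IAM policies."""
    key = kms.create_key(
        Description=f"Secrets Manager key for {name}",
        KeyUsage="ENCRYPT_DECRYPT", KeySpec="SYMMETRIC_DEFAULT",
        Policy=json.dumps(build_key_policy(account_id, region, app_role_arn)),
    )["KeyMetadata"]
    kms.enable_key_rotation(KeyId=key["KeyId"])
    secret = secretsmanager.create_secret(
        Name=name, SecretString=secret_string, KmsKeyId=key["Arn"],
        Tags=[{"Key": "Owner", "Value": "platform-security"},
              {"Key": "Rotation", "Value": "lambda"}])
    secretsmanager.rotate_secret(
        SecretId=secret["ARN"], RotationLambdaARN=rotation_lambda_arn,
        RotationRules={"AutomaticallyAfterDays": rotate_after_days})
    return {"secret_arn": secret["ARN"], "key_arn": key["Arn"], "key_id": key["KeyId"]}


class RecordingClient:
    """Stand-in for a boto3 client: records each call, returns canned responses."""
    def __init__(self, responses=None):
        self.calls, self._responses = [], responses or {}

    def __getattr__(self, operation):
        def call(**kwargs):
            self.calls.append((operation, kwargs))
            return self._responses.get(operation, {})
        return call


def demo():
    """Run the flow against stubs with placeholder identifiers; returns the
    result plus the operation sequence each client saw."""
    account, region = "123456789012", "us-east-1"
    key_id = "11111111-2222-3333-4444-555555555555"
    key_arn = f"arn:aws:kms:{region}:{account}:key/{key_id}"
    secret_arn = f"arn:aws:secretsmanager:{region}:{account}:secret:prod/app/db-AbCdEf"
    kms = RecordingClient({"create_key": {"KeyMetadata": {"KeyId": key_id, "Arn": key_arn}}})
    sm = RecordingClient({"create_secret": {"ARN": secret_arn, "Name": "prod/app/db"}})
    result = create_secret_with_best_practices(
        kms, sm, name="prod/app/db",
        secret_string=build_db_secret("postgres", "db.internal", 5432, "app",
                                      "app_user", "placeholder-not-a-real-password"),
        account_id=account, region=region,
        app_role_arn=f"arn:aws:iam::{account}:role/app-runtime",
        rotation_lambda_arn=f"arn:aws:lambda:{region}:{account}:function:SecretsManagerRotation")
    return result, [op for op, _ in kms.calls], [op for op, _ in sm.calls]
```

The key policy deliberately omits kms:Encrypt: Secrets Manager calls GenerateDataKey when it writes a version and Decrypt when it reads one, so those two plus DescribeKey are the complete set, and the kms:ViaService condition means the role cannot use the key directly to decrypt ciphertext it obtained some other way.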
Troubleshooting
KMS key access issues
Two different principals are involved. The principal that runs the procedure needs
kms:CreateKey and kms:PutKeyPolicy to create the dedicated key. The principal that reads
or writes the secret needs the key policy to grant it kms:GenerateDataKey (used on write
and rotation), kms:Decrypt (used on read) and kms:DescribeKey, scoped with a kms:ViaService
condition to secretsmanager.<region>.amazonaws.com. Check that the region in that condition
matches the region the secret lives in: a condition naming another region denies the call
just as a missing grant does. Secrets Manager surfaces key problems as EncryptionFailure
on write and DecryptionFailure on read. See the full procedure for details.
Rotation setup failures
Check that the Lambda rotation function exists, that its resource policy allows
secretsmanager.amazonaws.com to call lambda:InvokeFunction on it, that its execution role
may read and update the secret it rotates, and that it can reach the target system (a
function attached to a VPC needs a route to the database and, for the Secrets Manager API,
a NAT gateway or VPC endpoint). Review the function's CloudWatch Logs for the failing step;
the AWS-provided rotation functions log which of createSecret, setSecret, testSecret and
finishSecret failed.
Secret access denied
Verify the IAM policy is attached to the correct principal and names the secret's ARN, that
the KMS key policy allows the principal kms:Decrypt (and kms:GenerateDataKey for write and
rotation), and that the principal is calling over HTTPS, which matters when the policies
carry an aws:SecureTransport condition. See the full procedure for details.
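The three troubleshooting entries above (KMS key access, rotation setup, secret access denied) reduce to a few policy-document checks that can be run offline before touching the console. The added example below is not the page's own tooling: it checks a KMS key policy for the three grants scoped by kms:ViaService to the secret's region, flags the wrong-region case separately because it denies exactly like a missing grant, and checks a Lambda resource policy for the Secrets Manager invoke permission. The policy documents are constructed samples; in practice feed in the JSON from kms.get_key_policy(...)["Policy"] and lambda.get_policy(...)["Policy"]. Role and function ARNs are placeholders, and explicit Deny statements are not modelled.

```python
"""Offline checks for the troubleshooting cases above: may this principal use
the KMS key through Secrets Manager in this region, and may Secrets Manager
invoke the rotation function?

Added example, not the page's own code. Sample policies are constructed here;
feed in kms.get_key_policy(KeyId=..., PolicyName="default")["Policy"] and
lambda.get_policy(FunctionName=...)["Policy"] for real checks. ARNs are
placeholders. Explicit Deny statements are not modelled."""
import fnmatch
import json

NEEDED_KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants(statement, action):
    """True if an Allow statement's Action covers `action` (wildcards, case-insensitive)."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))


def _names_principal(statement, principal_arn):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return principal_arn in aws or "*" in aws


def check_key_policy(policy_json, principal_arn, region):
    """Problems (empty list means OK) with using the key from Secrets Manager in
    `region`. A kms:ViaService condition naming another region is an outright
    denial for this one, the classic cause of DecryptionFailure on a policy that
    looks right at a glance; a grant with no condition works but is flagged."""
    expected_via = f"secretsmanager.{region}.amazonaws.com"
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    problems = []
    for action in NEEDED_KMS_ACTIONS:
        usable, unscoped, wrong_region = False, False, set()
        for st in statements:
            if not (_names_principal(st, principal_arn) and _grants(st, action)):
                continue
            via = st.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
            if via is None:
                usable, unscoped = True, True
            elif expected_via in _as_list(via):
                usable = True
            else:
                wrong_region.update(_as_list(via))
        if not usable:
            detail = f" (only via {sorted(wrong_region)})" if wrong_region else ""
            problems.append(f"{action} not granted to {principal_arn} via {expected_via}{detail}")
        elif unscoped:
            problems.append(f"{action} is granted without a kms:ViaService condition; "
                            f"scope it to {expected_via}")
    return problems


def check_rotation_lambda_policy(policy_json):
    """Secrets Manager calls the rotation function, so its resource policy must allow it."""
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "secretsmanager.amazonaws.com" in services and _grants(st, "lambda:InvokeFunction"):
            return []
    return ["resource policy lacks lambda:InvokeFunction for secretsmanager.amazonaws.com "
            "(grant it with aws lambda add-permission --principal secretsmanager.amazonaws.com)"]


ROLE = "arn:aws:iam::123456789012:role/app-runtime"  # placeholder principal

# Constructed key policies: correct for us-east-1, scoped to the wrong region, unscoped.
GOOD_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Resource": "*",
     "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"],
     "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}}}]})
WRONG_REGION_KEY_POLICY = GOOD_KEY_POLICY.replace("us-east-1", "eu-west-1")
UNSCOPED_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "kms:*", "Resource": "*"}]})

# Constructed Lambda resource policies in the shape lambda.get_policy() returns.
GOOD_LAMBDA_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "secretsmanager.amazonaws.com"},
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:SecretsManagerRotation"}]})
NO_INVOKE_LAMBDA_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})


def run_checks():
    """Run every check over the constructed samples; returns problem lists by case."""
    return {
        "good_key": check_key_policy(GOOD_KEY_POLICY, ROLE, "us-east-1"),
        "wrong_region_key": check_key_policy(WRONG_REGION_KEY_POLICY, ROLE, "us-east-1"),
        "unscoped_key": check_key_policy(UNSCOPED_KEY_POLICY, ROLE, "us-east-1"),
        "good_lambda": check_rotation_lambda_policy(GOOD_LAMBDA_POLICY),
        "no_invoke_lambda": check_rotation_lambda_policy(NO_INVOKE_LAMBDA_POLICY),
    }
```

Run the checks against the key the secret actually references (its KmsKeyId from describe-secret) rather than the one you think it uses; a secret created before the dedicated key existed is still sitting under aws/secretsmanager, and no amount of key-policy editing will change what it was encrypted with.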