Saltar al contenido
Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post
Acerca de re:Post

Can Cloudtrail support KMS code signing transparency logs (e.g. by logging signatures)?

-1

I would like to use AWS KMS for code signing. Additionally, I would like to publish transparency logs as an assurance that the signing key has not signed unknown code. However CloudTrail logs don't include useful information about the response, such as the original message digest or the resulting signature. The log entry only seems to really record that a sign operation was requested against a key ID, at a specific time.

Is there any way to get more detailed information about key use from KMS?

requestParameters	
  keyId	"4ae12714-..."
  messageType	"DIGEST"
  signingAlgorithm	"RSASSA_PKCS1_V1_5_SHA_512"
responseElements	null
requestID	"6f955fef-..."
eventID	"40787b80-..."
Temas
Administración y gobiernoSeguridad, identidad y cumplimiento
Etiquetas
AWS Key Management ServiceAWS CloudTrail
Idioma
English
preguntada hace 2 meses68 visualizaciones
1 Respuesta
1
Respuesta aceptada

CloudTrail does intentionally not log the message part of the invocation, nor the signature part of the response, and this is non-configurable.

If you want to build that, the easiest way is probably to write your own wrapper to kms.sign() and handle the logging there (so from your own application code), or, if it fits the requirements, the purpose-built AWS Signer which maintains its own signing audit trail.

AWS
respondido hace 2 meses
EXPERTO
revisado hace 2 meses
  • Gordon
    hace 2 meses

    CloudTrail does intentionally not log the message part of the invocation, nor the signature part of the response, and this is non-configurable.

    Disappointing, since that functionality is really essential to transparency (e.g. https://en.wikipedia.org/wiki/Certificate_Transparency)

    If you want to build that, the easiest way is probably to write your own wrapper to kms.sign()

    Logging use at the client really is not a substitute. If a key were misused, the adversarial misuse could simply log a plausible entry.

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Contenido relevante