Cloud Firewall:Encrypt logs

Last Updated:Jun 25, 2024

If you want to encrypt and store logs that are collected by using the log analysis feature of Cloud Firewall, you can use service keys provided by Simple Log Service or use Bring Your Own Key (BYOK) keys. This topic describes how to encrypt logs.

Data encryption mechanism

Simple Log Service supports the following encryption types:

  • Encryption by using service keys

    Simple Log Service generates an independent service key for each Logstore. The service key never expires and is managed entirely by the service; you do not see or rotate it.

    Simple Log Service supports the Advanced Encryption Standard (AES) and SM4 encryption algorithms. The algorithm is chosen by the encrypt_type field of encrypt_conf: default selects AES and sm4 selects SM4.

  • Encryption by using Bring Your Own Key (BYOK) keys

    You create a customer master key (CMK) in the KMS console and grant Simple Log Service permission to use it. When Simple Log Service calls a KMS API operation, this CMK is used to create the key that encrypts the log data. If the CMK is deleted or disabled, the corresponding BYOK key becomes invalid.

    Important

    If the CMK created in the KMS console becomes invalid, all read and write requests to the Logstore fail: logs already stored cannot be read and new logs cannot be written until the CMK is usable again. Treat disabling or scheduling deletion of that CMK as a production change to the Logstore, not only as a KMS housekeeping task.

Limits

When you configure data encryption settings for the first time, you can select a data encryption mechanism. After the settings are configured, you cannot change the data encryption mechanism or modify the encryption algorithm or encryption type. You can configure only the enable parameter to enable or disable data encryption. You must add the complete settings of the encrypt_conf parameter each time you update a Logstore.

For example, the first time you select encryption by using service keys provided by Simple Log Service, you cannot switch to encryption by using BYOK keys.

Encryption by using service keys

When you call the CreateLogStore operation to create a Logstore or call the UpdateLogStore operation to modify a Logstore, add the encrypt_conf parameter to configure the encryption settings. For more information, see CreateLogStore or UpdateLogStore.

The following table describes the fields in the encrypt_conf parameter. Do not specify the user_cmk_info field.

  • encrypt_conf (object): The data structure of the encryption configuration.

  • enable (boolean): Specifies whether to enable data encryption. Valid values: true and false. Example: true

  • encrypt_type (string): The encryption algorithm. Valid values: default and sm4. Required if enable is set to true. Example: default

  • user_cmk_info (EncryptUserCmkConf): Omit this field for service-key encryption. If it is configured, a BYOK key is used instead of the service key. Example (BYOK only):

    { "cmk_key_id": "f5136b95-2420-ab31-xxxxxxxxx", "arn": "acs:ram::13234:role/logsource", "region_id": "cn-hangzhou" }

Encryption by using BYOK keys

Prerequisites

Key Management Service (KMS) is activated. For more information, see Purchase a dedicated KMS instance.

Step 1: Authorize Simple Log Service to access KMS

Before you can use a BYOK key to encrypt data, you must authorize Simple Log Service to access KMS.

  1. Log on to the RAM console.

  2. Create a RAM role. For more information, see Step 1: Create a RAM role.

  3. Modify the trust policy of the RAM role. For more information, see Edit the trust policy of a RAM role.

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "log.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
  4. Grant the AliyunKMSReadOnlyAccess and AliyunKMSCryptoUserAccess permissions to the RAM role. For more information, see Grant permissions to a RAM role.

  5. Before a RAM user can encrypt data by using a BYOK key, the RAM user must hold the PassRole permission for the role created in step 2. Create a custom policy with the following content and attach it to the RAM user. For more information, see Create a custom policy and Grant permissions to RAM users.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ram:PassRole",
                "Resource": "acs:ram::13234:role/logsource"
            }
        ]
    }

    Set Resource to the Alibaba Cloud Resource Name (ARN) of the RAM role from step 2 (acs:ram::13234:role/logsource is the example ARN used elsewhere in this topic). For more information, see How do I obtain the ARN of a RAM role? Do not leave Resource as acs:ram::*: that grants the user ram:PassRole on every role in the account, so the user could hand a more privileged role to any service that accepts one.
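The following Python script is an added example, not Alibaba Cloud code: it builds the trust policy and a PassRole policy scoped to the one role from Step 1, then audits both for the over-broad settings a reviewer would flag (an extra principal in the trust policy, a wildcard Resource on ram:PassRole). The role ARN and the sample policies are constructed from the values used in this topic; the function names are this example's own.

```python
import json

# Added example (not Alibaba Cloud code): generate and audit the Step 1 policies.
SLS_SERVICE_PRINCIPAL = "log.aliyuncs.com"   # the service principal from the trust policy above


def trust_policy():
    """Trust policy that lets only Simple Log Service assume the role."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [SLS_SERVICE_PRINCIPAL]},
        }],
        "Version": "1",
    }


def pass_role_policy(role_arn):
    """PassRole policy scoped to the single role SLS needs, never acs:ram::*."""
    if not role_arn.startswith("acs:ram::") or ":role/" not in role_arn:
        raise ValueError("not a RAM role ARN: %r" % role_arn)
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "ram:PassRole", "Resource": role_arn}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Findings for every principal other than the SLS service that may assume the role."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        for kind, who in st.get("Principal", {}).items():
            for principal in _as_list(who):
                if kind == "Service" and principal == SLS_SERVICE_PRINCIPAL:
                    continue
                findings.append("trust policy also lets %s %s assume the role" % (kind, principal))
    return findings


def audit_pass_role_policy(policy, expected_role_arn):
    """Findings for PassRole grants that reach beyond the expected role."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        if not any(a in actions for a in ("ram:PassRole", "ram:*", "*")):
            continue
        for resource in _as_list(st.get("Resource")):
            if "*" in resource:
                findings.append("PassRole on wildcard resource %s: any role can be passed" % resource)
            elif resource != expected_role_arn:
                findings.append("PassRole on unexpected role %s" % resource)
    return findings


# Constructed samples: the example role ARN from this topic, the wildcard PassRole
# policy beside its scoped form, and a trust policy with one principal too many.
ROLE_ARN = "acs:ram::13234:role/logsource"
WEAK_PASS_ROLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:PassRole", "Resource": "acs:ram::*"}]}
WEAK_TRUST = {"Version": "1", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": [SLS_SERVICE_PRINCIPAL], "RAM": ["acs:ram::13234:root"]}}]}

if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(pass_role_policy(ROLE_ARN), indent=2))
    print("weak PassRole:", audit_pass_role_policy(WEAK_PASS_ROLE, ROLE_ARN))
    print("scoped PassRole:", audit_pass_role_policy(pass_role_policy(ROLE_ARN), ROLE_ARN))
    print("weak trust:", audit_trust_policy(WEAK_TRUST))
```

Run the audit against the policy documents you actually attached (exported from the RAM console as JSON) before enabling BYOK; an empty findings list for both is the expected state.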

Step 2: Configure data encryption for a Logstore

After you enable the log analysis feature, the system automatically creates a dedicated project and a dedicated Logstore. You must call the UpdateLogStore operation to encrypt data and add the encrypt_conf parameter to configure the encryption settings.

Before you call the UpdateLogStore operation, you must call the GetLogStore operation to obtain the original configurations of the Logstore. After you modify the configurations, add the configuration after modification to the UpdateLogStore operation.

The following table describes the fields in the encrypt_conf parameter. You must configure the user_cmk_info parameter.

  • encrypt_conf (object): The data structure of the encryption configuration.

  • enable (boolean): Specifies whether to enable data encryption. Valid values: true and false. Example: true

  • encrypt_type (string): The encryption algorithm. Valid values: default and sm4. Required if enable is set to true. Example: default

  • user_cmk_info (EncryptUserCmkConf): Required for BYOK encryption. If it is configured, the BYOK key is used; if it is omitted, the service key of Simple Log Service is used. Example:

    { "cmk_key_id": "f5136b95-2420-ab31-xxxxxxxxx", "arn": "acs:ram::13234:role/logsource", "region_id": "cn-hangzhou" }

Data structure of EncryptUserCmkConf

  • cmk_key_id (string): The ID of the customer master key (CMK) of the bring-your-own-key (BYOK) type. Example: f5136b95-2420-ab31-xxxxxxxxx

  • arn (string): The Alibaba Cloud Resource Name (ARN) of the Resource Access Management (RAM) role that Simple Log Service assumes to call KMS. Example: acs:ram::13234:role/logsource

  • region_id (string): The ID of the region where the CMK resides. Example: cn-hangzhou

The following Python example shows a complete encrypt_conf value. The empty strings are placeholders to fill in with your own CMK ID, role ARN and region ID:

encrypt_conf = {
    "enable": True,  # Specifies whether data encryption is enabled.
    "encrypt_type": "default",  # The encryption algorithm. Valid values: default and sm4.
    # Optional. If user_cmk_info is configured, the BYOK key is used. If it is omitted, the service key is used.
    "user_cmk_info": {
        "cmk_key_id": "",  # The ID of the CMK to which the BYOK key belongs, for example, f5136b95-2420-ab31-xxxxxxxxx.
        "arn": "",  # The ARN of the RAM role. For more information, see How do I obtain the ARN of a RAM role?
        "region_id": "",  # The ID of the region where the CMK resides.
    },
}
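The GetLogStore, modify, UpdateLogStore round trip described in Step 2, as an added example that is not Alibaba Cloud SDK code: it validates a user_cmk_info block before it reaches the API, assembles a complete encrypt_conf, and merges it into the Logstore configuration while enforcing the rule from the Limits section that, after the first configuration, only enable may change. The sample Logstore is constructed to resemble a GetLogStore response; treating a Logstore with no encrypt_conf as never configured is this example's assumption, as are the function names and the ARN and region ID patterns.

```python
import copy
import re

# Added example, not Alibaba Cloud SDK code. It builds and checks the encrypt_conf
# body for UpdateLogStore and applies the page's immutability rule; the sample
# Logstore below is constructed, with illustrative values only.
VALID_ENCRYPT_TYPES = ("default", "sm4")
ROLE_ARN_RE = re.compile(r"^acs:ram::\d+:role/[A-Za-z0-9._-]+$")   # assumed ARN shape
REGION_RE = re.compile(r"^[a-z]{2}-[a-z0-9-]+$")                   # e.g. cn-hangzhou (assumed)


def validate_user_cmk_info(info):
    """Reject a BYOK block with missing, empty or malformed fields before the API call."""
    missing = {"cmk_key_id", "arn", "region_id"} - set(info)
    if missing:
        raise ValueError("user_cmk_info is missing %s" % sorted(missing))
    if not isinstance(info["cmk_key_id"], str) or not info["cmk_key_id"]:
        raise ValueError("cmk_key_id must be a non-empty CMK ID")
    if not ROLE_ARN_RE.match(info["arn"]):
        raise ValueError("arn must be a RAM role ARN (acs:ram::<uid>:role/<name>), got %r" % info["arn"])
    if not REGION_RE.match(info["region_id"]):
        raise ValueError("region_id does not look like a region ID: %r" % info["region_id"])


def build_encrypt_conf(enable=True, encrypt_type="default", user_cmk_info=None):
    """Assemble a complete encrypt_conf; omit user_cmk_info to use the service key."""
    if encrypt_type not in VALID_ENCRYPT_TYPES:
        raise ValueError("encrypt_type must be one of %s" % (VALID_ENCRYPT_TYPES,))
    conf = {"enable": bool(enable), "encrypt_type": encrypt_type}
    if user_cmk_info is not None:
        validate_user_cmk_info(user_cmk_info)
        conf["user_cmk_info"] = dict(user_cmk_info)
    return conf


def mechanism(conf):
    """Which data encryption mechanism an encrypt_conf selects."""
    return "byok" if conf.get("user_cmk_info") else "service_key"


def merge_encrypt_conf(logstore, desired):
    """Return the full UpdateLogStore body: the Logstore as GetLogStore returned it,
    with encrypt_conf replaced by the complete desired block. Assumption: a Logstore
    without encrypt_conf has never been configured, so any mechanism may be chosen;
    afterwards the mechanism, encrypt_type and user_cmk_info are fixed."""
    current = logstore.get("encrypt_conf")
    if current is not None:
        if mechanism(current) != mechanism(desired):
            raise ValueError("cannot switch from %s to %s" % (mechanism(current), mechanism(desired)))
        if current.get("encrypt_type") != desired.get("encrypt_type"):
            raise ValueError("encrypt_type is fixed after the first configuration")
        if current.get("user_cmk_info") != desired.get("user_cmk_info"):
            raise ValueError("user_cmk_info is fixed after the first configuration")
    updated = copy.deepcopy(logstore)
    updated["encrypt_conf"] = copy.deepcopy(desired)   # always send the complete block
    return updated


# Constructed sample, shaped like a GetLogStore response for the dedicated
# Cloud Firewall Logstore; the BYOK values are the placeholders used in this topic.
SAMPLE_LOGSTORE = {
    "logstoreName": "cloudfirewall-logstore",
    "ttl": 180,
    "shardCount": 2,
    "autoSplit": True,
    "maxSplitShard": 64,
}
BYOK_INFO = {
    "cmk_key_id": "f5136b95-2420-ab31-xxxxxxxxx",
    "arn": "acs:ram::13234:role/logsource",
    "region_id": "cn-hangzhou",
}

if __name__ == "__main__":
    first = merge_encrypt_conf(SAMPLE_LOGSTORE, build_encrypt_conf(True, "default", BYOK_INFO))
    print("first configuration:", first["encrypt_conf"])
    # Later update: pausing encryption keeps the complete block and only flips enable.
    paused = merge_encrypt_conf(first, build_encrypt_conf(False, "default", BYOK_INFO))
    print("paused:", paused["encrypt_conf"])
    try:
        merge_encrypt_conf(first, build_encrypt_conf(True, "default"))   # back to service key
    except ValueError as exc:
        print("rejected:", exc)
```

The returned body is what you pass to UpdateLogStore; the merge keeps every other field from GetLogStore untouched, which is why the page tells you to fetch the current configuration first rather than sending encrypt_conf on its own.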

References

For more information, refer to the following operations of Simple Log Service: