All Products
Search
Document Center

Simple Log Service:Encrypt data

Last Updated:Dec 12, 2023

Simple Log Service allows you to use Key Management Service (KMS) to encrypt data for secure storage. This way, data is stored in a secure manner. This topic describes the data encryption mechanism of Simple Log Service and how to encrypt data by using KMS.

Prerequisites

KMS is activated. For more information, see Purchase a dedicated KMS instance.

Data encryption mechanism

Simple Log Service supports the following encryption types:

  • Encryption by using service keys

    Log service generates an independent service key for each Logstore. The service key never expires.

    Simple Log Service supports the Advanced Encryption Standard (AES) and SM4 encryption algorithms.

  • Encryption by using Bring Your Own Key (BYOK) keys

    You can create a CMK in the KMS console and grant the relevant permissions to Simple Log Service. When Simple Log Service calls a KMS API operation, this CMK is used to create a key that is used to encrypt data. If the CMK is deleted or disabled, the corresponding BYOK key becomes invalid.

    Important

    If the CMK created in the KMS console becomes invalid, all read and write requests to the Logstore fail.

Step 1: Authorize Simple Log Service to access KMS

Before you can use a BYOK key to encrypt data, you must authorize Simple Log Service to access KMS.

  1. Log on to the RAM console.

  2. Create a RAM role. For more information, see Step 1: Create a RAM role.

  3. Modify the trust policy of the RAM role. For more information, see Edit the trust policy of a RAM role.

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "log.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
  4. Grant the AliyunKMSReadOnlyAccess and AliyunKMSCryptoUserAccess permissions to the RAM role. For more information, see Grant permissions to a RAM role.

    Add permissions

  5. Before you can use a RAM user to encrypt data by using a BYOK key, you must grant the PassRole permission to the RAM user. To grant the PassRole permission to the RAM user, you can create a custom policy and attach the policy to the RAM user. For more information, see Create a custom policy and Grant permissions to RAM users.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ram:PassRole",
                "Resource": "acs:ram::*"   # The Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see How do I obtain the ARN of a RAM role? 
            }
        ]
    }

Step 2: Configure data encryption for a Logstore

When you call the CreateLogStore operation to create a Logstore or call the UpdateLogStore operation to modify a Logstore, add the encrypt_conf parameter to specify the encryption settings. The following code provides sample settings.

Important

After you complete the configuration, you cannot change the encryption algorithm or encryption type. You can configure only the enable parameter to enable or disable data encryption. You must add the complete settings of the encrypt_conf parameter each time you call the UpdataLogstore operation.

encrypt_conf = {
    "enable" : True, # Specifies whether data encryption is enabled. 
    "encrypt_type" : "default"# The encryption algorithm. Valid values: default and m4. 
    "user_cmk_info" : # Optional parameter. If you configure this parameter, the BYOK key is used. If you do not configure this parameter, the service key is used. 
    {
          "cmk_key_id" : "" # The ID of the CMK to which the BYOK key belongs, for example, f5136b95-2420-ab31-xxxxxxxxx. 
          "arn" :  "" # The ARN of the RAM role. For more information, see How do I obtain the ARN of a RAM role? 
          "region_id" : "" # The ID of the region where the CMK resides. 
    }
}