CodeCommitリポジトリの復号化のCloudTrailログ確認

2021/10/21 2021/11/17

ユーザーガイドAWS Key Management Service と AWS CodeCommit リポジトリの暗号化に記載がありますが、AWS CodeCommitリポジトリにソースコードを保存すると、AWS KMSのAWS所有キーaws/codecommitによって暗号化されて、git pullコマンドで復号化されるそうです。

ということで確認してみました。

CloudTrailログ

git pullしたときであろうログを確認してみました。
invokedByがcodecommit.amazonaws.comでKMSのDecryptアクションが実行されていました。
aws:codecommit:idにリポジトリのIDがありました。

{
      "eventVersion": "1.08",
      "userIdentity": {
        〜中略〜
        },
        "invokedBy": "codecommit.amazonaws.com"
      },
      "eventTime": "2021-11-17T12:02:33Z",
      "eventSource": "kms.amazonaws.com",
      "eventName": "Decrypt",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "codecommit.amazonaws.com",
      "userAgent": "codecommit.amazonaws.com",
      "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "encryptionContext": {
          "aws:codecommit:env-alg": "AES/256",
          "aws:codecommit:sig-alg": "HmacSHA256/256",
          "aws:codecommit:id": "xxxxx-xxxxxx-xxxxxx"
        }
      },
      ~中略~
    },

{

"eventVersion": "1.08",

"userIdentity": {

〜中略〜

"invokedBy": "codecommit.amazonaws.com"

"eventTime": "2021-11-17T12:02:33Z",

"eventSource": "kms.amazonaws.com",

"eventName": "Decrypt",

"awsRegion": "us-east-1",

"sourceIPAddress": "codecommit.amazonaws.com",

"userAgent": "codecommit.amazonaws.com",

"requestParameters": {

"encryptionAlgorithm": "SYMMETRIC_DEFAULT",

"encryptionContext": {

"aws:codecommit:env-alg": "AES/256",

"aws:codecommit:sig-alg": "HmacSHA256/256",

"aws:codecommit:id": "xxxxx-xxxxxx-xxxxxx"

}

~中略~

CodeCommitリポジトリIDの確認

リポジトリIDはget-repositoryコマンドで確認しました。

$ aws codecommit get-repository --repository-name RepositoryName
{
    "repositoryMetadata": {
        "creationDate": 1628481144.858, 
        "defaultBranch": "master", 
        "repositoryName": "RepositoryName", 
        "cloneUrlSsh": "ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/RepositoryName", 
        "lastModifiedDate": 1637150992.85, 
        "repositoryDescription": "sample repository", 
        "cloneUrlHttp": "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/RepositoryName", 
        "repositoryId": "xxxxx-xxxxxx-xxxxxx", 
        "Arn": "arn:aws:codecommit:us-east-1:123456789012:RepositoryName", 
        "accountId": "123456789012"
    }
}

$ aws codecommit get-repository --repository-name RepositoryName

{

"repositoryMetadata": {

"creationDate": 1628481144.858,

"defaultBranch": "master",

"repositoryName": "RepositoryName",

"cloneUrlSsh": "ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/RepositoryName",

"lastModifiedDate": 1637150992.85,

"repositoryDescription": "sample repository",

"cloneUrlHttp": "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/RepositoryName",

"repositoryId": "xxxxx-xxxxxx-xxxxxx",

"Arn": "arn:aws:codecommit:us-east-1:123456789012:RepositoryName",

"accountId": "123456789012"

}

Athena検索時のSQLメモ

該当のCloudTrailログは、Athenaで検索して確認しました。
Athenaテーブルは、S3オブジェクトへのリクエストをCloudTrail, Athenaで識別する(パーティショニング)の方法で作成しています。

select * from "cloudtrail_events_db"."cloudtrail_partiion_table"
where account='123456789012'
and region='us-east-1'
and year='2021'
and month='11'
and day='17'
and eventsource='kms.amazonaws.com'
and sourceipaddress='codecommit.amazonaws.com'
and requestparameters like '%xxxxx-xxxxxx-xxxxxx%'

select * from "cloudtrail_events_db"."cloudtrail_partiion_table"

where account='123456789012'

and region='us-east-1'

and year='2021'

and month='11'

and day='17'

and eventsource='kms.amazonaws.com'

and sourceipaddress='codecommit.amazonaws.com'

and requestparameters like '%xxxxx-xxxxxx-xxxxxx%'

KMS aws/codecommitのキーポリシー

対象のアカウントからのアクセスを許可するポリシーが設定されていました。

{
    "Version": "2012-10-17",
    "Id": "auto-codecommit-2",
    "Statement": [
        {
            "Sid": "Allow access through CodeCommit for all principals in the account that are authorized to use CodeCommit",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "123456789012",
                    "kms:ViaService": "codecommit.us-east-1.amazonaws.com"
                }
            }
        },
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*"
            ],
            "Resource": "*"
        }
    ]
}