How to create a AWS managed KEY .
How can I create AWS managed keys. as shown in the picture attached . I understand KMS and how to create symmetric and Asymetric keys . but I am not able to understand this AWS managed keys and from where we can create these .
How can I create AWS managed keys.
You can't create them explicitly. AWS creates them for you (thus they are AWS managed) when needed.
So lets say that you will create EBS volume with encryption. When you do this, AWS will create AWS managed key for you automatically. Only then you will be able to see it in KMS console.
Related
I am trying to create a terraform script which is creating AWS IAM user with secret key and access key id. Same script is also creating AWS EC2.
now where I am getting stuck is in to set those keys in ~/.aws/credential file(like aws configure does) in EC2.
What you're trying to do is not the recommended solution. If you want to grant any access to your EC2 instances then do so via IAM Roles rather than keys. You have to attach a Role with permissions to your EC2 and it can call other services same like it would do from AWS profile (using keys).
Reference to how to achieve this in Terraform: https://skundunotes.com/2021/11/16/attach-iam-role-to-aws-ec2-instance-using-terraform/
I have a use case where a kms key would be used to encrypt and decrypt data . how can I make sure that only the specific lambda should be able to use the kms key from AWS polices .
I tried adding Lambda ARN in kms key policies while creating, but looks like its not allowed to do the same .
how can I achieve my use case ?
Here are the steps:
Create an IAM Role for Lambda without any permissions attached.
Select the same for Define key usage permissions while creating the key.
Attach the IAM Role to the Lambda.
Start using the KMS Key in the Lambda.
As per the AWS KMS documentation
The default key policy that the console creates for symmetric CMKs allows you to choose IAM users and roles in the account, and external AWS accounts, and make them key users.
We have usecase of taking input which includes password from user and pass it to on EC2 instance. From with in Ec2 instance we hit the URL - http://169.254.169.254/latest/user-data/ and get the userdata and set appropriate passwords.
The issue is user data is visible by AWS CLI tool:
aws ec2 describe-instance-attribute --instance-id --attribute userData --output text --query "UserData.Value" | base64 --decode
This imposes huge security risk.
Whats the best way to send sensitive / secret data ?
I tried creating a key-pair, which creates the private key on local instance and public key on EC2. What would be right way to encrypt / decrypt using PowerShell and fetch it back in EC2?
The suggested approach would be to store any secrets in an external source.
AWS has a service for storing secrets, Secrets Manager. By using this service you would create a secret containing the secrets that your instance will need to access in its user data. Then give your instance an IAM role with privileges to get the secret value, via the AWS CLI.
Alternatively you could also make use of the AWS SSM Parameter Store service, storing the secrets as a SecureString type. This would work similar to secrets manager with you retrieving the secret via the AWS CLI and then using it in your script.
There are also third party solutions such as Hashicorp Vault that provide similar functionality if you do not want to store your secrets in an AWS solution.
Is there a way to decrypt the AWS managed keys?
AWS managed keys have been applied as default for root volumes/EBS & AMI, which is preventing sharing of AMI/snapshots across other AWS accounts & regions.
How to create an unencrypted AMI or decrypt the AWS managed keys?
It is possible to share encrypted AMI's across accounts which I'll detail below.
To answer the original question: you can't decrypt an encrypted AMI and you can't decrypt AWS managed keys.
What you can do is create a CMK (Customer Master Key), re-encrypt your image with the new key, and share it with the account(s) you wish.
If you are starting with snapshots encrypted under the default EBS CMK (with the key alias, aws/ebs), copy those snapshots and reencrypt them under a custom CMK you created in KMS. You will then be able to modify the key policy on the custom CMK to be able to grant access to the key to any number of external accounts.
Create an AWS KMS customer master key (CMK)
Create a policy in the source account with permissions to share the AMI, using the ec2 ModifyImageAttribute operation
Add the target account to the CMK created in step 1. (In Other AWS Accounts subsection)
Create a policy on the target account to the AWS KMS operations. Allow kms actions - DescribeKey, ReEncrypt*, CreateGrant, and Decrypt.
You can then share the key using a CLI command like the following:
aws ec2 modify-image-attribute --image-id <ami-12345678> --launch-permission "Add=[{UserId=<target account number>}]"
The attached references go into much greater detail about this process.
References
How To Share Encrypted AMIs Across Accounts
How To Create a Custom AMI with Encrypted EBS and Share It
I want to configure my SQS Terraform Script to use an aws provided SSE Key.
I know that you can do this with the follwing code:
resource "aws_sqs_queue" "terraform_queue" {
name = "terraform-example-queue"
kms_master_key_id = "alias/aws/sqs"
kms_data_key_reuse_period_seconds = 300
}
But with this example I need to first create my own KMS Key. In the aws console it is possible to use a default one without creating one by myself. How do I do this in Terraform, what do I have to type in kms_master_key_id?
The default key for any service is given by the alias alias/aws/$service. So when you refer to alias/aws/sqs you're using the default AWS managed KMS key for that service in that region.
This is briefly covered in the AWS user guide:
The alias name cannot begin with aws/. The aws/ prefix is reserved by Amazon Web Services to represent AWS managed CMKs in your account.