Is there a way to decrypt the AWS managed keys?
AWS managed keys have been applied as default for root volumes/EBS & AMI, which is preventing sharing of AMI/snapshots across other AWS accounts & regions.
How to create an unencrypted AMI or decrypt the AWS managed keys?
It is possible to share encrypted AMIs across accounts, which I'll detail below.
To answer the original question: you can't decrypt an encrypted AMI and you can't decrypt AWS managed keys.
What you can do is create a CMK (Customer Master Key), re-encrypt your image with the new key, and share it with the account(s) you wish.
If you are starting with snapshots encrypted under the default EBS CMK (with the key alias aws/ebs), copy those snapshots and re-encrypt them under a custom CMK you created in KMS. You will then be able to modify the key policy on the custom CMK to grant access to the key to any number of external accounts.
1. Create an AWS KMS customer master key (CMK).
2. Create a policy in the source account with permissions to share the AMI, using the ec2 ModifyImageAttribute operation.
3. Add the target account to the CMK created in step 1 (in the Other AWS Accounts subsection).
4. Create a policy in the target account for the AWS KMS operations. Allow the KMS actions DescribeKey, ReEncrypt*, CreateGrant, and Decrypt.
You can then share the key using a CLI command like the following:
aws ec2 modify-image-attribute --image-id <ami-12345678> --launch-permission "Add=[{UserId=<target account number>}]"
The attached references go into much greater detail about this process.
References
How To Share Encrypted AMIs Across Accounts
How To Create a Custom AMI with Encrypted EBS and Share It
Related
I am trying to create a Terraform script which creates an AWS IAM user with a secret key and access key ID. The same script is also creating an AWS EC2 instance.
Now where I am getting stuck is in setting those keys in the ~/.aws/credentials file (like aws configure does) on the EC2 instance.
What you're trying to do is not the recommended solution. If you want to grant any access to your EC2 instances, then do so via IAM Roles rather than keys. You have to attach a Role with permissions to your EC2 instance, and it can then call other services the same way it would from an AWS profile (using keys).
Reference to how to achieve this in Terraform: https://skundunotes.com/2021/11/16/attach-iam-role-to-aws-ec2-instance-using-terraform/
I have a use case where a KMS key would be used to encrypt and decrypt data. How can I make sure that only a specific Lambda is able to use the KMS key via AWS policies?
I tried adding the Lambda ARN in the KMS key policy while creating it, but it looks like that is not allowed.
How can I achieve my use case?
Here are the steps:
1. Create an IAM Role for Lambda without any permissions attached.
2. Select the same role under Define key usage permissions while creating the key.
3. Attach the IAM Role to the Lambda.
4. Start using the KMS Key in the Lambda.
As per the AWS KMS documentation:
The default key policy that the console creates for symmetric CMKs allows you to choose IAM users and roles in the account, and external AWS accounts, and make them key users.
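As an added example (not code from either answer above or from AWS), a Python helper that builds a custom CMK key policy in the shape of the console default both answers rely on, with an external account root (the AMI-sharing answer earlier on this page) or an IAM role ARN (the Lambda answer just above) as key users, and checks whether a given principal ends up with the KMS actions the AMI-sharing answer lists. All account IDs and role names are placeholders, and the checker deliberately ignores policy conditions.

```python
import fnmatch

# KMS actions a key user needs on the CMK (the AMI-sharing answer's list; its
# kms:ReEncrypt* covers ReEncryptFrom and ReEncryptTo).
REQUIRED_ACTIONS = ["kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
                    "kms:ReEncryptFrom", "kms:ReEncryptTo"]

def _stmt(sid, principals, actions, condition=None):
    st = {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principals},
          "Action": actions, "Resource": "*"}
    return {**st, "Condition": condition} if condition else st

def key_policy(owner_account, key_user_arns):
    """Key policy shaped like the console default: the owner account keeps full control
    via IAM; key_user_arns (account roots or role ARNs, caller placeholders) are key users."""
    users = list(key_user_arns)
    return {"Version": "2012-10-17", "Statement": [
        _stmt("Enable IAM policies", f"arn:aws:iam::{owner_account}:root", "kms:*"),
        _stmt("Allow use of the key", users,
              ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]),
        # CreateGrant is what EC2/EBS use to attach the key to volumes.
        _stmt("Allow attachment of persistent resources", users,
              ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
              {"Bool": {"kms:GrantIsForAWSResource": "true"}}),
    ]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _covers(statement, principal_arn):
    """Statement names the principal, its account root (which delegates to IAM), or '*'."""
    principal = statement["Principal"]
    if principal == "*":
        return True
    root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    return any(p in (principal_arn, root, "*") for p in _as_list(principal.get("AWS", [])))

def missing_actions(policy, principal_arn):
    """Required actions principal_arn is not allowed or is explicitly denied; conditions ignored."""
    allowed, denied = set(), set()
    for st in policy["Statement"]:
        if not _covers(st, principal_arn):
            continue
        patterns = [a.lower() for a in _as_list(st["Action"])]
        for action in REQUIRED_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                (allowed if st["Effect"] == "Allow" else denied).add(action)
    return sorted(a for a in REQUIRED_ACTIONS if a not in allowed or a in denied)
```

Running missing_actions against the key policy you actually applied (aws kms get-key-policy output) before sharing the AMI shows which of the four actions the target account still lacks.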
How to create an AWS managed key?
How can I create AWS managed keys, as shown in the picture attached? I understand KMS and how to create symmetric and asymmetric keys, but I am not able to understand these AWS managed keys and where we can create them.
How can I create AWS managed keys?
You can't create them explicitly. AWS creates them for you (thus they are AWS managed) when needed.
So let's say that you create an EBS volume with encryption. When you do this, AWS will create an AWS managed key for you automatically. Only then will you be able to see it in the KMS console.
We have a number of SecureString SSM Parameter Store values created via our bash script automations. These are encrypted with an environment-specific KMS key + Alias created via CloudFormation.
Also in the templates are IAM Roles for our EC2 instances, which need to allow retrieval and decryption of the SSM parameters. To allow this we granted access to those IAM Roles upon KMS key creation by referencing their role ARNs as principals.
However, we have some non-environment-specific SSM variables on our AWS account that persist outside of our environment CloudFormation stacks and are used by all environments.
We have recently adapted those parameters to be encrypted with the default KMS key, alias/aws/ssm.
This approach causes an issue with regard to automation, as we need to grant usage of the default KMS key to our IAM Roles in CloudFormation. I've read the AWS documentation and cannot figure out a way of doing this.
Has anyone managed to automate this?
The default KMS key alias/aws/ssm is an AWS managed CMK. We cannot establish IAM policies or KMS key policies for AWS Managed CMKs.
Excerpt from the AWS KMS FAQ:
AWS will manage the policies associated with AWS managed CMKs on your behalf. You can track AWS managed keys in your account and all usage is logged in AWS CloudTrail, but you have no direct control over the keys themselves.
You don't have to worry about defining IAM roles for accessing the alias/aws/ssm key; having access to the required SSM parameter is sufficient.
As a requirement I need to have all my EBS volumes encrypted with a customer KMS key (and not the default aws/ebs one).
In the LaunchConfig's BlockDeviceMappings properties I do see a property "Encrypted", but I do not see any way of specifying a custom KMS key.
I see a snapshotId property which could allow me to point to an encrypted snapshot, but how will this behave? Will each box that spins up create an empty volume from that snapshot?
What is the best way to achieve this? Is my only option to create the volume in the user-data and attach it there?
AWS Auto Scaling groups do not support specifying alternate KMS keys when EC2 instances are launched.
When you run an EC2 instance via ec2:RunInstances, ec2:RequestSpotFleet, or ec2:RequestSpotInstances, you can specify an alternate KMS key to use to encrypt the EBS volumes. When this KMS key is omitted, the KMS key used to encrypt the EBS snapshot is used instead.
However, Auto Scaling launch configurations do not support the KMS key specification. So it's not possible to use an alternative KMS key when launching Auto Scaling groups. The KMS key used to encrypt the snapshots will always be used.
Source: https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_Ebs.html