As a requirement I need to have all my EBS volume encrypted with a customer KMS (and not de fault aws/ebs one)
In the LaunchConfig's BlockDeviceMappings properties I do see a property "Encrypted" but I do not see anyway of specifying a custom KMS
I see a snapshotId property which could allow me to point to an encrypted snapshot but how will this behave? Will each box that spin create an empty volume from that snapshot ?
What is the best way to achieve this ? Is my only option to create volume in the user-data and attach it there ?
AWS AutoScaling groups does not support specifying alternate KMS keys when EC2 instances are launched.
When you run an EC2 instance via ec2:RunInstances, ec2:RequestSpotFleet, or ec2:RequestSpotInstances, you can specify a alternate KMS key to use to encrypt the EBS volumes. When this KMS key is omitted, the KMS key used to encrypt the EBS snapshot is used instead.
However, Auto Scaling launch configurations does not support the KMS key specification. So it's not possible to use an alternative KMS key when launching Auto Scaling groups. The KMS key used to encrypt the snapshots will always be used.
Source: https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_Ebs.html
Related
using AWS CDK, I need to create an autoscaling with encrypted volume with customer KMS key, I know that I can do this by using a launch template but I did not found in the documentation how to create the launch template and how to create the autoscaling group with this one.
I found just this constructor method "autoscaling.AutoScalingGroup"
autoscaling.AutoScalingGroup(self, "my-app",
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(
subnets=[
ec2.Subnet.from_subnet_id(self,"asg_subnetAz1",subnet_az1_id),
ec2.Subnet.from_subnet_id(self, "asg_subnetAz2", subnet_az2_id)
]
),
instance_type=ec2.InstanceType( instance_type_identifier=ec2_type),
machine_image=linux_ami,
desired_capacity=1,
min_capacity=1,
max_capacity=1,
security_group=sg_asg,
block_devices=[
autoscaling.BlockDevice(
device_name="/dev/sda1",
volume=autoscaling.BlockDeviceVolume.ebs(
volume_size=ebs_volume_size,
delete_on_termination=delete,
encrypted=True,
volume_type=autoscaling.EbsDeviceVolumeType.GP2
)
)
],
user_data=ec2.UserData.custom(user_data_ec2),
role=self.ec2_role
)
it is working fine but in block_devides parameter I can not specify the customer key.
have you any idea about how to do this?
this perhaps could help another one.
to create the autoscaling with custom key 2 ways:
Create a launch template where you can specify the KMS key to encrypt the EBS volume and then create ASG with this launch template.
or just create the asg without encryption and change the account setting to force the encryption of every new ebs volume with the CMK. this is the easiest way.
Is there a way to decrypt the AWS managed keys?
AWS managed keys have been applied as default for root volumes/EBS & AMI, which is preventing sharing of AMI/snapshots across other AWS accounts & regions.
How to create an unencrypted AMI or decrypt the AWS managed keys?
It is possible to share encrypted AMI's across accounts which I'll detail below.
To answer the original question: you can't decrypt an encrypted AMI and you can't decrypt AWS managed keys.
What you can do is create a CMK (Customer Master Key), re-encrypt your image with the new key, and share it with the account(s) you wish.
If you are starting with snapshots encrypted under the default EBS CMK (with the key alias, aws/ebs), copy those snapshots and reencrypt them under a custom CMK you created in KMS. You will then be able to modify the key policy on the custom CMK to be able to grant access to the key to any number of external accounts.
Create an AWS KMS customer master key (CMK)
Create a policy in the source account with permissions to share the AMI, using the ec2 ModifyImageAttribute operation
Add the target account to the CMK created in step 1. (In Other AWS Accounts subsection)
Create a policy on the target account to the AWS KMS operations. Allow kms actions - DescribeKey, ReEncrypt*, CreateGrant, and Decrypt.
You can then share the key using a CLI command like the following:
aws ec2 modify-image-attribute --image-id <ami-12345678> --launch-permission "Add=[{UserId=<target account number>}]"
The attached references go into much greater detail about this process.
References
How To Share Encrypted AMIs Across Accounts
How To Create a Custom AMI with Encrypted EBS and Share It
Working on cloud formation script which will create simple ec2 instance. here i want to encrypt a root volume at the time of launch. its possible to create a separate EBS, encrypt it and attach it as boot volume. but i couldn't find a way to encrypt it while launching. any way to do this?
Thanks In Advance
It looks like AWS has recently released a feature to launch an instance with encrypted volume based on non-encrypted AMI.
Launch encrypted EBS backed EC2 instances from unencrypted AMIs in a single step
From the CloudFormation perspective, you need to overwrite AMI block device configuration. So for example, you can write like this:
BlockDeviceMappings:
- DeviceName: "/dev/xvda"
Ebs:
VolumeSize: '8'
Encrypted: 'true'
This will start an instance with encrypted root EBS from non-encrypted AMI with a default KMS key
We can't encrypt root volume during the launch. Here is what you need to do.
Always use custom KMS keys.
If you have the unencrypted AMI, just copy the AMI to the same region and use encrypt option there.
Then use that AMI in your cloudformation.
Is it possible to use the custom encryption key for ebs data volumes using packer? kms_key_id will only use for the encryption of the boot volume. how can we encrypt block device mappings? (data EBS volumes)
Unfortunately that doesn't seem to be supported by AWS. See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html and http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html
As a workaround you can prepare a CMK encrypted (empty) snapshot and attach that in your device mapping block in Packer. That should give you a snapshot encrypted with the KMS key you want.
I've read https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-custom-ami.html on how to create a custom AMI for use with AWS Data Pipeline. The document mostly makes sense except for the last line:
"Create and configure a user account named ec2-user."
What does this mean? What credentials (if any?) do I use for this AMI user? What SSH key do I allow to log in here?
The keypair that you should use can be specified in EC2 resource definition. See https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-resources-vpc.html
In case of the above EC2 resource snippet, my-key-pair would have a PEM file associated with it. Your ec2-account should correspond to that PEM file so that DPL can login to that EC2 resource.