Is it possible to use a custom encryption key for EBS data volumes using Packer? kms_key_id is only used for the encryption of the boot volume. How can we encrypt block device mappings (data EBS volumes)?
Unfortunately that doesn't seem to be supported by AWS. See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html and http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html
As a workaround you can prepare a CMK-encrypted (empty) snapshot and reference that in your device mapping block in Packer. That should give you a snapshot encrypted with the KMS key you want.
Related
Is there a way to decrypt the AWS managed keys?
AWS managed keys have been applied as the default for root volumes/EBS & AMIs, which is preventing sharing of AMIs/snapshots across other AWS accounts & regions.
How to create an unencrypted AMI or decrypt the AWS managed keys?
It is possible to share encrypted AMIs across accounts, which I'll detail below.
To answer the original question: you can't decrypt an encrypted AMI and you can't decrypt AWS managed keys.
What you can do is create a CMK (Customer Master Key), re-encrypt your image with the new key, and share it with the account(s) you wish.
If you are starting with snapshots encrypted under the default EBS CMK (with the key alias aws/ebs), copy those snapshots and re-encrypt them under a custom CMK that you created in KMS. You will then be able to modify the key policy on the custom CMK to grant access to the key to any number of external accounts.
1. Create an AWS KMS customer master key (CMK).
2. Create a policy in the source account with permissions to share the AMI, using the ec2 ModifyImageAttribute operation.
3. Add the target account to the CMK created in step 1 (in the "Other AWS Accounts" subsection).
4. Create a policy in the target account for the AWS KMS operations. Allow the KMS actions DescribeKey, ReEncrypt*, CreateGrant, and Decrypt.
You can then share the key using a CLI command like the following:
aws ec2 modify-image-attribute --image-id <ami-12345678> --launch-permission "Add=[{UserId=<target account number>}]"
The attached references go into much greater detail about this process.
References
How To Share Encrypted AMIs Across Accounts
How To Create a Custom AMI with Encrypted EBS and Share It
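The procedure in the answer above, worked through as an added example (this is not code from the answer, from the linked references, or from AWS): copy the AMI re-encrypted under a customer-managed key, append a key-policy statement giving the target account the four KMS actions the answer lists, and grant the target account launch permission on the copy. The AMI ID, key alias, account number and region are placeholders, and the boto3 clients are passed in as parameters so the sequence can be exercised offline with fake clients. The function only adds a statement to the key policy; the existing administrator statement on the key is left as it is.

```python
"""Re-encrypt an AMI under a customer-managed KMS key and share it with another account.

Added example. The ec2 and kms arguments are boto3 clients (or fakes with the same
method names); the IDs in __main__ are placeholders.
"""
import json

# KMS actions the target account needs in order to launch from a shared
# encrypted AMI (the same four actions the answer above lists).
TARGET_ACCOUNT_KMS_ACTIONS = [
    "kms:DescribeKey",
    "kms:ReEncrypt*",
    "kms:CreateGrant",
    "kms:Decrypt",
]


def grant_account_on_key(policy: dict, account_id: str) -> dict:
    """Return a copy of a KMS key policy with a statement that lets the target
    account's root principal use the key. Idempotent: running it twice for the
    same account does not add a duplicate statement."""
    sid = f"AllowUseOfKeyByAccount{account_id}"
    new_policy = json.loads(json.dumps(policy))  # deep copy, never mutate the input
    statements = new_policy.setdefault("Statement", [])
    if any(s.get("Sid") == sid for s in statements):
        return new_policy
    statements.append(
        {
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": list(TARGET_ACCOUNT_KMS_ACTIONS),
            "Resource": "*",
        }
    )
    return new_policy


def reencrypt_and_share_ami(ec2, kms, *, source_image_id, source_region,
                            kms_key_id, target_account_id, new_name):
    """Copy the AMI re-encrypted under kms_key_id, open the key to the target
    account, and grant the target account launch permission on the copy.
    Returns the new image ID."""
    # 1. Re-encrypt: CopyImage with Encrypted=True re-encrypts every snapshot
    #    backing the AMI under the given customer-managed key.
    copy = ec2.copy_image(
        Name=new_name,
        SourceImageId=source_image_id,
        SourceRegion=source_region,
        Encrypted=True,
        KmsKeyId=kms_key_id,
    )
    new_image_id = copy["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[new_image_id])

    # 2. Key policy: let the target account use the custom key. (This is the
    #    step that is impossible with the default aws/ebs key, whose policy
    #    cannot be edited.)
    current = json.loads(
        kms.get_key_policy(KeyId=kms_key_id, PolicyName="default")["Policy"])
    updated = grant_account_on_key(current, target_account_id)
    if updated != current:
        kms.put_key_policy(KeyId=kms_key_id, PolicyName="default",
                           Policy=json.dumps(updated))

    # 3. Launch permission: the API equivalent of
    #    aws ec2 modify-image-attribute --launch-permission "Add=[{UserId=...}]"
    ec2.modify_image_attribute(
        ImageId=new_image_id,
        LaunchPermission={"Add": [{"UserId": target_account_id}]},
    )
    return new_image_id


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS

    region = "us-east-1"
    print(reencrypt_and_share_ami(
        boto3.client("ec2", region_name=region),
        boto3.client("kms", region_name=region),
        source_image_id="ami-12345678",          # placeholder
        source_region=region,
        kms_key_id="alias/my-ebs-cmk",           # placeholder key alias
        target_account_id="111122223333",        # placeholder account
        new_name="shared-encrypted-copy",
    ))
```

The target account still needs its own IAM policy allowing the same four KMS actions on the key (step 4 of the answer); the key policy alone opens the key to the account, and the account's IAM policies then decide which of its principals may use it.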
I'm working on a CloudFormation script which will create a simple EC2 instance. Here I want to encrypt the root volume at the time of launch. It's possible to create a separate EBS volume, encrypt it and attach it as the boot volume, but I couldn't find a way to encrypt it while launching. Is there any way to do this?
Thanks in advance
It looks like AWS has recently released a feature to launch an instance with an encrypted volume based on a non-encrypted AMI.
Launch encrypted EBS backed EC2 instances from unencrypted AMIs in a single step
From the CloudFormation perspective, you need to overwrite AMI block device configuration. So for example, you can write like this:
BlockDeviceMappings:
  - DeviceName: "/dev/xvda"
    Ebs:
      VolumeSize: '8'
      Encrypted: 'true'
This will start an instance with an encrypted root EBS volume from a non-encrypted AMI, using the default KMS key.
We can't encrypt the root volume during launch. Here is what you need to do:
1. Always use custom KMS keys.
2. If you have an unencrypted AMI, just copy the AMI to the same region and use the encrypt option there.
3. Then use that AMI in your CloudFormation.
As a requirement I need to have all my EBS volumes encrypted with a customer KMS key (and not the default aws/ebs one).
In the LaunchConfig's BlockDeviceMappings properties I do see a property "Encrypted", but I do not see any way of specifying a custom KMS key.
I see a SnapshotId property which could allow me to point to an encrypted snapshot, but how will this behave? Will each box that spins up create an empty volume from that snapshot?
What is the best way to achieve this? Is my only option to create the volume in the user data and attach it there?
AWS Auto Scaling groups do not support specifying alternate KMS keys when EC2 instances are launched.
When you run an EC2 instance via ec2:RunInstances, ec2:RequestSpotFleet, or ec2:RequestSpotInstances, you can specify an alternate KMS key to use to encrypt the EBS volumes. When this KMS key is omitted, the KMS key used to encrypt the EBS snapshot is used instead.
However, Auto Scaling launch configurations do not support the KMS key specification. So it's not possible to use an alternative KMS key when launching Auto Scaling groups. The KMS key used to encrypt the snapshots will always be used.
Source: https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_Ebs.html
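A check that a practitioner would run over a template before deploying, added here as an example (it is not code from either answer above, nor an AWS tool). It walks a parsed CloudFormation template and reports every EBS block device mapping that is unencrypted, that is encrypted but names no KmsKeyId (so the default aws/ebs key, or the snapshot's key, will be used), or that sits in an AWS::AutoScaling::LaunchConfiguration, whose BlockDeviceMapping has no KmsKeyId property at all. AWS::EC2::Instance and AWS::EC2::LaunchTemplate (under LaunchTemplateData) do accept KmsKeyId in their Ebs mappings, and an Auto Scaling group can be pointed at a launch template, which is the usual way out of the limitation the answer describes. The sample template and key ARN are constructed for the example; it also accepts the quoted string 'true' that the CloudFormation snippet above uses.

```python
"""Lint a parsed CloudFormation template for EBS mappings that are not
encrypted under a customer-managed KMS key.

Added example. SAMPLE_TEMPLATE is constructed for the example and the key ARN
in it is a placeholder; a real template would be loaded with a YAML or JSON
parser and passed to find_ebs_findings().
"""

# Where each resource type keeps its block device mappings, and whether that
# property type has a KmsKeyId field at all.
MAPPING_LOCATIONS = {
    "AWS::EC2::Instance": (("BlockDeviceMappings",), True),
    "AWS::EC2::LaunchTemplate": (("LaunchTemplateData", "BlockDeviceMappings"), True),
    "AWS::AutoScaling::LaunchConfiguration": (("BlockDeviceMappings",), False),
}


def _is_true(value) -> bool:
    # CloudFormation accepts both a YAML boolean and the quoted string 'true'.
    return value is True or str(value).lower() == "true"


def find_ebs_findings(template: dict) -> list:
    """Return (logical_id, device_name, problem) tuples for every EBS mapping
    that is unencrypted, relies on the default key, or sits in a resource type
    that cannot carry a custom key."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        loc = MAPPING_LOCATIONS.get(res.get("Type"))
        if loc is None:
            continue  # not a resource that launches instances
        path, supports_kms = loc
        node = res.get("Properties", {})
        for key in path:
            node = node.get(key, {}) if isinstance(node, dict) else {}
        mappings = node if isinstance(node, list) else []
        for mapping in mappings:
            ebs = mapping.get("Ebs")
            if not ebs:
                continue  # instance-store (VirtualName) or NoDevice entries
            device = mapping.get("DeviceName", "?")
            if not _is_true(ebs.get("Encrypted")):
                findings.append((logical_id, device, "not encrypted"))
            elif not supports_kms:
                findings.append((logical_id, device,
                                 "LaunchConfiguration cannot set KmsKeyId; use a LaunchTemplate"))
            elif not ebs.get("KmsKeyId"):
                findings.append((logical_id, device,
                                 "no KmsKeyId, default aws/ebs key will be used"))
    return findings


# Constructed sample: the dict form of a template mixing the three cases.
SAMPLE_TEMPLATE = {
    "Resources": {
        "Web": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"ImageId": "ami-12345678", "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": "8", "Encrypted": "true"}},
            ]},
        },
        "OldLc": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {"ImageId": "ami-12345678", "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8, "Encrypted": True}},
                {"DeviceName": "/dev/xvdb", "VirtualName": "ephemeral0"},
            ]},
        },
        "NewLt": {
            "Type": "AWS::EC2::LaunchTemplate",
            "Properties": {"LaunchTemplateData": {"BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {
                    "VolumeSize": 8, "Encrypted": True,
                    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeSize": 100}},
            ]}},
        },
    }
}

if __name__ == "__main__":
    for finding in find_ebs_findings(SAMPLE_TEMPLATE):
        print("%s %s: %s" % finding)
```

Run against the sample it flags the instance's root mapping (encrypted, but on the default key), the launch configuration's root mapping (no way to name a key) and the launch template's unencrypted data volume; the launch template's root mapping, which names a key, passes.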
I'm trying to use Packer to build an AMI with encrypted EBS volumes (but not an encrypted root volume). The Packer documentation says:
kms_key_id (string) - The ID of the KMS key to use for boot volume encryption.
https://www.packer.io/docs/builders/amazon-ebs.html#kms_key_id
If I supply a kms_key_id and mark the desired EBS volumes' ami_ and launch_block_device_mappings as encrypted, will Packer use that KMS key? Or will the default CMK be used?
Quickly looking into the code, it looks like kms_key_id is only used for the encryption of the boot volume. Other block_device_mappings with "encrypted": true will be encrypted with the default EBS KMS key.
How to encrypt an existing AWS EBS volume with an existing AWS KMS key?
The KMS encrypt method allows encrypting a plaintext, but I want to encrypt a volume.
I was trying to do this with boto 2 but obviously boto 2 doesn't support this.
I found this can be done only with boto 3:
http://boto3.readthedocs.org/en/latest/reference/services/ec2.html#ec2.Client.create_volume.
Thanks.
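An EBS volume cannot be encrypted in place, so the create_volume call the question links to is only the last step: snapshot the volume, copy the snapshot with Encrypted=True and KmsKeyId (that copy is where the data is first written under the custom key), then create a new volume from the encrypted copy. The following is an added example of that sequence with boto3 (not code from the question or from AWS). The ec2 client is passed in so the sequence can be exercised offline with a fake client; the volume ID, key alias and region are placeholders. It leaves the original volume untouched and returns the new volume's ID; swapping the volumes on the instance (stop, detach, attach under the same device name) is left to the caller.

```python
"""Encrypt an existing (unencrypted) EBS volume under a customer-managed KMS key.

Added example. ec2 is a boto3 EC2 client (or a fake with the same method
names); the IDs in __main__ are placeholders.
"""


def encrypt_existing_volume(ec2, *, volume_id, kms_key_id, region,
                            delete_plaintext_snapshot=True):
    """Return the ID of a new encrypted volume holding the data of volume_id."""
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol.get("Encrypted"):
        raise ValueError(
            f"{volume_id} is already encrypted; copy its snapshot to re-key it")

    # 1. Point-in-time snapshot of the plaintext volume.
    snap_id = ec2.create_snapshot(
        VolumeId=volume_id,
        Description=f"pre-encryption copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    # 2. CopySnapshot is where encryption happens; KmsKeyId selects the
    #    custom key instead of the account's default aws/ebs key.
    enc_snap_id = ec2.copy_snapshot(
        SourceSnapshotId=snap_id, SourceRegion=region,
        Encrypted=True, KmsKeyId=kms_key_id,
        Description=f"encrypted copy of {snap_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap_id])

    # 3. A volume restored from an encrypted snapshot is encrypted under the
    #    snapshot's key. Same AZ, size and type as the original so it can be
    #    attached in its place (io1/io2 volumes would also need Iops copied).
    new_vol_id = ec2.create_volume(
        AvailabilityZone=vol["AvailabilityZone"], SnapshotId=enc_snap_id,
        Size=vol["Size"], VolumeType=vol["VolumeType"],
        TagSpecifications=[{"ResourceType": "volume",
                            "Tags": [{"Key": "EncryptedCopyOf", "Value": volume_id}]}],
    )["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol_id])

    # The interim plaintext snapshot holds all the data unencrypted; do not
    # leave it behind. The encrypted snapshot is kept as a backup.
    if delete_plaintext_snapshot:
        ec2.delete_snapshot(SnapshotId=snap_id)
    return new_vol_id


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS

    print(encrypt_existing_volume(
        boto3.client("ec2", region_name="us-east-1"),
        volume_id="vol-0123456789abcdef0",   # placeholder
        kms_key_id="alias/my-ebs-cmk",       # placeholder key alias
        region="us-east-1",
    ))
```

The already-encrypted check matters because copying an encrypted snapshot with a different KmsKeyId is also how a volume is moved from the default aws/ebs key to a custom key; the function refuses that case rather than silently making a second copy under the same key.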