How to encrypt an existing AWS EBS volume with an existing AWS KMS key?
The KMS encrypt method allows encrypting a plaintext but i want to encrypt a volume.
I was trying to do this with boto 2 but obviously, boto2 don't support this.
I found this can be done only with boto 3 :
http://boto3.readthedocs.org/en/latest/reference/services/ec2.html#ec2.Client.create_volume.
Thanks.
Related
I have got a key and secrets key for an external S3 bucket full of .gz files.
I need to analyze this data using Athena.
Is there an option to connect Athena to the S3 bucket using a key and secret key? if so, how to do it?
I know how to connect S3 when I get a console connection but not when I've only a key and secret key.
It is more comlicated than answering with a single answer.
As it was mentioned already, you cannot have access to the console with only the secret key. You can use those credential for programatic access for example from your CLI.
What you might want to try is to use the AWS CLI tool. https://docs.aws.amazon.com/cli/latest/reference/athena/start-query-execution.html
aws athena start-query-execution <query>
How to create a AWS managed KEY .
How can I create AWS managed keys. as shown in the picture attached . I understand KMS and how to create symmetric and Asymetric keys . but I am not able to understand this AWS managed keys and from where we can create these .
How can I create AWS managed keys.
You can't create them explicitly. AWS creates them for you (thus they are AWS managed) when needed.
So lets say that you will create EBS volume with encryption. When you do this, AWS will create AWS managed key for you automatically. Only then you will be able to see it in KMS console.
Is there a way to decrypt the AWS managed keys?
AWS managed keys have been applied as default for root volumes/EBS & AMI, which is preventing sharing of AMI/snapshots across other AWS accounts & regions.
How to create an unencrypted AMI or decrypt the AWS managed keys?
It is possible to share encrypted AMI's across accounts which I'll detail below.
To answer the original question: you can't decrypt an encrypted AMI and you can't decrypt AWS managed keys.
What you can do is create a CMK (Customer Master Key), re-encrypt your image with the new key, and share it with the account(s) you wish.
If you are starting with snapshots encrypted under the default EBS CMK (with the key alias, aws/ebs), copy those snapshots and reencrypt them under a custom CMK you created in KMS. You will then be able to modify the key policy on the custom CMK to be able to grant access to the key to any number of external accounts.
Create an AWS KMS customer master key (CMK)
Create a policy in the source account with permissions to share the AMI, using the ec2 ModifyImageAttribute operation
Add the target account to the CMK created in step 1. (In Other AWS Accounts subsection)
Create a policy on the target account to the AWS KMS operations. Allow kms actions - DescribeKey, ReEncrypt*, CreateGrant, and Decrypt.
You can then share the key using a CLI command like the following:
aws ec2 modify-image-attribute --image-id <ami-12345678> --launch-permission "Add=[{UserId=<target account number>}]"
The attached references go into much greater detail about this process.
References
How To Share Encrypted AMIs Across Accounts
How To Create a Custom AMI with Encrypted EBS and Share It
i have created an aws account, launched ec2 instance and created buckets in s3. Also i have installed python, boto3 and aws cli. But i'm stuck on connecting python with aws step.
The first and foremost thing that you need to check is whether your EC2 instance has permissions to access the S3 bucket. This can be done in 2 ways:
Store the credentials in the EC2 instance (insecure)
Assign IAM roles to the EC2 instance that has S3 read and write permissions (secure)
In order to assign a role to your instance, follow this guide.
Once your permissions are set up, you can either use the AWS CLI or BOTO3 to access S3 from your EC2 instance.
1: If you are asking how to establish a connection for running your AWS-python codes then you must follow these steps on terminal:
aws configure (this ill ask you credentials which you will find in the .CSV file that is created initially)
Provide the credentials and try to run the code
For ex:
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
2: If your question is how you will use the boto3 API calls to run AWS functions then this might help you:If you are using boto3 SDK then you can make use of low-level clients and higher-level.
ec2 = boto3.resource('ec2')
client = boto3.client('ec2')
You can follo this link for more detailed info : http://boto3.readthedocs.io/en/latest/reference/services/ec2.html
Is it possible to use the custom encryption key for ebs data volumes using packer? kms_key_id will only use for the encryption of the boot volume. how can we encrypt block device mappings? (data EBS volumes)
Unfortunately that doesn't seem to be supported by AWS. See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EbsBlockDevice.html and http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html
As a workaround you can prepare a CMK encrypted (empty) snapshot and attach that in your device mapping block in Packer. That should give you a snapshot encrypted with the KMS key you want.