Open menu

Use AWS KMS Customer Master Keys for EBS encryption

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Knowledge Base EBS Use AWS KMS Customer Master Keys for EBS encryption
Last updated: 10 November 2017
Security

Risk level: High (not acceptable risk)

Ensure that your EBS volumes are using KMS CMK customer-managed keys instead of AWS managed-keys (default key used for volume encryption) in order to have more granular control over your data encryption and decryption process. Once implemented, the KMS CMK customer-managed keys will be used to encrypt and decrypt EBS data at rest, volume snapshots and disk I/O.

This rule resolution is part of the Cloud Conformity Tool

When you create and use your own CMK customer-managed keys with EBS volumes, you gain full control over who can use the keys and access the data encrypted on these volumes. KMS CMK service allows you to create, rotate, disable, enable, and audit encryption keys.

Audit

To determine if your EBS volumes are encrypted with CMK customer-managed keys, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03In the navigation panel, under Elastic Block Store, click Volumes.

04 Select the EBS volume that you need to examine.

05 Select the Description tab from the bottom panel.

06 And check the EBS volume encryption status:

  1. If Encrypted parameter value is “Not Encrypted”: If Encrypted parameter value is 'Not Encrypted', the volume is not encrypted. Since EBS encryption is an immutable setting that must be turned on at volume creation, to enable encryption you must re-create the volume (see Remediation / Resolution section).
  2. If Encrypted parameter value is “Encrypted and the KMS Key Aliases value is “aws/ebs”: If Encrypted parameter value is 'Encrypted' and the KMS Key Aliases value is 'aws/ebs', the volume is using a AWS managed-key. This key is used by default when you don't specify a CMK for encryption at volume creation. To have full control over the volume encryption, create and use your own CMK customer-managed key.

Using AWS CLI

01 Run describe-volumes command (OSX/Linux/UNIX) to determine if your EBS volume is encrypted or not. The next example expose the metadata for an EBS volume with the ID vol-f7f65326: 

aws ec2 describe-volumes
	--volume-ids vol-f7f65326

02 The command output should reveal the volume encryption status.

  1. If the Encrypted parameter value is set to false, the encryption is not currently enabled: 
    {
    "Volumes": [
        {
            "AvailabilityZone": "us-east-1a",
            "Attachments": [
                {
                    "AttachTime": "2016-04-15T08:15:59.000Z",
                    "InstanceId": "i-b969a624",
                    "VolumeId": "vol-f7f65326",
                    "State": "attached",
                    "DeleteOnTermination": false,
                    "Device": "/dev/sdf"
                }
            ],
            "Encrypted": false,
            "VolumeType": "gp2",
            "VolumeId": "vol-f7f65326",
            "State": "in-use",
            "Iops": 30,
            "SnapshotId": "",
            "CreateTime": "2016-04-15T08:15:14.882Z",
            "Size": 10
        }
    ]
}
  2. If the volume encryption is enabled, the command output should return the KMS key ARN (Amazon Resource Name) ID. The ARN ID is returned as the value (highlighted) for the KmsKeyId parameter: 
    {
    "Volumes": [
        {
            "AvailabilityZone": "us-east-1a",
            "Attachments": [
                {
                    "AttachTime": "2016-04-15T08:15:59.000Z",
                    "InstanceId": "i-b969a624",
                    "VolumeId": "vol-f7f65326",
                    "State": "attached",
                    "DeleteOnTermination": false,
                    "Device": "/dev/sdf"
                }
            ],
            "Encrypted": true,
            "VolumeType": "gp2",
            "VolumeId": "vol-f7f65326",
            "State": "in-use",
            "Iops": 30,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/
                         d6c03026-b0bd-451e-a864-a68355f4f035",
            "SnapshotId": "",
            "CreateTime": "2016-04-15T08:15:14.882Z",
            "Size": 10
        }
    ]
}

03 Run aws kms list-aliases command (OSX/Linux/UNIX) using the same AWS region as the EBS volume to return the KMS key alias (name) used for encryption: 

aws kms list-aliases
	--region us-east-1

04 The command output should return all the KMS keys metadata. Now compare and match the KMS key ARN ID returned earlier with each key TargetKeyID parameter value and find the alias for the key used to encrypt the volume: 

{
    "Aliases": [
        {
            "AliasArn": "arn:aws:kms:us-east-1:
                         123456789012:alias/aws/ebs",
            "AliasName": "alias/aws/ebs",
            "TargetKeyId": "d6c03026-b0bd-451e-a864-a68355f4f035"
        },
        {
            "AliasArn": "arn:aws:kms:us-east-1:
                         123456789012:alias/aws/rds",
            "AliasName": "alias/aws/rds"
        },
        {
            "AliasArn": "arn:aws:kms:us-east-1:
                         123456789012:alias/aws/s3",
            "AliasName": "alias/aws/s3"
        }
    ]
}

If the alias for the matched ID is “alias/aws/ebs”, the key used for encryption is a default key / AWS-managed key. To use your own CMK customer-managed key, see the Remediation / Resolution section.

Remediation / Resolution

To use your own CMK customer-managed key to encrypt an EBS volume, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

4 Select the appropriate AWS region from the Filter menu:

Select the appropriate AWS region from the Filter menu

(must match the region where the AWS resource that will use the key was created).

05 Click Create Key button from the top menu.

06 Enter an alias (name) and a description for the new CMK, then click Next Step.

07 Under Key Administrators section, select which IAM users and/or roles can administer the CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the CMK to encrypt/decrypt data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt data. The owners of the external AWS accounts must also provide access to this CMK by creating policies for their IAM users.

10 Click Next Step.

11 Under Preview Key Policy section, click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: “Your master key was created successfully. Alias: (the CMK display name)

12 Now the CMK must be implemented to encrypt/decrypt the EBS volume data. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

13 In the navigation panel, under Elastic Block Store, click Volumes and select your EBS volume.

14 Click the Actions dropdown button from the dashboard top menu and select Create p.

15 In the Create Snapshot dialog box, provide a name and a description for the snapshot (optional) and click Create.

16 In the navigation panel, under Elastic Block Store, click Snapshots.

17 Select your newly created EBS snapshot.

18 Click the Actions dropdown button from the dashboard top menu and select Copy.

19 If the source volume is not encrypted, in the Copy Snapshot dialog box, select Encrypt this snapshot. Once the feature is enabled, select your new CMK customer-managed key from the Master Key dropdown list:

select your new CMK customer-managed key from the Master Key dropdown list

and click Copy.

20 If the source volume is encrypted with a default (aws/ebs), in the Copy Snapshot dialog box, under Master Key select your CMK customer-managed key:

select your new CMK customer-managed key from the Master Key dropdown list

and click Copy.

21 Select the new (copied) EBS snapshot.

22 Click the Actions dropdown button from the dashboard top menu and select Create Volume.

23 In the Create Volume dialog box, review the volume configuration details and click Create.

24 Click the Actions dropdown button from the dashboard top menu and select Detach Volume.

25 In the Detach Volume dialog box click Yes, Detach.

26 Go back to the navigation panel and click Volumes.

27 Select the original (source) EBS volume.

28 Select the newly created EBS volume (encrypted with the new customer-managed key).

29 Click the Actions dropdown button from the top menu and select Attach Volume.

30 In the Attach Volume dialog box enter your EC2 instance ID and the device name for attachment, then click Attach.

31 Select the Description tab from the bottom panel and make sure the new EBS volume use your own CMK customer-managed key by checking the KMS Key Aliases value:

checking the KMS Key Aliases

Using AWS CLI

01 Create a policy that enables the selected IAM users and/or roles to administer the new CMK and the selected IAM users and/or roles to encrypt/decrypt data using the KMS API. Create a new policy document called ebs-cmk-policy.json and paste the following (replace the highlighted details - the ARNs for the IAM users and/or roles - with your details): 

{
  "Version": "2012-10-17",
  "Id": "key-policy-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/EC2Manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/EC2Admin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/EC2Admin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the AWS region where the data resource is located and the policy name created earlier (ebs-cmk-policy.json) to create the new CMK customer-managed key: 

aws kms create-key
	--region us-east-1
	--description 'CMK used for EBS volumes data encryption'
	--policy file://ebs-cmk-policy.json

03 The command output should return the new CMK metadata: 

{
    "KeyMetadata": {
        "KeyId": "146e5259-68af-4501-82d3-8fef8b3a50bc",
        "Description": "CMK used for EBS volumes data encryption",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1460740376.447,
        "Arn": "arn:aws:kms:us-east-1:123456789012:
                key/146e5259-68af-4501-82d3-8fef8b3a50bc",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the newly created key ARN to attach an alias (display name) to the CMK. The alias name must start with the prefix "alias/": 

aws kms create-alias
	--alias-name alias/MyEBSDataCMK
	--target-key-id
arn:aws:kms:us-east-1:123456789012:key/146e5259-68af-4501-82d3-8fef8b3a50bc

05 Once the CMK is created it must be implemented to encrypt/decrypt the EBS volume data. Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from your existing volume (regardless the volume encryption status). The following example use an EBS volume with the ID vol-f7f65326: 

aws ec2 create-snapshot
	--volume-id vol-f7f65326

06 The command output should reveal the EBS snapshot ID: 

{
    "Description": "",
    "Encrypted": true,
    "VolumeId": "vol-f7f65326",
    "State": "pending",
    "VolumeSize": 10,
    "Progress": "",
    "StartTime": "2016-04-15T18:04:15.000Z",
    "SnapshotId": "snap-a17c63a0",
    "OwnerId": "123456789012"
}

07 Run copy-snapshot command (OSX/Linux/UNIX) to create a copy of the existent EBS snapshot using its ID as the data source ID and the new CMK customer-managed key ARN: 

aws
	--region us-east-1 ec2 copy-snapshot
	--source-region us-east-1
	--source-snapshot-id snap-a17c63a0
	--encrypted
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/146e5259-68af-4501-82d3-8fef8b3a50bc

09 The command output should return the new EBS snapshot ID (snapshot copy):

{
    "SnapshotId": "snap-f1619dbf"
}

10 Run create-volume command (OSX/Linux/UNIX) to create a new EBS volume from the encrypted snapshot. The following example describes creating an EBS volume from a source snapshot with the ID snap-f1619dbf:

aws ec2 create-volume
	--region us-east-1
	--availability-zone us-east-1a
	--snapshot-id snap-f1619dbf
	--volume-type gp2

11 The command output should reveal the new encrypted EBS volume ID:

{
    "AvailabilityZone": "us-east-1a",
    "Encrypted": true,
    "VolumeType": "gp2",
    "VolumeId": "vol-cfd97f1e",
    "State": "creating",
    "Iops": 30,
    "SnapshotId": "snap-f1619dbf",
    "CreateTime": "2016-04-15T18:21:03.779Z",
    "Size": 10
}

12 Run detach-volume command (OSX/Linux/UNIX) to detach the original (source) EBS volume. The following example describes detaching an EBS volume with the ID vol-f7f65326:

aws ec2 detach-volume
	--volume-id vol-f7f65326

13 To attach the new EBS volume (encrypted with your CMK customer-managed key) to the EC2 instance run attach-volume command (OSX/Linux/UNIX). The following example describes attaching an EBS volume with the ID vol-cfd97f1e to an EC2 instance with the ID i-b969a624: 

aws ec2 attach-volume
	--volume-id vol-cfd97f1e
	--instance-id i-b969a624
	--device /dev/sdf

14 The command output should return the encrypted EBS volume state (attaching in this case) : 

{
    "AttachTime": "2016-04-15T18:28:46.112Z",
    "InstanceId": "i-b969a624",
    "VolumeId": "vol-cfd97f1e",
    "State": "attaching",
    "Device": "/dev/sdf"
}

References

Publication date Apr 18, 2016

Related EBS rules