AWS IAM policy to enforce new EBS volumes are encrypted

In the AWS Key Management Service Best Practices whitepaper, in the section on Data at Rest Encryption with Amazon EBS, it states:

There are two methods to ensure that EBS volumes are always encrypted. You can verify that the encryption flag as part of the CreateVolume context is set to “true” through an IAM policy. If the flag is not “true” then the IAM policy can prevent an individual from creating the EBS volume.

How can I do this? I'd imagine the policy would look something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1509465260000",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    }
  ]
}

Based on the whitepaper and the docs, the Bool condition on the ec2:Encrypted key makes the most sense, but when trying to create an encrypted volume, I'm getting access denied.

What am I missing in the statement?

asked Oct 31 '17 16:10 by maafk

1 Answer

You will need additional permissions to create encrypted volumes:

1) ec2:DescribeAvailabilityZones

2) kms:*

Note: I did not drill down into KMS for the minimum permissions to use KMS encryption keys. If you want to create volumes from snapshots then you will need to add ec2:DescribeSnapshots.

Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Stmt1509465260000",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume"
            ],
            "Condition": {
                "Bool": {
                    "ec2:Encrypted": "true"
                }
            },
            "Resource": [
                "*"
            ]
        }
    ]
}

answered Nov 03 '22 00:11 by John Hanley
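As an added example (not part of the question or of John Hanley's answer), the script below models the slice of IAM policy evaluation that matters for this thread: Allow/Deny effects, Action matching and the Bool condition on ec2:Encrypted. It makes no AWS calls. The policy names ALLOW_ENCRYPTED_ONLY, DENY_UNENCRYPTED and BROAD_EC2_ALLOW, the evaluate() function and the request contexts are all constructed for this illustration. It shows three things the thread touches on: the question's conditional Allow does grant encrypted CreateVolume while leaving the Describe calls the console and CLI make ungranted (the gap the answer fills with separate statements); that same conditional Allow stops restricting anything as soon as another statement grants ec2:*; and an explicit Deny on "ec2:Encrypted": "false" is what actually prevents an unencrypted volume, because a Deny wins over every Allow.

```python
import fnmatch

# --- Policies under test -----------------------------------------------------

# The statement from the question: an Allow that applies only when the
# request context carries ec2:Encrypted = true.
ALLOW_ENCRYPTED_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:CreateVolume"],
        "Resource": "*",
        "Condition": {"Bool": {"ec2:Encrypted": "true"}},
    }],
}

# The enforcing form: an explicit Deny when the flag is false. A Deny wins
# over any Allow granted elsewhere, so this is what prevents unencrypted
# volumes regardless of what other policies the principal carries.
DENY_UNENCRYPTED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:CreateVolume"],
        "Resource": "*",
        "Condition": {"Bool": {"ec2:Encrypted": "false"}},
    }],
}

# Constructed for the example: a broad EC2 grant of the kind many roles carry.
BROAD_EC2_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# --- Toy evaluator: Allow/Deny, Action globbing, Bool condition only --------

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(stmt, action):
    # IAM action names are case-insensitive and may contain '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt["Action"]))

def _condition_matches(stmt, ctx):
    # Only the Bool operator is modelled. As in IAM, a condition key that is
    # absent from the request context makes the condition false (no
    # ...IfExists variant here), so a Deny keyed on "false" does not fire
    # when the key is missing.
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in ctx or str(ctx[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(policies, action, ctx):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one request.

    Mirrors the identity-policy core of IAM evaluation: a matching Deny wins,
    otherwise a matching Allow allows, otherwise the request is implicitly
    denied. SCPs, permission boundaries, resource policies and resource ARN
    matching are deliberately left out.
    """
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt, action) or not _condition_matches(stmt, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision

# Request contexts as ec2:CreateVolume presents them (constructed here).
ENCRYPTED = {"ec2:Encrypted": "true"}
UNENCRYPTED = {"ec2:Encrypted": "false"}
CREATE = "ec2:CreateVolume"

def scenarios():
    """Decisions for the policy combinations discussed on the page."""
    return {
        # The question's policy alone: encrypted allowed, unencrypted not ...
        "allow_only/encrypted": evaluate([ALLOW_ENCRYPTED_ONLY], CREATE, ENCRYPTED),
        "allow_only/unencrypted": evaluate([ALLOW_ENCRYPTED_ONLY], CREATE, UNENCRYPTED),
        # ... but the Describe call made before CreateVolume is not granted.
        "allow_only/describe_azs": evaluate([ALLOW_ENCRYPTED_ONLY],
                                            "ec2:DescribeAvailabilityZones", {}),
        # Next to a broad grant the conditional Allow restricts nothing.
        "allow_only+broad/unencrypted": evaluate([ALLOW_ENCRYPTED_ONLY, BROAD_EC2_ALLOW],
                                                 CREATE, UNENCRYPTED),
        # The explicit Deny holds even next to the broad grant.
        "deny+broad/unencrypted": evaluate([DENY_UNENCRYPTED, BROAD_EC2_ALLOW], CREATE, UNENCRYPTED),
        "deny+broad/encrypted": evaluate([DENY_UNENCRYPTED, BROAD_EC2_ALLOW], CREATE, ENCRYPTED),
    }

if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:32} {decision}")
```

Two caveats when carrying this to a real account. The Deny above only covers ec2:CreateVolume; volumes created at instance launch through block device mappings are authorized under ec2:RunInstances, so the same Bool condition on ec2:Encrypted has to be applied to RunInstances against volume resources as well, or that path stays open. And the toy evaluator is only a model: before relying on a policy, run the real one through the IAM policy simulator (for example aws iam simulate-custom-policy with ec2:Encrypted supplied as a context entry) against both the encrypted and the unencrypted request.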