In the AWS Key Management Service Best Practices whitepaper, in the section on Data at Rest Encryption with Amazon EBS, it states:
> There are two methods to ensure that EBS volumes are always encrypted. You can verify that the encryption flag as part of the `CreateVolume` context is set to "true" through an IAM policy. If the flag is not "true" then the IAM policy can prevent an individual from creating the EBS volume.
How can I do this? I'd imagine the policy would look something like:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1509465260000",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Based on the whitepaper and the docs, the `Bool` condition on the `ec2:Encrypted` key makes the most sense, but when trying to create an encrypted volume, I'm getting access denied.
What am I missing in the statement?
You will need additional permissions to create encrypted volumes:
1) ec2:DescribeAvailabilityZones
2) kms:*
Note: I did not drill down into KMS for the minimum permissions to use KMS encryption keys. If you want to create volumes from snapshots then you will need to add `ec2:DescribeSnapshots`.
Example policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1509465260000",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    }
  ]
}
```
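To see why the original single-statement policy fails and what the answer's extra statements change, here is a small local model of IAM's evaluation rule (explicit Deny wins, then any matching Allow, otherwise implicit deny) run over the answer's policy. This is an added example, not code from either post or from AWS: the `DenyUnencryptedVolumes` statement is an assumed hardening variant that is not in the answer, the request contexts are constructed, and only the `Bool` operator is modelled.

```python
import json

# Constructed policy for this example: the three statements from the answer above,
# plus an explicit Deny on ec2:CreateVolume when ec2:Encrypted is false. That Deny
# statement is an assumption added here for illustration, not part of the answer.
ENCRYPTED_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeAvailabilityZones"], "Resource": "*"},
        {
            "Sid": "AllowEncryptedVolumes",
            "Effect": "Allow",
            "Action": ["ec2:CreateVolume"],
            "Resource": "*",
            "Condition": {"Bool": {"ec2:Encrypted": "true"}},
        },
        {
            "Sid": "DenyUnencryptedVolumes",  # assumed hardening statement, see lead-in
            "Effect": "Deny",
            "Action": ["ec2:CreateVolume"],
            "Resource": "*",
            "Condition": {"Bool": {"ec2:Encrypted": "false"}},
        },
    ],
}


def _action_matches(patterns, action):
    """Match an action against statement patterns; supports the trailing-* form such as kms:*."""
    for pattern in patterns:
        if pattern == action:
            return True
        if pattern.endswith("*") and action.startswith(pattern[:-1]):
            return True
    return False


def _condition_matches(condition, context):
    """Evaluate the Bool operator only (the one used on this page).

    A condition key absent from the request context does not match, which is IAM's
    behaviour for operators without the ...IfExists suffix.
    """
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} is not modelled in this example")
        for key, expected in pairs.items():
            if key not in context:
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    Follows IAM's evaluation order: a matching Deny wins outright, otherwise a
    matching Allow grants access, otherwise the request is implicitly denied.
    """
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not _action_matches(actions, action):
            continue
        if not _condition_matches(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def check_create_volume_requests(policy=ENCRYPTED_ONLY_POLICY):
    """Run constructed request contexts through the policy and return the decisions."""
    # Constructed contexts: ec2:Encrypted mirrors the Encrypted flag on the CreateVolume call.
    requests = {
        "encrypted_volume": ("ec2:CreateVolume", {"ec2:Encrypted": "true"}),
        "unencrypted_volume": ("ec2:CreateVolume", {"ec2:Encrypted": "false"}),
        "flag_absent": ("ec2:CreateVolume", {}),
        "describe_azs": ("ec2:DescribeAvailabilityZones", {}),
        "kms_data_key": ("kms:GenerateDataKeyWithoutPlaintext", {}),
        "describe_snapshots": ("ec2:DescribeSnapshots", {}),
    }
    return {name: evaluate(policy, action, ctx) for name, (action, ctx) in requests.items()}


if __name__ == "__main__":
    print(json.dumps(check_create_volume_requests(), indent=2))
```

The `describe_snapshots` case lands on `ImplicitDeny`, which is the answer's point about needing that extra permission for snapshot-backed volumes. The `flag_absent` case shows why the Allow-with-condition form from the whitepaper is the one to rely on: a `Bool` condition on a key that is missing from the request context matches neither the Allow nor the Deny, so the request falls through to implicit deny rather than being granted.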