- EBS Encrypted With KMS Customer Master Keys
Ensure that your Amazon EBS volumes are using customer-managed Customer Master Keys (CMKs) instead of AWS-managed keys for data encryption, in order to have full control over the data encryption and decryption process and to meet compliance requirements. Once CMK-based encryption is enabled, your customer-managed Customer Master Keys will be used to encrypt Amazon EBS volume data, volume snapshots, and disk I/O.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you use your own Amazon KMS Customer Master Keys (CMKs) to protect your EBS data, you have complete control over who can use the master keys to access your data, implementing the Principle of Least Privilege (POLP) on encryption key ownership and usage. Amazon KMS service allows you to easily create, rotate, disable, and audit customer-managed Customer Master Keys (CMKs) for your Amazon EBS volumes.
Audit
To determine if your Amazon EBS volumes are encrypted using Customer Master Keys (CMKs), perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.
03 In the navigation panel, under Elastic Block Store, choose Volumes.
04 Select the Amazon EBS volume that you want to examine.
05 Choose the Description tab from the console bottom panel and check the KMS Key Aliases attribute value. If the KMS Key Aliases attribute does not have a value assigned and the Encryption attribute value is set to Not Encrypted, the selected Amazon EBS volume is not encrypted. If the KMS Key Aliases value is set to aws/ebs, the selected Amazon EBS volume is encrypted using an AWS-managed master key instead of a customer-managed Customer Master Key (CMK).
06 Repeat steps no. 4 and 5 for each Amazon EBS volume provisioned within the current AWS region.
07 Change the AWS cloud region from the navigation bar and perform the Audit process for other regions.
Using AWS CLI
01 Run describe-volumes command (OSX/Linux/UNIX) with custom query filters to describe the ID of each Amazon EBS volume provisioned in the selected AWS cloud region:
aws ec2 describe-volumes --region us-east-1 --query 'Volumes[*].VolumeId'
02 The command output should return the requested volume ID(s):
[ "vol-0abcd1234abcd1234", "vol-01234abcd1234abcd", "vol-0abcdabcd12341234" ]
03 Run describe-volumes command (OSX/Linux/UNIX) using the ID of the Amazon EBS volume that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the master key used to encrypt the selected volume:
aws ec2 describe-volumes --region us-east-1 --volume-ids vol-0abcd1234abcd1234 --query 'Volumes[*].KmsKeyId'
04 The command output should return the requested Amazon Resource Name (ARN). If the describe-volumes command output returns an empty array instead (i.e. []), the selected Amazon EBS volume is not encrypted. Otherwise, the command output should return the ARN of the associated master key:
[ "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd" ]
05 Run describe-key command (OSX/Linux/UNIX) using the ARN of the master key returned at the previous step as the identifier parameter to describe the manager of the specified key:
aws kms describe-key --region us-east-1 --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd --query 'KeyMetadata.KeyManager'
06 The command output should return the master key manager ("AWS" if the master key is AWS-managed, and "CUSTOMER" if the key is customer-managed):
"AWS"
If the describe-key command output returns "AWS", as shown in the example above, the selected Amazon EBS volume is encrypted using an AWS-managed master key instead of a customer-managed Customer Master Key (CMK).
07 Repeat steps no. 3 – 6 for each Amazon EBS volume available in the selected AWS region.
08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
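The CLI audit above (steps 01 to 06) automated as an added example; this is not code from the Conformity page. The per-volume decision is separated from the AWS calls so it runs offline against constructed sample data shaped like the describe-volumes and describe-key output shown above; audit_region assumes boto3 is installed and credentials are configured.

```python
from typing import Callable, Dict, List

# Constructed sample data shaped like the describe-volumes / describe-key
# output in the Audit steps above (not output from a real account).
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0abcd1234abcd1234", "Encrypted": False},
    {"VolumeId": "vol-01234abcd1234abcd", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"},
    {"VolumeId": "vol-0abcdabcd12341234", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"},
]
# KeyMetadata.KeyManager per key ARN, as describe-key would report it (constructed).
SAMPLE_KEY_MANAGERS = {
    "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd": "AWS",
    "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234": "CUSTOMER",
}

def classify_volume(volume: dict, key_manager_of: Callable[[str], str]) -> str:
    """Return NOT_ENCRYPTED, AWS_MANAGED or CUSTOMER_MANAGED; key_manager_of(arn) returns KeyMetadata.KeyManager."""
    key_arn = volume.get("KmsKeyId")
    if not volume.get("Encrypted") or not key_arn:   # step 04: no KmsKeyId means not encrypted
        return "NOT_ENCRYPTED"
    if key_manager_of(key_arn) == "AWS":             # step 06: the aws/ebs default key
        return "AWS_MANAGED"
    return "CUSTOMER_MANAGED"

def audit_volumes(volumes: List[dict], key_manager_of: Callable[[str], str]) -> Dict[str, List[str]]:
    """Group volume IDs by finding; only CUSTOMER_MANAGED volumes pass the rule."""
    findings: Dict[str, List[str]] = {"NOT_ENCRYPTED": [], "AWS_MANAGED": [], "CUSTOMER_MANAGED": []}
    for vol in volumes:
        findings[classify_volume(vol, key_manager_of)].append(vol["VolumeId"])
    return findings

def audit_region(region: str) -> Dict[str, List[str]]:
    """Same audit against a live account; assumes boto3 and credentials are available."""
    import boto3  # imported here so the offline sample below runs without it
    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    cache: Dict[str, str] = {}   # one describe-key call per distinct key ARN

    def key_manager_of(arn: str) -> str:
        if arn not in cache:
            cache[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
        return cache[arn]

    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate()
               for v in page["Volumes"]]
    return audit_volumes(volumes, key_manager_of)

if __name__ == "__main__":
    print(audit_volumes(SAMPLE_VOLUMES, SAMPLE_KEY_MANAGERS.__getitem__))
```

Run audit_region once per region (step 08) and treat every volume outside CUSTOMER_MANAGED as a finding.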
Remediation / Resolution
To use customer-managed Customer Master Keys to encrypt your Amazon EBS volumes, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create and Attach KMS-Encrypted EBS Volume",
  "Resources": {
    "KMSEncryptedEBSVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "SnapshotId": "snap-01234abcd1234abcd",
        "VolumeType": "gp2",
        "Encrypted": "true",
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
        "AvailabilityZone": "us-east-1d"
      }
    },
    "MountPoint": {
      "Type": "AWS::EC2::VolumeAttachment",
      "Properties": {
        "InstanceId": "i-0abcd1234abcd1234",
        "VolumeId": { "Ref": "KMSEncryptedEBSVolume" },
        "Device": "/dev/sdf"
      }
    }
  }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Create and Attach KMS-Encrypted EBS Volume
Resources:
  KMSEncryptedEBSVolume:
    Type: AWS::EC2::Volume
    Properties:
      SnapshotId: snap-01234abcd1234abcd
      VolumeType: gp2
      Encrypted: 'true'
      KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
      AvailabilityZone: us-east-1d
  MountPoint:
    Type: AWS::EC2::VolumeAttachment
    Properties:
      InstanceId: i-0abcd1234abcd1234
      VolumeId:
        Ref: KMSEncryptedEBSVolume
      Device: "/dev/sdf"
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_ebs_snapshot" "ebs-snapshot" {
  volume_id = "vol-01234abcd1234abcd"
}

resource "aws_ebs_volume" "encrypted-ebs-volume" {
  snapshot_id       = aws_ebs_snapshot.ebs-snapshot.id
  type              = "gp2"
  encrypted         = true
  kms_key_id        = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
  availability_zone = "us-east-1c"
}

resource "aws_volume_attachment" "encrypted-volume-attachment" {
  device_name = "/dev/sdf"
  volume_id   = aws_ebs_volume.encrypted-ebs-volume.id
  instance_id = "i-0abcd1234abcd1234"
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon KMS console at https://console.aws.amazon.com/iam/.
03 In the navigation panel, under Key Management Service (KMS), select Customer managed keys.
04 Choose the Create Key button from the console top menu to initiate the CMK setup process.
05 For Step 1 Configure key, perform the following actions:
- Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
- Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
- Under Advanced options, for Regionality, select whether to allow the new key to be replicated into other AWS regions.
- Choose Next to continue.
06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in the Description – optional box. (Optional) Use the Add tag button to create tags in order to categorize and identify your CMK. Choose Next to continue the setup process.
07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.
08 For Step 4 Define key usage permissions, within the This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your EBS volume data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Next to continue.
09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your new Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".
10 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.
11 In the navigation panel, under Elastic Block Store, choose Volumes.
12 Select the Amazon EBS volume that you want to encrypt using your new customer-managed Customer Master Key (CMK).
13 Choose the Actions dropdown button from the console top menu and select Create Snapshot.
14 On the Create Snapshot setup page, provide a short description in the Description box, then choose Create Snapshot. Choose Close to return to the Amazon EC2 console.
15 In the navigation panel, under Elastic Block Store, choose Snapshots.
16 Select the newly created EBS volume snapshot, choose Actions, and select Copy.
17 In the Copy Snapshot configuration box, select the Encrypt this snapshot checkbox, choose the customer-managed Customer Master Key (CMK) created earlier in the Remediation section from the Master key dropdown list, and choose Copy. Click Close to return to the Snapshots page.
18 Select the new (copied) EBS volume snapshot, choose Actions, and select Create Volume.
19 On the Create Volume setup page, make sure that the appropriate customer-managed Customer Master Key (CMK) is selected from the Master Key dropdown list, review the volume configuration details, then choose Create Volume to provision your new Amazon EBS volume. Click Close to return to the EC2 console.
20 (Optional) To replace the EBS volume encrypted with the AWS-managed key with the one encrypted with customer-managed CMK within the Amazon EC2 instance configuration, perform the following actions:
- In the navigation panel, under Elastic Block Store, choose Volumes.
- Select the original Amazon EBS volume, encrypted with the AWS-managed master key.
- Choose the Actions dropdown button from the console top menu and select Detach Volume.
- Inside the Detach Volume dialog box, choose Yes, Detach.
- Select the newly created Amazon EBS volume, encrypted with the new Customer Master Key (CMK).
- Choose the Actions button from the console top menu and select Attach Volume.
- In the Attach Volume configuration box, select the ID of the Amazon EC2 instance from which the original volume was detached earlier in this step from the Instance box, provide the device name required for attachment in the Device box, then choose Attach to attach the new EBS volume.
21 Repeat steps no. 12 – 20 to configure customer-managed Customer Master Keys (CMKs) for other EBS volumes provisioned within the current AWS region.
22 Change the AWS cloud region from the navigation bar and perform the Remediation process for other regions.
Using AWS CLI
01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your Amazon EBS data using the KMS API. Create a new policy document (JSON format), name the file ebs-volume-cmk-policy.json, and paste the following content (replace the placeholders, i.e. the AWS account ID and the ARNs for the IAM users and/or roles, with your own details):
{
  "Id": "ebs-volume-key-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<aws-account-id>:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>" },
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>" },
      "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
      "Resource": "*",
      "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } }
    }
  ]
}
02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. ebs-volume-cmk-policy.json) as value for the --policy parameter, to create your new customer-managed Customer Master Key (CMK):
aws kms create-key --region us-east-1 --description 'Customer Master Key for EBS Volume Encryption' --policy file://ebs-volume-cmk-policy.json --query 'KeyMetadata.Arn'
03 The command output should return the ARN of the new Customer Master Key (CMK):
"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):
aws kms create-alias --region us-east-1 --alias-name alias/EBSVolumeCMK --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
05 Once your new Customer Master Key (CMK) is available for use, re-create the Amazon EBS volume(s) that you want to encrypt using the new CMK. Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from the specified EBS volume:
aws ec2 create-snapshot --region us-east-1 --volume-id vol-0abcd1234abcd1234
06 The output should return the create-snapshot command request metadata:
{
  "Description": "",
  "Tags": [],
  "Encrypted": true,
  "VolumeId": "vol-0abcd1234abcd1234",
  "State": "pending",
  "VolumeSize": 150,
  "StartTime": "2021-06-20T11:37:31.000Z",
  "Progress": "",
  "OwnerId": "123456789012",
  "SnapshotId": "snap-0abcd1234abcd1234"
}
07 Run copy-snapshot command (OSX/Linux/UNIX) to copy the EBS volume snapshot created at the previous steps. Use the --kms-key-id command parameter to encrypt the snapshot copy with your new customer-managed Customer Master Key (CMK):
aws ec2 copy-snapshot --region us-east-1 --source-region us-east-1 --source-snapshot-id snap-0abcd1234abcd1234 --encrypted --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
08 The command output should return the ID of the new EBS volume snapshot:
{ "SnapshotId": "snap-01234abcd1234abcd" }
09 Run create-volume command (OSX/Linux/UNIX) to create a new Amazon EBS volume from the encrypted snapshot (copy) created at the previous steps. Make sure to include the --kms-key-id command parameter to encrypt the new EBS volume with your own Customer Master Key (CMK):
aws ec2 create-volume --region us-east-1 --volume-type gp2 --size 150 --availability-zone us-east-1a --snapshot-id snap-01234abcd1234abcd --encrypted --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
10 The command output should return the metadata available for the new Amazon EBS volume:
{
  "AvailabilityZone": "us-east-1a",
  "MultiAttachEnabled": false,
  "Tags": [],
  "Encrypted": true,
  "VolumeType": "gp2",
  "VolumeId": "vol-0abcdabcdabcdabcd",
  "State": "creating",
  "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
  "SnapshotId": "snap-01234abcd1234abcd",
  "Iops": 450,
  "CreateTime": "2021-06-28T11:00:00.000Z",
  "Size": 150
}
11 To replace the volume encrypted with the AWS-managed key with the one encrypted with customer-managed CMK within your Amazon EC2 instance configuration, perform the following operations:
- Run detach-volume command (OSX/Linux/UNIX) to detach the original Amazon EBS volume, encrypted with the AWS-managed key, from the specified EC2 instance:
aws ec2 detach-volume --region us-east-1 --volume-id vol-0abcd1234abcd1234
- The output should return the detach-volume command request metadata:
{
  "AttachTime": "2021-06-28T12:00:19.000Z",
  "InstanceId": "i-01234123412341234",
  "VolumeId": "vol-0abcd1234abcd1234",
  "State": "detaching",
  "Device": "/dev/sdf"
}
- To attach the new Amazon EBS volume (encrypted with the customer-managed CMK) to the selected EC2 instance, run attach-volume command (OSX/Linux/UNIX):
aws ec2 attach-volume --region us-east-1 --volume-id vol-0abcdabcdabcdabcd --instance-id i-01234123412341234 --device /dev/sdf
- The output should return the attach-volume command request metadata:
{
  "AttachTime": "2021-06-28T13:00:19.000Z",
  "InstanceId": "i-01234123412341234",
  "VolumeId": "vol-0abcdabcdabcdabcd",
  "State": "attaching",
  "Device": "/dev/sdf"
}
12 Repeat steps no. 6 – 11 to configure customer-managed Customer Master Keys (CMKs) for other EBS volumes available in the selected AWS region.
13 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
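A check for the key policy document from step 01 of the CLI remediation above, added here as an example and not part of the Conformity page: it flags unfilled placeholders, a missing account-root statement, missing EBS key-usage actions, wildcard principals, and a CreateGrant statement without the kms:GrantIsForAWSResource condition. The embedded policy is a constructed, abbreviated copy of the step 01 document (the Key Administrators statement is omitted), and the role ARN arn:aws:iam::123456789012:role/ebs-volume-role is an assumed placeholder.

```python
import json
import re
from typing import List
# Constructed, abbreviated copy of the ebs-volume-cmk-policy.json document from
# step 01 above (administrator statement omitted), one placeholder left unfilled.
POLICY_JSON = json.dumps({
    "Id": "ebs-volume-key-policy", "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::<aws-account-id>:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ebs-volume-role"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ebs-volume-role"},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]})

PLACEHOLDER = re.compile(r"<[^>]+>")   # <aws-account-id>, <role-name>, ...
# Operations EBS performs on the key when creating/attaching an encrypted volume.
EBS_USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"}

def as_list(value) -> list:
    return value if isinstance(value, list) else [value]

def lint_key_policy(policy_json: str) -> List[str]:
    """Return problems that would break or weaken the key policy for EBS; [] means OK."""
    problems = []
    found = sorted(set(PLACEHOLDER.findall(policy_json)))
    if found:
        problems.append("unfilled placeholder: " + ", ".join(found))
    allows = [s for s in json.loads(policy_json)["Statement"] if s.get("Effect") == "Allow"]
    # Without the account-root kms:* statement, IAM policies cannot grant access to this key.
    if not any(":root" in json.dumps(s.get("Principal")) and "kms:*" in as_list(s.get("Action"))
               for s in allows):
        problems.append("no account-root statement enabling IAM permissions")
    missing = EBS_USE_ACTIONS - {a for s in allows for a in as_list(s.get("Action"))}
    if missing:
        problems.append("key-usage statement lacks: " + ", ".join(sorted(missing)))
    for s in allows:
        principal = s.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append(f"{s.get('Sid')}: wildcard principal opens the key to any account")
        # EBS attaches volumes via grants; CreateGrant should be limited to AWS resources.
        if "kms:CreateGrant" in as_list(s.get("Action")):
            cond = s.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if str(cond).lower() != "true":
                problems.append(f"{s.get('Sid')}: CreateGrant not restricted to AWS resources")
    return problems
```

Run lint_key_policy on the contents of ebs-volume-cmk-policy.json before passing it to create-key; an empty list means the document is ready for step 02.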
References
- AWS Documentation
- Amazon Elastic Block Store (Amazon EBS)
- Amazon EBS encryption
- Copy an Amazon EBS snapshot
- AWS Key Management Service
- AWS KMS concepts
- Creating keys
- AWS Command Line Interface (CLI) Documentation
- kms
- describe-key
- create-key
- create-alias
- ec2
- describe-volumes
- create-snapshot
- copy-snapshot
- create-volume
- detach-volume
- attach-volume
- CloudFormation Documentation
- Amazon Elastic Compute Cloud resource type reference
- Terraform Documentation
- AWS Provider