Amazon EC2 Auto Scaling
User Guide


Required CMK Key Policy for Use with Encrypted Volumes

When creating an encrypted Amazon EBS snapshot or a launch template that specifies encrypted volumes, or when enabling encryption by default, you can choose one of the following AWS Key Management Service customer master keys (CMKs) to encrypt your data:

  • AWS managed CMK — An encryption key in your account that Amazon EBS creates, owns, and manages. This is the default encryption key for a new account. The AWS managed CMK is used for encryption unless you specify a customer managed CMK.

  • Customer managed CMK — A custom encryption key that you create, own, and manage. For more information, see Creating Keys in the AWS Key Management Service Developer Guide.

Amazon EC2 Auto Scaling does not need additional authorization to use the default AWS managed CMK to protect the encrypted volumes in your AWS account.

If you specify a customer managed CMK for Amazon EBS encryption, you (or your account administrator) must give the appropriate service-linked role access to the CMK, so that Amazon EC2 Auto Scaling can launch instances on your behalf. To do this, you must modify the CMK's key policy either when the CMK is created or at a later time.

Configuring Key Policies

Use the examples on this page to configure a key policy to give Amazon EC2 Auto Scaling access to your customer managed CMK. You must, at minimum, add two policy statements to your CMK's key policy for it to work with Amazon EC2 Auto Scaling.

  • The first statement allows the IAM identity specified in the Principal element to use the CMK directly. It includes permissions to perform the AWS KMS Encrypt, Decrypt, ReEncrypt*, GenerateDataKey*, and DescribeKey operations on the CMK.

  • The second statement allows the IAM identity specified in the Principal element to create grants, which delegate a subset of its own permissions to AWS services that are integrated with AWS KMS (or to another principal). This lets those services use the CMK to create encrypted resources on your behalf.

When you add the new policy statements to your CMK policy, do not change any existing statements in the policy.

In each of the following examples, values that you must replace, such as the account ID, the key ID, or the name of a service-linked role, are shown as example values (for instance, the account IDs 123456789012, 111122223333, and 444455556666). In most cases, you can replace the name of the service-linked role with the name of an Amazon EC2 Auto Scaling service-linked role. However, when using a launch configuration to launch Spot Instances, use the role named AWSServiceRoleForEC2Spot.


Editing Key Policies in the Console

The examples in the following sections show only how to add statements to a key policy, which is just one way of changing a key policy. The easiest way to change a key policy is to use the AWS KMS console's default view for key policies and make an IAM entity (user or role) one of the key users for the appropriate key policy. For more information, see Using the AWS Management Console Default View in the AWS Key Management Service Developer Guide.

Important

Be cautious. The key-user statements that the console's default view adds include permission to perform the AWS KMS RevokeGrant operation on the CMK. If you have given another AWS account access to a CMK in your account, and a principal with that permission accidentally revokes the grant that gave the external account its access, the external users can no longer use the key or decrypt the data that was encrypted under it.

Example: CMK Key Policy Sections That Allow Access to the CMK

Add the following two policy statements to the Statement array of the customer managed CMK's key policy, replacing the example ARN with the ARN of the service-linked role that should be allowed access to the CMK. In this example, the statements give the service-linked role named AWSServiceRoleForAutoScaling in account 123456789012 permission to use the customer managed CMK.

{
  "Sid": "Allow use of the CMK",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    ]
  },
  "Action": [
    "kms:CreateGrant"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": true
    }
  }
}
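The two statements above are appended to a key policy that already has other statements, and those must not be changed. The following is an added example (not code from the AWS documentation) that works offline on the JSON returned by aws kms get-key-policy --policy-name default: it reports which of the required permissions a given service-linked role is still missing, and it returns a copy of the policy with the two statements appended without touching the existing ones. The sample starting policy is constructed here (the default policy AWS KMS creates, which grants only the account root), and the "kms:*" wildcard handling via fnmatch is an assumption of this checker, not an IAM policy evaluator; Deny statements and conditions other than GrantIsForAWSResource are ignored.

```python
"""Check and extend a KMS key policy for the EC2 Auto Scaling service-linked role.

Added example; not part of the AWS documentation. Input is the JSON document
from `aws kms get-key-policy --policy-name default`, so it runs offline.
Applying the output with `aws kms put-key-policy` is left to the operator.
"""
import copy
import fnmatch
import json

# Individual operations the "Allow use of the CMK" statement must cover
# (the page's ReEncrypt* and GenerateDataKey* wildcards expand to these).
REQUIRED_USE_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
)

# Constructed sample: the default key policy AWS KMS creates for a new CMK.
EXISTING_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "kms:*", "Resource": "*",
    }],
}
AUTOSCALING_SLR = ("arn:aws:iam::123456789012:role/aws-service-role/"
                   "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(stmt, principal_arn, action):
    """True if this Allow statement names the principal and an Action pattern matches."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    if principal != "*" and principal_arn not in _as_list(principal.get("AWS", [])):
        return False
    # fnmatch handles the "kms:ReEncrypt*" / "kms:*" wildcard forms used in key policies.
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))


def check_key_policy(policy, principal_arn):
    """Report missing use actions and the state of CreateGrant for the principal.

    create_grant is "ok" when CreateGrant is allowed under the GrantIsForAWSResource
    condition, "unconditional" when allowed without it (broader than needed), or "missing".
    """
    statements = policy["Statement"]
    missing = [a for a in REQUIRED_USE_ACTIONS
               if not any(_allows(s, principal_arn, a) for s in statements)]
    create_grant = "missing"
    for s in statements:
        if _allows(s, principal_arn, "kms:CreateGrant"):
            cond = s.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            create_grant = "ok" if str(cond).lower() == "true" else "unconditional"
            if create_grant == "ok":
                break
    return {"missing_actions": missing, "create_grant": create_grant}


def add_autoscaling_statements(policy, role_arn):
    """Return a copy of `policy` with the page's two statements appended.

    Existing statements are left untouched; a Sid collision raises rather than
    silently duplicating or overwriting a statement.
    """
    new_policy = copy.deepcopy(policy)
    additions = [
        {"Sid": "Allow use of the CMK", "Effect": "Allow",
         "Principal": {"AWS": [role_arn]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": [role_arn]},
         "Action": ["kms:CreateGrant"], "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]
    existing_sids = {s.get("Sid") for s in new_policy["Statement"]}
    for stmt in additions:
        if stmt["Sid"] in existing_sids:
            raise ValueError(f"key policy already has a statement with Sid {stmt['Sid']!r}")
    new_policy["Statement"].extend(additions)
    return new_policy


if __name__ == "__main__":
    print("before:", check_key_policy(EXISTING_KEY_POLICY, AUTOSCALING_SLR))
    updated = add_autoscaling_statements(EXISTING_KEY_POLICY, AUTOSCALING_SLR)
    print("after: ", check_key_policy(updated, AUTOSCALING_SLR))
    # Save this to a file and apply with:
    #   aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json
    print(json.dumps(updated, indent=2))
```

Run the checker against the live policy before and after the put-key-policy call; a result of "unconditional" for create_grant means the role can create grants for any grantee, which is more than Auto Scaling needs.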

Example: CMK Key Policy Sections That Allow Cross-Account Access to the CMK

If your customer managed CMK is in a different account than the Auto Scaling group, you must use a grant in combination with the key policy to allow access to the CMK. For more information, see Using Grants in the AWS Key Management Service Developer Guide.

First, add the following two policy statements to the CMK's key policy in the key-owning account, replacing the example account ID (111122223333) with the ID of the account that owns the Auto Scaling group. The GrantIsForAWSResource condition is deliberately omitted here so that an IAM user or role in that account can create the grant with the CLI command that follows.

{
  "Sid": "Allow use of the key in account 111122223333",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111122223333:root"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow attachment of persistent resources in account 111122223333",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111122223333:root"
    ]
  },
  "Action": [
    "kms:CreateGrant"
  ],
  "Resource": "*"
}

Then, from the external account, create a grant that delegates the relevant permissions to the appropriate service-linked role. The grantee-principal parameter of the grant is the ARN of the service-linked role, and the key-id parameter is the ARN of the CMK. The following example create-grant CLI command gives the service-linked role named AWSServiceRoleForAutoScaling in account 111122223333 permission to use the CMK in account 444455556666.

aws kms create-grant \
    --region us-west-2 \
    --key-id arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d \
    --grantee-principal arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling \
    --operations "Encrypt" "Decrypt" "ReEncryptFrom" "ReEncryptTo" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "DescribeKey" "CreateGrant"

For this command to succeed, the IAM user or role making the request must have permission for the kms:CreateGrant action on the CMK. The following example IAM policy, attached to that user or role in account 111122223333, allows it to create a grant for the CMK in account 444455556666.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreationOfGrant",
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d"
    }
  ]
}
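The cross-account setup spans three artifacts in two accounts (the key policy in 444455556666, the grant, and the grantor's IAM policy in 111122223333), and the usual failures are mismatched account IDs or a GrantIsForAWSResource condition copied over from the same-account example, which a CLI caller cannot satisfy. The following added example (not code from the AWS documentation) generates the three artifacts from the page's example values and cross-checks them offline; the grant is expressed as the keyword arguments for the boto3 kms.create_grant call so the same values can be applied without the CLI. The ARN parsing regex and the cross_account_problems checks are this example's own assumptions.

```python
"""Generate and cross-check the artifacts for cross-account CMK access.

Added example; not part of the AWS documentation. Account IDs, key ID and
region are the page's example values; the consistency checks are new.
"""
import json
import re

ARN_RE = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:(?P<account>\d{12}):.+$")

# Operations the grant must carry, matching the page's create-grant command.
GRANT_OPERATIONS = ["Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKey",
                    "GenerateDataKeyWithoutPlaintext", "DescribeKey", "CreateGrant"]

KEY_ARN = "arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d"
EXTERNAL_ACCOUNT = "111122223333"  # owns the Auto Scaling group
SLR_ARN = (f"arn:aws:iam::{EXTERNAL_ACCOUNT}:role/aws-service-role/"
           "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_account(arn):
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    return m.group("account")


def key_policy_statements(external_account):
    """The two statements for the key-owning account's key policy (no GrantIsForAWSResource)."""
    root = f"arn:aws:iam::{external_account}:root"
    return [
        {"Sid": f"Allow use of the key in account {external_account}", "Effect": "Allow",
         "Principal": {"AWS": [root]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": f"Allow attachment of persistent resources in account {external_account}",
         "Effect": "Allow", "Principal": {"AWS": [root]},
         "Action": ["kms:CreateGrant"], "Resource": "*"},
    ]


def create_grant_request(key_arn, grantee_arn):
    """Keyword arguments for boto3 kms.create_grant(); same values as the CLI command."""
    return {"KeyId": key_arn, "GranteePrincipal": grantee_arn, "Operations": list(GRANT_OPERATIONS)}


def grantor_iam_policy(key_arn):
    """IAM policy for the user or role in the external account that runs create-grant."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowCreationOfGrant", "Effect": "Allow",
         "Action": "kms:CreateGrant", "Resource": key_arn}]}


def cross_account_problems(key_statements, grant, iam_policy, autoscaling_account):
    """Return a list of inconsistencies between the three artifacts; empty means consistent."""
    problems = []
    key_account = arn_account(grant["KeyId"])
    grantee_account = arn_account(grant["GranteePrincipal"])
    if grantee_account != autoscaling_account:
        problems.append(f"grant names a role in {grantee_account}, not {autoscaling_account}")
    if key_account == grantee_account:
        problems.append("key and Auto Scaling group share an account; use the same-account statements")
    allowed = {arn_account(p) for s in key_statements for p in s["Principal"]["AWS"]}
    if grantee_account not in allowed:
        problems.append(f"key policy does not grant account {grantee_account} (grants {sorted(allowed)})")
    for s in key_statements:
        if "kms:CreateGrant" in _as_list(s["Action"]) and "Condition" in s:
            problems.append(f"{s['Sid']!r} conditions CreateGrant; a CLI caller cannot satisfy "
                            "kms:GrantIsForAWSResource")
    missing = sorted(set(GRANT_OPERATIONS) - set(grant["Operations"]))
    if missing:
        problems.append(f"grant lacks operations {missing}")
    if not any("kms:CreateGrant" in _as_list(st["Action"]) and grant["KeyId"] in _as_list(st["Resource"])
               for st in iam_policy["Statement"] if st.get("Effect") == "Allow"):
        problems.append("grantor's IAM policy does not allow kms:CreateGrant on this key")
    return problems


if __name__ == "__main__":
    stmts = key_policy_statements(EXTERNAL_ACCOUNT)
    grant = create_grant_request(KEY_ARN, SLR_ARN)
    policy = grantor_iam_policy(KEY_ARN)
    print(json.dumps({"key_policy_statements": stmts, "grant": grant, "iam_policy": policy}, indent=2))
    print("problems:", cross_account_problems(stmts, grant, policy, EXTERNAL_ACCOUNT))
```

Feed the generated statements into the key policy in the key-owning account (as in the same-account example, without altering existing statements), attach the IAM policy in the external account, then pass the grant dictionary to boto3's kms.create_grant from that account; an empty problems list before you apply them rules out the account-ID and condition mistakes that the troubleshooting section otherwise has to chase.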

If you have any problems configuring the cross-account access to a customer managed CMK that is required to launch an instance with an encrypted volume, see the troubleshooting section.

For more information, see Amazon EBS Encryption in the Amazon EC2 User Guide for Linux Instances and the AWS Key Management Service Developer Guide.