AWS Key Management Service
Developer Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Amazon EC2 Example Two

The following example shows an IAM user running an Amazon EC2 instance that mounts a data volume encrypted by using a default volume key. The action taken by the user generates multiple AWS KMS log records. Creating the encrypted volume generates a data key, and the Amazon EC2 service generates a grant, on behalf of the customer, that enables it to decrypt the data key. The instanceId, "i-81e2f56c", is referred to in the granteePrincipal field of the CreateGrant record as "123456789012:aws:ec2-infrastructure:i-81e2f56c" as well as in the identity of the principal calling Decrypt, "arn:aws:sts::123456789012:assumed-role/aws:ec2-infrastructure/i-81e2f56c". The key identified by the UUID "e29ddfd4-1bf6-4e1b-8ecb-08216bd70d07" is common across all three KMS calls.

{ "Records": [ { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T21:34:36Z" } }, "invokedBy": "signin.amazonaws.com" }, "eventTime": "2014-11-05T21:35:27Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "72.72.72.72", "userAgent": "signin.amazonaws.com", "requestParameters": { "instancesSet": { "items": [ { "imageId": "ami-b66ed3de", "minCount": 1, "maxCount": 1 } ] }, "groupSet": { "items": [ { "groupId": "sg-98b6e0f2" } ] }, "instanceType": "m3.medium", "blockDeviceMapping": { "items": [ { "deviceName": "/dev/xvda", "ebs": { "volumeSize": 8, "deleteOnTermination": true, "volumeType": "gp2" } }, { "deviceName": "/dev/sdb", "ebs": { "volumeSize": 8, "deleteOnTermination": false, "volumeType": "gp2", "encrypted": true } } ] }, "monitoring": { "enabled": false }, "disableApiTermination": false, "instanceInitiatedShutdownBehavior": "stop", "clientToken": "XdKUT141516171819", "ebsOptimized": false }, "responseElements": { "reservationId": "r-5ebc9f74", "ownerId": "123456789012", "groupSet": { "items": [ { "groupId": "sg-98b6e0f2", "groupName": "launch-wizard-2" } ] }, "instancesSet": { "items": [ { "instanceId": "i-81e2f56c", "imageId": "ami-b66ed3de", "instanceState": { "code": 0, "name": "pending" }, "amiLaunchIndex": 0, "productCodes": { }, "instanceType": "m3.medium", "launchTime": 1415223328000, "placement": { "availabilityZone": "us-east-1a", "tenancy": "default" }, "monitoring": { "state": "disabled" }, "stateReason": { "code": "pending", "message": "pending" }, "architecture": "x86_64", "rootDeviceType": "ebs", "rootDeviceName": "/dev/xvda", "blockDeviceMapping": { }, "virtualizationType": "hvm", "hypervisor": "xen", "clientToken": "XdKUT1415223327917", "groupSet": { "items": [ { "groupId": "sg-98b6e0f2", "groupName": "launch-wizard-2" } ] }, "networkInterfaceSet": { }, "ebsOptimized": false } ] } }, "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2", "eventID": "cd75a605-2fee-4fda-b847-9c3d330ebaae", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }, { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T21:34:36Z" } }, "invokedBy": "AWS Internal" }, "eventTime": "2014-11-05T21:35:35Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": { "constraints": { "encryptionContextSubset": { "aws:ebs:id": "vol-f67bafb2" } }, "granteePrincipal": "123456789012:aws:ec2-infrastructure:i-81e2f56c", "keyId": "arn:aws:kms:us-east-1:123456789012:key/e29ddfd4-1bf6-4e1b-8ecb-08216bd70d07" }, "responseElements": { "grantId": "6caf442b4ff8a27511fb6de3e12cc5342f5382112adf75c1a91dbd221ec356fe" }, "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2", "eventID": "c1ad79e3-0d3f-402a-b119-d5c31d7c6a6c", "readOnly": false, "resources": [ { "ARN": "arn:aws:kms:us-east-1:123456789012:key/e29ddfd4-1bf6-4e1b-8ecb-08216bd70d07", "accountId": "123456789012" } ], "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }, { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T21:34:36Z" } }, "invokedBy": "AWS Internal" }, "eventTime": "2014-11-05T21:35:32Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKeyWithoutPlaintext", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": { "encryptionContext": { "aws:ebs:id": "vol-f67bafb2" }, "numberOfBytes": 64, "keyId": "alias/aws/ebs" }, "responseElements": null, "requestID": "create-123456789012-758247346-1415223332", "eventID": "ac3cab10-ce93-4953-9d62-0b6e5cba651d", "readOnly": true, "resources": [ { "ARN": "arn:aws:kms:us-east-1:123456789012:key/e29ddfd4-1bf6-4e1b-8ecb-08216bd70d07", "accountId": "123456789012" } ], "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }, { "eventVersion": "1.02", "userIdentity": { "type": "AssumedRole", "principalId": "123456789012:aws:ec2-infrastructure:i-81e2f56c", "arn": "arn:aws:sts::123456789012:assumed-role/aws:ec2-infrastructure/i-81e2f56c", "accountId": "123456789012", "accessKeyId": "", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T21:35:38Z" }, "sessionIssuer": { "type": "Role", "principalId": "123456789012:aws:ec2-infrastructure", "arn": "arn:aws:iam::123456789012:role/aws:ec2-infrastructure", "accountId": "123456789012", "userName": "aws:ec2-infrastructure" } } }, "eventTime": "2014-11-05T21:35:47Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-east-1", "sourceIPAddress": "172.172.172.172", "requestParameters": { "encryptionContext": { "aws:ebs:id": "vol-f67bafb2" } }, "responseElements": null, "requestID": "b4b27883-6533-11e4-b4d9-751f1761e9e5", "eventID": "edb65380-0a3e-4123-bbc8-3d1b7cff49b0", "readOnly": true, "resources": [ { "ARN": "arn:aws:kms:us-east-1:123456789012:key/e29ddfd4-1bf6-4e1b-8ecb-08216bd70d07", "accountId": "123456789012" } ], "eventType": "AwsApiCall", "recipientAccountId": "123456789012" } ] }