Summary Prerequisites and limitations Architecture Tools Epics Related resources Additional information

Create an AWS Cloud9 IDE that uses Amazon EBS volumes with default encryption

Created by Janardhan Malyala (AWS) and Dhrubajyoti Mukherjee (AWS)

Environment: Production	Technologies: Operations	Workload: All other workloads
AWS services: AWS Cloud9; AWS KMS

Summary

You can use encryption by default to enforce the encryption of your Amazon Elastic Block Store (Amazon EBS) volumes and snapshot copies on the Amazon Web Services (AWS) Cloud.

You can create an AWS Cloud9 integrated development environment (IDE) that uses EBS volumes encrypted by default. However, the AWS Identity and Access Management (IAM) service-linked role for AWS Cloud9 requires access to the AWS Key Management Service (AWS KMS) key for these EBS volumes. If access is not provided, the AWS Cloud9 IDE might fail to launch and debugging might be difficult.

This pattern provides the steps to add the service-linked role for AWS Cloud9 to the AWS KMS key that is used by your EBS volumes. The setup described by this pattern helps you successfully create and launch an IDE that uses EBS volumes with encryption by default.

Prerequisites and limitations

Prerequisites

An active AWS account.
Default encryption turned on for EBS volumes. For more information about encryption by default, see Amazon EBS encryption in the Amazon Elastic Compute Cloud (Amazon EC2) documentation.
An existing customer managed KMS key for encrypting your EBS volumes.

Note: You don't need to create the service-linked role for AWS Cloud9. When you create an AWS Cloud9 development environment, AWS Cloud9 creates the service-linked role for you.

Architecture

Technology stack

AWS Cloud9
IAM
AWS KMS

Tools

AWS Cloud9 is an integrated development environment (IDE) that helps you code, build, run, test, and debug software. It also helps you release software to the AWS Cloud.
Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with Amazon Elastic Compute Cloud (Amazon EC2) instances.
AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.
AWS Key Management Service (AWS KMS) helps you create and control cryptographic keys to help protect your data.

Epics

Task	Description	Skills required
Record the default encryption key value for the EBS volumes.	Sign in to the AWS Management Console and open the Amazon EC2 console. Choose EC2 dashboard, and then choose Data protection and security in Account attributes. In EBS encryption section, copy and record the value in Default encryption key.	Cloud architect, DevOps engineer

Task Description Skills required

Task	Description	Skills required
Provide AWS Cloud9 with access to the KMS key for EBS volumes.	Open the AWS KMS console, and then choose Customer managed keys. Select the AWS KMS key used for Amazon EBS encryption, and then choose View key. On the Key policy tab, confirm that you can see the text form of the key policy. If you cannot see the text form, choose Switch to policy view. Choose Edit. Add the code in the Additional information section to the policy, and then choose Save changes. The policy changes permit the service-linked role for AWS Cloud9, `AWSServiceRoleForAWSCloud9`, to access the key. For more information about updating a key policy, see How to change a key policy (AWS KMS documentation). Important: The service-linked role for AWS Cloud9 is automatically created when you launch your first IDE. For more information, see Creating a service-linked role in the AWS Cloud9 documentation.	Cloud architect, DevOps engineer

Provide AWS Cloud9 with access to the KMS key for EBS volumes.

Open the AWS KMS console, and then choose Customer managed keys. Select the AWS KMS key used for Amazon EBS encryption, and then choose View key.
On the Key policy tab, confirm that you can see the text form of the key policy. If you cannot see the text form, choose Switch to policy view.
Choose Edit. Add the code in the Additional information section to the policy, and then choose Save changes. The policy changes permit the service-linked role for AWS Cloud9, AWSServiceRoleForAWSCloud9, to access the key.

For more information about updating a key policy, see How to change a key policy (AWS KMS documentation).

Important: The service-linked role for AWS Cloud9 is automatically created when you launch your first IDE. For more information, see Creating a service-linked role in the AWS Cloud9 documentation.

Cloud architect, DevOps engineer

Task	Description	Skills required
Create and launch the AWS Cloud9 IDE.	Open the AWS Cloud9 console and choose Create environment. Configure IDE according to your requirements by following the steps from Creating an EC2 environment in the AWS Cloud9 documentation.	Cloud architect, DevOps engineer

Related resources

Additional information

AWS KMS key policy updates

Replace <aws_accountid> with your AWS account ID.


{
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<aws_accountid>:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<aws_accountid>:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }

Using a cross-account key

If you want to use a cross-account KMS key, you must use a grant in combination with the KMS key policy. This enables cross-account access to the key. In the same account that you used to create the Cloud9 environment, run the following command in the terminal.


aws kms create-grant \
 --region <Region where Cloud9 environment is created> \
 --key-id <The cross-account KMS key ARN> \
 --grantee-principal arn:aws:iam::<The account where Cloud9 environment is created>:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9 \
 --operations "Encrypt" "Decrypt" "ReEncryptFrom" "ReEncryptTo" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "DescribeKey" "CreateGrant"

After you run this command, you can create Cloud9 environments by using EBS encryption with a key in a different account.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create a RACI matrix for cloud operations

Create tag-based CloudWatch dashboards automatically