Create an AWS Cloud9 IDE that uses Amazon EBS volumes with default encryption - AWS Prescriptive Guidance

Create an AWS Cloud9 IDE that uses Amazon EBS volumes with default encryption

Created by Janardhan Malyala (AWS)

Environment: Production

Technologies: Operations

Workload: All other workloads

AWS services: AWS Cloud9; AWS KMS

Summary

You can use encryption by default to enforce the encryption of your Amazon Elastic Block Store (Amazon EBS) volumes and snapshot copies on the Amazon Web Services (AWS) Cloud. 

You can create an AWS Cloud9 integrated development environment (IDE) that uses EBS volumes encrypted by default. However, the AWS Identity and Access Management (IAM) service-linked role for AWS Cloud9 requires access to the AWS Key Management Service (AWS KMS) key for these EBS volumes. If access is not provided, the AWS Cloud9 IDE might fail to launch and debugging might be difficult. 

This pattern provides the steps to add the service-linked role for AWS Cloud9 to the AWS KMS key that is used by your EBS volumes. The setup described by this pattern helps you successfully create and launch an IDE that uses EBS volumes with encryption by default.

Prerequisites and limitations

Prerequisites  

  • An active AWS account.

  • Default encryption turned on for EBS volumes. For more information about encryption by default, see Amazon EBS encryption in the Amazon Elastic Compute Cloud (Amazon EC2) documentation.

  • An existing customer managed KMS key for encrypting your EBS volumes.

Architecture

Technology stack

  • AWS Cloud9

  • IAM

  • AWS KMS

Tools

  • AWS Cloud9 – AWS Cloud9 is a cloud-based IDE that you use to write, run, and debug code.

  • Amazon EBS – Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with EC2 instances.

  • AWS KMS – AWS Key Management Service (AWS KMS) is an encryption and key management service.

  • AWS Identity and Access Management (IAM) – IAM is a web service that helps you securely control access to AWS resources.

Epics

Task: Record the default encryption key value for the EBS volumes.

Description: Sign in to the AWS Management Console and open the Amazon EC2 console. Choose EC2 dashboard, and then choose EBS encryption in Account attributes. Copy and record the value in Default encryption key.

Skills required: Cloud architect, DevOps engineer

Task: Provide AWS Cloud9 with access to the KMS key for EBS volumes.

Description:

  1. Open the AWS KMS console, and then choose Customer managed keys. Select the AWS KMS key used for Amazon EBS encryption (the key you recorded in the previous task), and then choose View key.

  2. On the Key policy tab, confirm that you can see the text form of the key policy. If you cannot see the text form, choose Switch to policy view.

  3. Choose Edit. Add the code in the Additional information section to the policy, and then choose Save changes. The policy changes permit the service-linked role for AWS Cloud9, AWSServiceRoleForAWSCloud9, to access the key.

For more information about updating a key policy, see How to change a key policy (AWS KMS documentation).

Important: The service-linked role for AWS Cloud9 is automatically created when you launch your first IDE. For more information, see Creating a service-linked role in the AWS Cloud9 documentation.

Skills required: Cloud architect, DevOps engineer

Task: Create and launch the AWS Cloud9 IDE.

Description: Open the AWS Cloud9 console and choose Create environment. Configure the IDE according to your requirements by following the steps in Creating an EC2 environment in the AWS Cloud9 documentation.

Skills required: Cloud architect, DevOps engineer

Additional information

AWS KMS key policy updates

Add the following two statements to the Statement array of the existing key policy, keeping the statements that are already there. Replace <aws_accountid> with your AWS account ID.

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<aws_accountid>:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<aws_accountid>:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9"
    },
    "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": "true"
        }
    }
}
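As an added example that is not part of this pattern and not an AWS tool, the following Python merges the two statements above into an existing key policy without disturbing the statements already in it, and checks that every action the pattern requires is covered for the AWS Cloud9 service-linked role. It operates on the policy document as text, so the input can be the output of `aws kms get-key-policy --key-id <key> --policy-name default --output text` and the result can be passed to `aws kms put-key-policy`; the sample policy and account ID 111122223333 are constructed.

```python
import fnmatch
import json

# Service-linked role ARN from the pattern; the caller supplies the account ID.
CLOUD9_SLR = ("arn:aws:iam::{account}:role/aws-service-role/"
              "cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9")
# The actions granted by the two statements in the Additional information section.
REQUIRED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                    "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]

def _as_list(value):
    """IAM accepts a single string or object wherever it accepts a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def cloud9_statements(account_id):
    """The two statements from the pattern with the account ID filled in."""
    principal = {"AWS": CLOUD9_SLR.format(account=account_id)}
    return [
        {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": principal,
         "Action": REQUIRED_ACTIONS[:5], "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": principal, "Action": REQUIRED_ACTIONS[5:], "Resource": "*",
         # Grants may only be created on behalf of an AWS service (here Amazon EBS).
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]

def add_cloud9_access(policy_json, account_id):
    """Return the key policy with the Cloud9 statements appended; Sids already present are skipped."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    present = {s.get("Sid") for s in statements}
    statements += [s for s in cloud9_statements(account_id) if s["Sid"] not in present]
    policy["Statement"] = statements
    return json.dumps(policy, indent=4)

def missing_cloud9_actions(policy_json, account_id):
    """Required actions no Allow statement for the Cloud9 role covers; Deny statements and conditions are ignored."""
    role_arn = CLOUD9_SLR.format(account=account_id)
    granted = []
    for s in _as_list(json.loads(policy_json).get("Statement")):
        principal = s.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if s.get("Effect") == "Allow" and role_arn in aws:
            granted += _as_list(s.get("Action"))
    return [a for a in REQUIRED_ACTIONS if not any(fnmatch.fnmatchcase(a, g) for g in granted)]

# Constructed sample: the default key policy, which grants only the account root (example account ID).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"}]})
```

Running `missing_cloud9_actions` before and after `add_cloud9_access` on the sample policy reports all eight actions missing first and an empty list afterwards, and applying the merge a second time leaves the policy unchanged.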