Security - Instance Scheduler on AWS

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared responsibility model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.

AWS KMS

The solution creates a customer managed AWS KMS key, which is used to configure server-side encryption for the SNS topic and the DynamoDB tables.

Amazon IAM

The solution's Lambda function requires permissions to start and stop both EC2 instances and RDS DB instances, to modify instance attributes, and to update tags on those instances. All of the necessary permissions are granted to the Lambda service role that is created as part of the solution template.

Additionally, the Lambda service role can get and put Systems Manager parameters, access CloudWatch log groups, encrypt and decrypt with the solution's AWS KMS key, and publish messages to SNS topics. For the exact permissions granted to the service role, refer to the CloudFormation templates.

Encrypted EC2 EBS Volumes

When scheduling EC2 instances with attached EBS volumes encrypted by AWS KMS, you must grant Instance Scheduler on AWS permission to use the associated AWS KMS key(s). This allows Amazon EC2 to decrypt the attached EBS volumes when the solution starts the instance. The permission must be granted to the scheduling role in the same account as the EC2 instance(s) that use the key.

To grant permission to use an AWS KMS key with Instance Scheduler on AWS, add the AWS KMS key's ARN to the Instance Scheduler on AWS stack (hub or spoke) in the same account as the EC2 instance(s) using the key(s):

KMS Key Arns for EC2


This will automatically generate the following policy and add it to the scheduling role for that account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": [
        "Your-KMS-ARNs-Here"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": "ec2.*.amazonaws.com"
        },
        "Null": {
          "kms:EncryptionContextKeys": "false",
          "kms:GrantOperations": "false"
        },
        "ForAllValues:StringEquals": {
          "kms:EncryptionContextKeys": [
            "aws:ebs:id"
          ],
          "kms:GrantOperations": [
            "Decrypt"
          ]
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

Note that the statement allows only kms:CreateGrant, and the conditions confine that grant to what starting an instance needs: the call must come through the EC2 service (kms:ViaService), the grant must be for an AWS resource rather than an arbitrary principal (kms:GrantIsForAWSResource), the only permitted grant operation is Decrypt, and the encryption context must be an EBS volume ID (aws:ebs:id). The Null conditions ensure those context and operation keys are actually present, so a grant request that omits them is denied rather than matched by the ForAllValues checks. The scheduling role cannot itself call kms:Decrypt on the key; it can only let EC2 create a narrowly scoped grant on its behalf.
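The following Python script is an added example for the procedure above; it is not code from the Instance Scheduler on AWS solution or its CloudFormation templates. It works out which AWS KMS key ARNs you need to add to the KMS Key Arns for EC2 parameter by looking at the EBS volumes attached to the instances you intend to schedule, renders the kms:CreateGrant statement shown above for those ARNs, and includes a review check for a hand-maintained copy of that statement (for example, one applied to a role outside the stack) so that it has not been loosened to a wildcard resource or a broader action. The volume records are constructed to imitate the shape of boto3's ec2.describe_volumes() response; the account ID, key IDs and instance IDs are placeholders, not real resources.

```python
"""Find the KMS key ARNs behind scheduled instances' EBS volumes and render
the kms:CreateGrant statement from the Instance Scheduler guide for them.
Added example; SAMPLE_VOLUMES, the IDs and the account number are constructed."""
import copy
import json
import re

# Placeholder identifiers (not real resources).
INSTANCE_A = "i-0aaaaaaaaaaaaaaaa"
INSTANCE_B = "i-0bbbbbbbbbbbbbbbb"
INSTANCE_C = "i-0cccccccccccccccc"
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222"

# Constructed sample in the shape of describe_volumes()["Volumes"]: two volumes
# on KEY_A, one on KEY_B, and one unencrypted volume that needs no permission.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True, "KmsKeyId": KEY_A,
     "Attachments": [{"InstanceId": INSTANCE_A}]},
    {"VolumeId": "vol-0a2", "Encrypted": True, "KmsKeyId": KEY_A,
     "Attachments": [{"InstanceId": INSTANCE_B}]},
    {"VolumeId": "vol-0a3", "Encrypted": True, "KmsKeyId": KEY_B,
     "Attachments": [{"InstanceId": INSTANCE_B}]},
    {"VolumeId": "vol-0a4", "Encrypted": False,
     "Attachments": [{"InstanceId": INSTANCE_C}]},
]

# Full KMS key ARN (not a bare key ID or an alias ARN), which is what the
# stack parameter asks for.
KMS_KEY_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

# The condition block from the guide's generated policy, reproduced verbatim.
EC2_GRANT_CONDITION = {
    "StringLike": {"kms:ViaService": "ec2.*.amazonaws.com"},
    "Null": {"kms:EncryptionContextKeys": "false", "kms:GrantOperations": "false"},
    "ForAllValues:StringEquals": {
        "kms:EncryptionContextKeys": ["aws:ebs:id"],
        "kms:GrantOperations": ["Decrypt"],
    },
    "Bool": {"kms:GrantIsForAWSResource": "true"},
}


def kms_key_arns_for_instances(volumes, instance_ids):
    """Sorted, de-duplicated KMS key ARNs encrypting any volume attached to one
    of instance_ids. Unencrypted volumes are skipped."""
    wanted = set(instance_ids)
    arns = set()
    for vol in volumes:
        if not vol.get("Encrypted"):
            continue
        attached = {a["InstanceId"] for a in vol.get("Attachments", [])}
        if attached & wanted:
            arns.add(vol["KmsKeyId"])
    return sorted(arns)


def invalid_key_arns(key_arns):
    """Entries that are not full KMS key ARNs and must be fixed before they are
    pasted into the stack parameter."""
    return [a for a in key_arns if not KMS_KEY_ARN.match(a)]


def create_grant_policy(key_arns):
    """Render the policy document the guide shows, scoped to key_arns."""
    if not key_arns:
        raise ValueError("no key ARNs supplied; nothing to grant")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": list(key_arns),
            "Condition": copy.deepcopy(EC2_GRANT_CONDITION),
        }],
    }


def grant_statement_is_tight(statement):
    """Review check: True only if the statement grants nothing beyond the guide's
    version: kms:CreateGrant alone, on named key ARNs (no "*"), with every
    condition intact."""
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else list(actions)
    if actions != ["kms:CreateGrant"]:
        return False
    resources = statement.get("Resource", [])
    resources = [resources] if isinstance(resources, str) else list(resources)
    if not resources or any(not KMS_KEY_ARN.match(r) for r in resources):
        return False
    return statement.get("Condition") == EC2_GRANT_CONDITION


if __name__ == "__main__":
    arns = kms_key_arns_for_instances(SAMPLE_VOLUMES, [INSTANCE_A, INSTANCE_B, INSTANCE_C])
    print("Add to the KMS Key Arns for EC2 parameter:", *arns, sep="\n  ")
    print(json.dumps(create_grant_policy(arns), indent=2))
    # With live data instead of SAMPLE_VOLUMES (boto3, credentials required):
    #   pages = boto3.client("ec2").get_paginator("describe_volumes").paginate(
    #       Filters=[{"Name": "attachment.instance-id", "Values": instance_ids}])
    #   volumes = [v for page in pages for v in page["Volumes"]]
```

Run it as-is to see the two placeholder ARNs and the rendered policy; swap SAMPLE_VOLUMES for the live describe_volumes output (the commented boto3 call) to audit a real account. Remember that the key may live in another account; what must be in the same account as the instances is the stack whose scheduling role receives this statement.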