AWS Ops Automator

Appendix C: Configuring Keys for Encrypting Snapshots

The AWS Ops Automator allows you to use AWS Key Management Service (AWS KMS) to encrypt the snapshot copies this solution creates. By default the solution uses the default customer master key (CMK) for Amazon Elastic Block Store when copying snapshots, but you can specify an alternate CMK. If you specify an alternate CMK, it must exist in the same AWS Region that the snapshot is copied to. Also, the account or role that the AWS Ops Automator uses, or the applicable cross-account role, must have permission to use the key to encrypt copied snapshots.

Encrypting Snapshots in the Primary Account

Use this procedure to configure your CMK to encrypt snapshots in the primary account where the AWS Ops Automator stack is deployed.

  1. Sign into the AWS Management Console and open the AWS Identity and Access Management (IAM) console.

  2. In the left navigation pane, select Encryption keys.

  3. Choose the destination AWS Region for your copied snapshots.

  4. Verify that the desired key exists in the region. If the key does not exist in that region, create a key.

  5. Add a key policy to the key to allow the AWS Ops Automator’s IAM role to use the key to encrypt snapshots. The name of the role is <stackname>-SchedulerRole-<id>.

Encrypting Snapshots in Secondary Accounts

Use this procedure to configure your CMK to encrypt snapshots in one or more secondary accounts.

  1. Sign into the AWS Management Console and open the AWS Identity and Access Management (IAM) console.

  2. In the left navigation pane, select Encryption keys.

  3. Choose the destination AWS Region for your copied snapshots.

  4. Verify that the desired key exists in the region. If the key does not exist in that region, create a key.

  5. Add a key policy to the key to allow the copy snapshot cross-account role in the secondary account to use the key to encrypt snapshots.

  6. In each secondary account, add the permission to use the key to the cross-account role that allows the primary account to execute the copy snapshot task in the secondary account.

    1. Navigate to the IAM console.

    2. Choose the cross-account role that allows the primary account to execute the copy snapshot task in the secondary account. For more information, see Step 3.

    3. Edit the cross-account role’s policy. Specify the key’s Amazon Resource Name and the permitted actions. For more information, see Sharing Custom Encryption Keys More Securely Between Accounts by Using AWS Key Management Service.
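The key policy in step 5 of both procedures and the cross-account role policy in step 6.3 are easy to get wrong in either direction: too narrow and the copy task fails, too broad and the key becomes usable for unrelated purposes. The following example, added to this appendix and not part of the AWS Ops Automator solution, builds the two policy documents for a given principal and then checks a key policy for the actions a snapshot copy needs. Account IDs, the Region, the key ID and the role names are constructed placeholders; substitute your own `<stackname>-SchedulerRole-<id>` name (primary account) or cross-account role name (secondary account).

```python
"""Build and check KMS key policies for Ops Automator snapshot-copy roles.

Added example, not solution code. All identifiers below are constructed
placeholders; replace them with the values from your own accounts.
"""
import json

PRIMARY_ACCOUNT = "111111111111"          # placeholder
SECONDARY_ACCOUNT = "222222222222"        # placeholder
REGION = "us-east-1"                      # destination Region of the copied snapshots
KEY_ID = "11111111-2222-3333-4444-555555555555"  # placeholder CMK id
KEY_ARN = f"arn:aws:kms:{REGION}:{SECONDARY_ACCOUNT}:key/{KEY_ID}"
# Primary-account role, named <stackname>-SchedulerRole-<id> by the stack.
SCHEDULER_ROLE_ARN = f"arn:aws:iam::{PRIMARY_ACCOUNT}:role/OpsAutomator-SchedulerRole-ABC123"
# Cross-account role in the secondary account (name is a placeholder).
CROSS_ACCOUNT_ROLE_ARN = f"arn:aws:iam::{SECONDARY_ACCOUNT}:role/OpsAutomatorCrossAccountRole"

# KMS actions EBS needs to encrypt a copied snapshot with this key.
ENCRYPT_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
# EBS attaches the key to the snapshot through a grant, so CreateGrant is
# needed too, restricted to grants made on behalf of an AWS service.
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
GRANT_CONDITION = {"Bool": {"kms:GrantIsForAWSResource": "true"}}


def build_key_policy(key_account, principal_arn, label):
    """Key policy for step 5: root keeps administration, the role gets use-only rights."""
    return {
        "Version": "2012-10-17",
        "Id": "ops-automator-snapshot-key-policy",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{key_account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": f"Allow {label} to use the key", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": ENCRYPT_ACTIONS, "Resource": "*"},   # "*" in a key policy = this key only
            {"Sid": f"Allow {label} to create grants for AWS resources", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": GRANT_ACTIONS, "Resource": "*", "Condition": GRANT_CONDITION},
        ],
    }


def cross_account_role_policy(key_arn):
    """Identity policy for the cross-account role (step 6.3), scoped to one key ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ENCRYPT_ACTIONS, "Resource": key_arn},
            {"Effect": "Allow", "Action": GRANT_ACTIONS, "Resource": key_arn,
             "Condition": GRANT_CONDITION},
        ],
    }


def _action_matches(pattern, action):
    """IAM-style trailing wildcard, e.g. kms:ReEncrypt* covers kms:ReEncryptFrom."""
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return action.lower() == pattern.lower()


def policy_allows(policy, principal_arn, action):
    """True if an Allow statement names the principal explicitly and covers the action."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principals = st.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if principal_arn not in principals:
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(_action_matches(p, action) for p in actions):
            return True
    return False


def missing_permissions(policy, principal_arn):
    """Concrete actions a snapshot copy exercises that the policy does not grant the role."""
    needed = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
              "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
              "kms:DescribeKey", "kms:CreateGrant"]
    return [a for a in needed if not policy_allows(policy, principal_arn, a)]


if __name__ == "__main__":
    policy = build_key_policy(SECONDARY_ACCOUNT, CROSS_ACCOUNT_ROLE_ARN, "copy snapshot cross-account role")
    print(json.dumps(policy, indent=2))
    print("missing for cross-account role:", missing_permissions(policy, CROSS_ACCOUNT_ROLE_ARN))
    print("missing for scheduler role:", missing_permissions(policy, SCHEDULER_ROLE_ARN))
```

For the primary account, call `build_key_policy(PRIMARY_ACCOUNT, SCHEDULER_ROLE_ARN, ...)` instead. The check function deliberately ignores the account-root statement: `kms:*` for root only delegates to IAM policies in that account, so a role from another account is covered only when the key policy names its ARN directly, which is exactly the condition this appendix is about.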