- Knowledge Base
- Amazon Web Services
- Default Key Usage
Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.
Risk Level: Medium (should be achieved)
Ensure that your AWS cloud services and resources are using customer-provided Customer Master Keys (CMKs) instead of default (AWS-managed) keys, in order to have full control over data encryption and decryption process, and meet compliance requirements. The default master keys are used by AWS cloud services such as RDS, EBS, Lambda, Elastic Transcoder, Redshift, SES, SQS, CloudWatch, EFS, S3 or Workspaces when no other key is defined to encrypt a resource for those services. The default key can't be modified to ensure its availability, durability, and security.
Security
When you use your own Amazon KMS Customer Master Keys (CMKs) to protect your cloud data, you have complete control over who can use the master keys to access your data, implementing the Principle of Least Privilege (POLP) on encryption key ownership and usage. Amazon KMS service allows you to easily create, rotate, disable, and audit customer-provided Customer Master Keys (CMKs) for your cloud data.
Note: As an example, this conformity rule demonstrates how customer-provided Customer Master Keys (CMKs) can be used to encrypt Amazon EBS volumes instead of default (AWS-managed) keys.
Audit
To determine if the default Amazon KMS keys are used to encrypt EBS volumes within your AWS account, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.
03 In the navigation panel, under Elastic Block Store, choose Volumes.
04 Click inside the Filter by tags and attributes or search by keyword box, choose Encryption and select Encrypted. The Amazon EC2 console will list only the EBS volumes that are currently encrypted.
05 Select the encrypted Amazon EBS volume that you want to examine.
06 Choose the Description tab from the console bottom panel and check the KMS Key Aliases attribute value. If the KMS Key Aliases value is set to aws/ebs, the selected Amazon EBS volume is encrypted using the default master key created by Amazon KMS within the current AWS region. This key is managed by AWS and is implemented by default when you don't specify a customer-provided Customer Master Key at volume creation.
07 Repeat steps no. 5 and 6 for each encrypted Amazon EBS volume available in the current AWS region.
08 Change the AWS cloud region from the navigation bar to perform the Audit process for other regions.
Using AWS CLI
01 Run describe-volumes command (OSX/Linux/UNIX) with custom query filters to describe the ID of each encrypted Amazon EBS volume provisioned in the selected AWS cloud region:
aws ec2 describe-volumes --region us-east-1 --filters Name=encrypted,Values=true --query 'Volumes[*].VolumeId'
02 The command output should return the requested volume ID(s):
["vol-0abcd1234abcd1234","vol-01234abcd1234abcd"]
03 Execute describe-volumes command (OSX/Linux/UNIX) using the ID of the encrypted EBS volume that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the master key used to encrypt the selected volume:
aws ec2 describe-volumes --region us-east-1 --volume-ids vol-0abcd1234abcd1234 --query 'Volumes[*].KmsKeyId'
04 The command output should return the requested Amazon Resource Name (ARN):
["arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"]
05 Run describe-key command (OSX/Linux/UNIX) using the ARN of the master key returned at the previous step as the identifier parameter and custom query filters to describe manager of the specified KMS key:
aws kms describe-key --region us-east-1 --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd --query 'KeyMetadata.KeyManager'
06 The command output should the master key manager ("AWS" if the master key is AWS-managed – default key, and "CUSTOMER" if the key is customer-provided):
"AWS"
If the describe-key command output returns "AWS", as shown in the example above, the selected Amazon EBS volume is encrypted using the default master key created by Amazon KMS service in the selected AWS region. This key is managed by AWS and is implemented by default when you don't specify a customer-provided Customer Master Key at volume creation.
07 Repeat steps no. 3 – 6 for each encrypted Amazon EBS volume available in the selected AWS region.
08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
Remediation / Resolution
To use customer-provided Amazon KMS Customer Master Keys (CMKs) instead of default (AWS-managed) master keys to encrypt your EBS volumes, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{"AWSTemplateFormatVersion": "2010-09-09","Resources": {"KMSKEY": {"Type": "AWS::KMS::Key","Properties": {"Enabled": true,"KeySpec": "SYMMETRIC_DEFAULT","KeyUsage": "ENCRYPT_DECRYPT","Description": "Symmetric Amazon KMS Customer Master Key","KeyPolicy": {"Version": "2012-10-17","Statement": [{"Sid": "Enable IAM User Permissions","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::123456789012:root"},"Action": "kms:*","Resource": "*"},{"Sid": "Allow access for Key Administrators","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"},"Action": ["kms:Create*","kms:Describe*","kms:Enable*","kms:List*","kms:Put*","kms:Update*","kms:Revoke*","kms:Disable*","kms:Get*","kms:Delete*","kms:TagResource","kms:UntagResource","kms:ScheduleKeyDeletion","kms:CancelKeyDeletion"],"Resource": "*"},{"Sid": "Allow use of the key","Effect": "Allow","Principal": {"AWS": ["arn:aws:iam::123456789012:user/cloud-resource-manager"]},"Action": ["kms:Encrypt","kms:Decrypt","kms:ReEncrypt*","kms:GenerateDataKey*","kms:DescribeKey"],"Resource": "*"},{"Sid": "Allow attachment of persistent resources","Effect": "Allow","Principal": {"AWS": ["arn:aws:iam::123456789012:user/cloud-resource-manager"]},"Action": ["kms:CreateGrant","kms:ListGrants","kms:RevokeGrant"],"Resource": "*","Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}}},"KMSKEYAlias": {"Type": "AWS::KMS::Alias","Properties": {"AliasName": "alias/EBSVolumeCMK","TargetKeyId": {"Ref": "KMSKEY"}}},"EBSVolumeSnapshot": {"Type": "AWS::EC2::Snapshot","Properties": {"VolumeId": "vol-0abcd1234abcd1234"}},"EBSSnapshotCopy": {"Type": "AWS::EC2::Snapshot","Properties": {"SnapshotId": {"Ref": "EBSVolumeSnapshot"},"Encrypted": true}},"EncryptedEBSVolume": {"Type": "AWS::EC2::Volume","Properties": {"SnapshotId": {"Ref": "EBSSnapshotCopy"},"AvailabilityZone": "us-east-1b","Encrypted": true,"KmsKeyId": {"Ref": "KMSKEY"}}}}} 02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'Resources:KMSKEY:Type: AWS::KMS::KeyProperties:Enabled: trueKeySpec: SYMMETRIC_DEFAULTKeyUsage: ENCRYPT_DECRYPTDescription: Symmetric Amazon KMS Customer Master KeyKeyPolicy:Version: '2012-10-17'Statement:- Sid: Enable IAM User PermissionsEffect: AllowPrincipal:AWS: arn:aws:iam::123456789012:rootAction: kms:*Resource: '*'- Sid: Allow access for Key AdministratorsEffect: AllowPrincipal:AWS: arn:aws:iam::123456789012:user/kms-key-adminAction:- kms:Create*- kms:Describe*- kms:Enable*- kms:List*- kms:Put*- kms:Update*- kms:Revoke*- kms:Disable*- kms:Get*- kms:Delete*- kms:TagResource- kms:UntagResource- kms:ScheduleKeyDeletion- kms:CancelKeyDeletionResource: '*'- Sid: Allow use of the keyEffect: AllowPrincipal:AWS:- arn:aws:iam::123456789012:user/cloud-resource-managerAction:- kms:Encrypt- kms:Decrypt- kms:ReEncrypt*- kms:GenerateDataKey*- kms:DescribeKeyResource: '*'- Sid: Allow attachment of persistent resourcesEffect: AllowPrincipal:AWS:- arn:aws:iam::123456789012:user/cloud-resource-managerAction:- kms:CreateGrant- kms:ListGrants- kms:RevokeGrantResource: '*'Condition:Bool:kms:GrantIsForAWSResource: 'true'KMSKEYAlias:Type: AWS::KMS::AliasProperties:AliasName: alias/EBSVolumeCMKTargetKeyId: !Ref 'KMSKEY'EBSVolumeSnapshot:Type: AWS::EC2::SnapshotProperties:VolumeId: vol-0abcd1234abcd1234EBSSnapshotCopy:Type: AWS::EC2::SnapshotProperties:SnapshotId: !Ref 'EBSVolumeSnapshot'Encrypted: trueEncryptedEBSVolume:Type: AWS::EC2::VolumeProperties:SnapshotId: !Ref 'EBSSnapshotCopy'AvailabilityZone: us-east-1bEncrypted: trueKmsKeyId: !Ref 'KMSKEY'
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {required_providers {aws = {source = "hashicorp/aws"version = "~> 4.0"}}required_version = ">= 0.14.9"}provider "aws" {profile = "default"region = "us-east-1"}resource "aws_kms_key" "kms-key" {is_enabled = truecustomer_master_key_spec = "SYMMETRIC_DEFAULT"key_usage = "ENCRYPT_DECRYPT"description = "Symmetric Amazon KMS Customer Master Key"policy = <<EOF{"Version": "2012-10-17","Statement": [{"Sid": "Enable IAM User Permissions","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::123456789012:root"},"Action": "kms:*","Resource": "*"},{"Sid": "Allow access for Key Administrators","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"},"Action": ["kms:Create*","kms:Describe*","kms:Enable*","kms:List*","kms:Put*","kms:Update*","kms:Revoke*","kms:Disable*","kms:Get*","kms:Delete*","kms:TagResource","kms:UntagResource","kms:ScheduleKeyDeletion","kms:CancelKeyDeletion"],"Resource": "*"},{"Sid": "Allow use of the key","Effect": "Allow","Principal": {"AWS": ["arn:aws:iam::123456789012:user/cloud-resource-manager"]},"Action": ["kms:Encrypt","kms:Decrypt","kms:ReEncrypt*","kms:GenerateDataKey*","kms:DescribeKey"],"Resource": "*"},{"Sid": "Allow attachment of persistent resources","Effect": "Allow","Principal": {"AWS": ["arn:aws:iam::123456789012:user/cloud-resource-manager"]},"Action": ["kms:CreateGrant","kms:ListGrants","kms:RevokeGrant"],"Resource": "*","Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}EOF}resource "aws_kms_alias" "kms-key-alias" {target_key_id = aws_kms_key.kms-key.key_idname = "alias/EBSVolumeCMK"}resource "aws_ebs_snapshot" "ebs-volume-snapshot" {volume_id = "vol-0abcd1234abcd1234"}resource "aws_ebs_snapshot_copy" "ebs-snapshot-copy" {source_snapshot_id = aws_ebs_snapshot.ebs-volume-snapshot.idencrypted = true}resource "aws_ebs_volume" "encrypted-ebs-volume" {snapshot_id = aws_ebs_snapshot_copy.ebs-snapshot-copy.idavailability_zone = "us-east-1b"encrypted = truekms_key_id = aws_kms_key.kms-key.key_id}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.
03 In the navigation panel, under Key Management Service (KMS), select Customer managed keys.
04 Choose the Create Key button from the console top menu to initiate the CMK setup process.
05 For Step 1 Configure key, perform the following actions:
- Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
- Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
- Under Advanced options, for Regionality, select whether**to allow the new key to be replicated into other AWS regions.
- Choose Next to continue.
06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in Description – _optiona_l box. (Optional) Use the Add tag button to create tags in order categorize and identify your CMK. Choose Next to continue the setup process.
07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.
08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accountssection, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your EBS volume data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Nextto continue.
09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your specific Amazon KMS Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".
10 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.
11 In the navigation panel, under Elastic Block Store, choose Volumes.
12 Select the Amazon EBS volume that you want to encrypt using your new customer-provided Customer Master Key (CMK).
13 Choose the Actions dropdown button from the console top menu and select Create Snapshot.
14 On the Create Snapshot setup page, provide a short description in the Description box, and choose Create Snapshot. Choose Close to return to the EC2 console.
15 In the navigation panel, under Elastic Block Store, choose Snapshots.
16 Select the newly created Amazon EBS snapshot, choose Actions, and select Copy.
17 In the Copy Snapshot configuration box, select Encrypt this snapshotcheckbox, choose the customer-provided Customer Master Key (CMK) created earlier in the Remediation section from the Master key dropdown list, and choose Copy. Click Close to return to the Snapshots page.
18 Select the new (copied) Amazon EBS snapshot, choose Actions, and select Create Volume.
19 On the Create Volume setup page, make sure that the appropriate customer-provided Customer Master Key (CMK) is selected from the Master Key dropdown list, review the volume configuration details, then choose Create Volume. Click Close to return to the Amazon EC2 console.
20 (Optional) To replace the volume encrypted with the default master key with the one encrypted with customer-provided CMK within the Amazon EC2 instance configuration, perform the following actions:
- In the navigation panel, under Elastic Block Store, choose Volumes.
- Select the original Amazon EBS volume, encrypted with the default master key.
- Choose the Actions dropdown button from the console top menu and select Detach Volume.
- Inside the Detach Volume dialog box, choose Yes, Detach.
- Select the newly created Amazon EBS volume, encrypted with the new customer-provided Customer Master Key (CMK).
- Choose the Actions button from the console top menu and select Attach Volume.
- In the Attach Volume configuration box, select the ID of the EC2 instance detached at step c. from the Instance box, provide the device name required for attachment in the Device box, then choose Attach.
21 Repeat steps no. 12 – 20 to configure customer-provided Customer Master Keys (CMKs) for other Amazon EBS volumes available within the current AWS region.
22 Change the AWS cloud region from the navigation bar to perform the Remediation process for other regions.
Using AWS CLI
01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your EBS data using the KMS API. Create a new policy document (JSON format), name the file ebs-volume-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):
{"Id": "protected-cmk-policy","Version": "2012-10-17","Statement": [{"Sid": "Enable IAM User Permissions","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::<aws-account-id>:root"},"Action": "kms:*","Resource": "*"},{"Sid": "Allow access for Key Administrators","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"},"Action": ["kms:Create*","kms:Describe*","kms:Enable*","kms:List*","kms:Put*","kms:Update*","kms:Revoke*","kms:Disable*","kms:Get*","kms:Delete*","kms:TagResource","kms:UntagResource","kms:ScheduleKeyDeletion","kms:CancelKeyDeletion"],"Resource": "*"},{"Sid": "Allow use of the key","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"},"Action": ["kms:Encrypt","kms:Decrypt","kms:ReEncrypt*","kms:GenerateDataKey*","kms:DescribeKey"],"Resource": "*"},{"Sid": "Allow attachment of persistent resources","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"},"Action": ["kms:CreateGrant","kms:ListGrants","kms:RevokeGrant"],"Resource": "*","Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]} 02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e.ebs-volume-cmk-policy.json) as value for the --policy parameter, to create your new, customer-provided Customer Master Key (CMK):
aws kms create-key --region us-east-1 --description 'Customer Master Key for EBS Volume Encryption' --policy file://ebs-volume-cmk-policy.json --query 'KeyMetadata.Arn'
03 The command output should return the ARN of the new Customer Master Key (CMK):
"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):
aws kms create-alias --region us-east-1 --alias-name alias/EBSVolumeCMK --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
05 Once your customer-provided Customer Master Key (CMK) is created, re-create the Amazon EBS volume(s) that you want to encrypt using the new CMK. Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from the specified EBS volume:
aws ec2 create-snapshot --region us-east-1 --volume-id vol-0abcd1234abcd1234
06 The output should return the create-snapshot command request metadata:
{"Description": "","Tags": [],"Encrypted": true,"VolumeId": "vol-0abcd1234abcd1234","State": "pending","VolumeSize": 150,"StartTime": "2021-06-20T11:37:31.000Z","Progress": "","OwnerId": "123456789012","SnapshotId": "snap-0abcd1234abcd1234"} 07 Run copy-snapshot command (OSX/Linux/UNIX) to copy the EBS volume snapshot created at the previous steps. Use the --kms-key-id command parameter to encrypt the snapshot copy with your new customer-provided Customer Master Key (CMK):
aws ec2 copy-snapshot --region us-east-1 --source-region us-east-1 --source-snapshot-id snap-0abcd1234abcd1234 --encrypted --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
08 The command output should return the ID of the new EBS volume snapshot:
{"SnapshotId": " snap-01234abcd1234abcd"} 09 Run create-volume command (OSX/Linux/UNIX) to create a new Amazon EBS volume from the encrypted snapshot (copy) created at the previous steps. Make sure to include the --kms-key-id command parameter to encrypt the new EBS volume with your customer-provided Customer Master Key (CMK):
aws ec2 create-volume --region us-east-1 --volume-type gp2 --size 150 --availability-zone us-east-1a --snapshot-id snap-01234abcd1234abcd --encrypted --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
10 The command output should return the metadata available for the new encrypted EBS volume:
{"AvailabilityZone": "us-east-1a","MultiAttachEnabled": false,"Tags": [],"Encrypted": true,"VolumeType": "gp2","VolumeId": "vol-0abcdabcdabcdabcd","State": "creating","KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234","SnapshotId": "snap-01234abcd1234abcd","Iops": 100,"CreateTime": "2021-06-28T11:00:00.000Z","Size": 150} 11 To replace the volume encrypted with the default master key with the one encrypted with customer-provided CMK within the Amazon EC2 instance configuration, perform the following actions:
- Run detach-volume command (OSX/Linux/UNIX) to detach the original Amazon EBS volume, encrypted with the default master key, from the specified EC2 instance:
aws ec2 detach-volume --region us-east-1 --volume-id vol-0abcd1234abcd1234
- The output should return the detach-volume command request metadata:
{"AttachTime": "2021-06-28T12:00:19.000Z","InstanceId": "i-01234123412341234","VolumeId": "vol-0abcd1234abcd1234","State": "detaching","Device": "/dev/sdf"} - To attach the new EBS volume (encrypted with the customer-provided CMK) to the selected Amazon EC2 instance, run attach-volume command (OSX/Linux/UNIX):
aws ec2 attach-volume --volume-id vol-0abcdabcdabcdabcd --instance-id i-01234123412341234 --device /dev/sdf
- The output should return the attach-volume command request metadata:
{"AttachTime": "2021-06-28T13:00:19.000Z","InstanceId": "i-01234567890123456","VolumeId": "vol-0abcdabcdabcdabcd","State": "attaching","Device": "/dev/sdf"}
12 Repeat steps no. 6 – 12 to configure customer-provided Customer Master Keys (CMKs) for other Amazon EBS volumes available in the selected AWS region.
13 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
References
- AWS Documentation
- What is AWS Key Management Service?
- AWS Key Management Service Concepts
- Creating Keys
- Amazon EBS Encryption
- Copying an Amazon EBS Snapshot
- AWS Command Line Interface (CLI) Documentation
- kms
- list-aliases
- create-key
- create-alias
- ec2
- describe-volumes
- create-snapshot
- create-volume
- copy-snapshot
- detach-volume
- attach-volume
Publication date Sep 10, 2018
Related KMS rules
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
No thanks, back to article
You are auditing:
Default Key Usage
Risk Level: Medium
In the realm of cloud security and Amazon Web Services (AWS), ensuring the robust encryption of your data is paramount. The article discusses a critical aspect—Default Key Usage—with a particular focus on the Trend Micro Cloud One™ – Conformity tool. This tool, boasting over 750 automated best practice checks, serves as a sentinel for your cloud infrastructure, providing continuous assurance.
The crux of the matter revolves around mitigating a medium-risk scenario. The goal is to ensure that AWS cloud services and resources utilize customer-provided Customer Master Keys (CMKs) rather than default (AWS-managed) keys. This move empowers you with full control over the encryption and decryption process, aligning seamlessly with compliance requirements.
To substantiate the need for such diligence, the article delves into the security implications. The usage of Amazon Key Management Service (KMS) with customer-provided CMKs allows the implementation of the Principle of Least Privilege (POLP). This translates to a meticulous control mechanism, dictating who can access and manipulate the master keys, thereby fortifying the encryption key ownership and usage.
For the audit process, the article provides detailed steps for both AWS Console and AWS CLI. It guides you through the intricate process of scrutinizing Amazon Elastic Block Store (EBS) volumes, checking if default master keys are in play. The meticulous steps involve navigating through the AWS Management Console, EC2 console, and utilizing AWS CLI commands such as describe-volumes and describe-key. The focus is on KMS Key Aliases, a critical attribute indicating the use of default or customer-provided keys.
Now, when it comes to remediation, the article takes a multi-pronged approach, catering to various user preferences. It spans AWS CloudFormation, Terraform (AWS Provider), AWS Console, and AWS CLI. A comprehensive CloudFormation template and Terraform configuration exemplify the process of creating a customer-provided CMK and associating it with an encrypted EBS volume.
In the AWS Console realm, step-by-step instructions guide you through creating a customer-managed key and subsequently encrypting an EBS volume. The meticulous walkthrough involves configuring key parameters, defining administrative and usage permissions, and finally, reviewing and confirming the creation of the customer-provided CMK.
The AWS CLI section provides commands to define policies, create a new CMK, and associate aliases. The narrative here is about empowering users to script and automate the process for scalability and efficiency.
The article, published on September 10, 2018, serves as a timeless reference. It draws extensively from AWS Documentation, referencing key concepts such as AWS Key Management Service, creating keys, Amazon EBS encryption, and copying EBS snapshots. The AWS Command Line Interface (CLI) Documentation is also referenced for commands like kms list-aliases, create-key, create-alias, ec2 describe-volumes, create-snapshot, create-volume, copy-snapshot, detach-volume, and attach-volume.
In essence, this article isn't just a guide; it's a roadmap for securing your AWS cloud infrastructure, showcasing the expertise required to navigate the intricate landscape of cloud security and encryption.
