How do I use an encrypted AMI in my Auto Scaling group that another account shared with me?

4 minute read
0

I want to use an encrypted Amazon Machine Image (AMI) in my AWS Auto Scaling group that another AWS account shared with me. The AMI is encrypted with an AWS Key Management Service (AWS KMS) customer managed key.

Short description

The AWS KMS key policy for the AWS KMS key must allow your account's AWS Identity and Access Management (IAM) identity to use the AMI to launch an instance. To launch instances, Auto Scaling groups use permissions that service-linked roles (SLRs) grant.

To use the encrypted AMI in your Auto Scaling group, the KMS key policy must provide access to the following roles:

  • The SLR that's associated with the Auto Scaling group in your account.
  • The IAM identity in your account to create a grant that allows the SLR to use the key.

Resolution

To use the encrypted AMI in your Auto Scaling group, complete the following steps:

  1. Modify the KMS key policy that's associated with the KMS key that encrypts the AMI.
  2. Create a grant for the SLR to use the key.

Modify the KMS key policy

Complete the following steps:

  1. From the account that's sharing the encrypted AMI with you, open the AWS KMS console, and then select the KMS key.

  2. In the Key Policy section, add the following permissions for the SLR that's used in your account's Auto Scaling group:

    kms:Encrypt
    kms:Decrypt
    kms:ReEncrypt*
    kms:GenerateDataKey*
    kms:DescribeKey 
  3. To create the grant in your account, you must add the kms:CreateGrant, kms:ListGrants, and kms:RevokeGrant permissions to the key policy. The policy must also include the Allow use of the key and Allow attachment of persistent resources statements.

    The following is an example of the key policy. Replace SOURCE_ACCOUNT with the ID of the account that's sharing the encrypted AMI and DESTINATION_ACCOUNT with your account's ID:

    {
        "Version": "2012-10-17",
        "Id": "key-consolepolicy-3",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::SOURCE_ACCOUNT:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow access for Key Administrators",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::SOURCE_ACCOUNT:user/AdminUser"
                },
                "Action": [
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:TagResource",
                    "kms:UntagResource",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::DESTINATION_ACCOUNT:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
                        "arn:aws:iam::SOURCE_ACCOUNT:user/AdminUser"
                    ]
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::DESTINATION_ACCOUNT:user/DESTINATION_USER",
                        "arn:aws:iam::SOURCE_ACCOUNT:user/AdminUser"
                    ]
                },
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Resource": "*"
            }
        ]
    }
    

    Note: When you use the AWS Management Console to create a KMS key and include external account IDs as users, the key policy automatically applies kms:GrantIsForAWSResource. The kms:GrantIsForAWSResource condition key doesn't allow users to create grants for the SLR. Make sure that the key policy doesn't contain this condition key in the Allow attachment of persistent resources statement.

Create a grant for the SLR

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

The grant allows the SLR in your account to perform cryptographic actions with the source account's KMS key.

In your account, run the create-grant AWS CLI command from the DESTINATION_USER that's specified in the key policy:

aws kms create-grant --key-id [X] \
--grantee-principal [Y] \
--operations Decrypt Encrypt GenerateDataKey GenerateDataKeyWithoutPlaintext \
ReEncryptFrom ReEncryptTo CreateGrant DescribeKey

Note: Replace [X] with the source account KMS key ARN and  [Y] with the SLR ARN of your account.

Related information

Required AWS KMS key policy for use with encrypted volumes

AWS OFFICIAL
AWS OFFICIALUpdated 5 months ago