How do I view encryption information about my AMI or snapshot?


I want to know whether my Amazon Machine Image (AMI) or snapshot is encrypted. If it is, then I want to know whether it uses an AWS Key Management Service (AWS KMS) managed key or a customer managed key.

Resolution

Note:

AWS CLI

To use the AWS CLI to view encryption information, complete the following steps:

  1. To view the snapshots that are associated with the AMI, run the describe-images command with the BlockDeviceMappings query filter.

    aws ec2 describe-images --image-ids ami-######## --region us-east-1 --query "Images[*].BlockDeviceMappings"
    [
        [{
            "DeviceName": "/dev/xvda",
            "Ebs": {
                "DeleteOnTermination": true,
                "SnapshotId": "snap-#########",
                "VolumeSize": 8,
                "VolumeType": "gp2",
                "Encrypted": true
            }
        }]
    ]

    Note: Replace image-ids and region with the image ID and AWS Region of your AMI.

    The preceding example output shows the snapshot that's associated with the AMI. The Encrypted parameter of the snapshot is set to true.

  2. Run the describe-snapshots command. Use the snapshot-id of the snapshot that's listed in the output of the describe-images command:

    aws ec2 describe-snapshots --snapshot-ids snap-######### --region us-east-1
    {
        "Snapshots": [{
            "Description": "Copied for DestinationAmi ami-######### from SourceAmi ami-######### for SourceSnapshot snap-#########. Task created on 1,579,611,950,318.",
            "Encrypted": true,
            "KmsKeyId": "arn:aws:kms:eu-west-1:9208#########:key/dcd4d062-#########-##########",
            "OwnerId": "111122223333",
            "Progress": "100%",
            "SnapshotId": "snap-##########",
            "StartTime": "2020-01-21T13:05:53.887Z",
            "State": "completed",
            "VolumeId": "vol-ffffffff",
            "VolumeSize": 8
        }]
    }

    From the command output, copy the KmsKeyId.

  3. To determine whether the key is an AWS KMS key or a customer managed key, run the describe-key command.

    aws kms describe-key --key-id dcd4d062-#########-######### --region us-east-1
    {
        "KeyMetadata": {
            "AWSAccountId": "92#########",
            "KeyId": "dcd4d062-#########-#########",
            "Arn": "arn:aws:kms:eu-west-1:92#########:key/dcd4d062-#########-#########",
            "CreationDate": 1579611763.538,
            "Enabled": true,
            "Description": "02-example-CMK",
            "KeyUsage": "ENCRYPT_DECRYPT",
            "KeyState": "Enabled",
            "Origin": "AWS_KMS",
            "KeyManager": "CUSTOMER",
            "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "EncryptionAlgorithms": ["SYMMETRIC_DEFAULT"]
        }
    }

    Note: Replace key-id with the KmsKeyId that's listed in the describe-snapshots output. Replace region with the snapshot's Region.
    In the preceding example output, the KeyManager parameter is CUSTOMER, so the key is a customer managed key. For an AWS managed key, the KeyManager parameter is AWS.
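The three CLI steps above can be chained in one script that walks every EBS block device mapping of an AMI, not only the root device, and records whether each snapshot is unencrypted, encrypted with an AWS managed key, or encrypted with a customer managed key. The following is an added example, not code from the article or from AWS. It takes objects with boto3-style describe_images, describe_snapshots and describe_key methods so that real boto3 clients can be passed in; the FakeAws class, the AMI, snapshot and key identifiers, and the response bodies are constructed sample data so the script runs offline.

```python
"""Audit the encryption state of every EBS snapshot behind an AMI.

Same three-call flow as the CLI steps above (describe-images -> describe-snapshots
-> describe-key), with the decision logic collected in one place.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SnapshotEncryption:
    device: str
    snapshot_id: str
    encrypted: bool
    kms_key_arn: Optional[str] = None
    key_manager: Optional[str] = None  # KeyMetadata.KeyManager: "AWS" or "CUSTOMER"

    @property
    def key_kind(self) -> str:
        if not self.encrypted:
            return "not encrypted"
        return "AWS managed key" if self.key_manager == "AWS" else "customer managed key"

    @property
    def shareable(self) -> bool:
        # Snapshots encrypted with an AWS managed key can't be shared with other accounts.
        return not (self.encrypted and self.key_manager == "AWS")


def audit_ami(ec2, kms, image_id: str) -> List[SnapshotEncryption]:
    """ec2 and kms are boto3-style clients (or any object with the same three methods)."""
    images = ec2.describe_images(ImageIds=[image_id])["Images"]
    if not images:
        raise ValueError(f"{image_id}: no such image, or it is not visible to this account")
    results = []
    for mapping in images[0].get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if ebs is None:
            continue  # instance-store (ephemeral) mapping: no snapshot, nothing to check
        snap_id = ebs["SnapshotId"]
        snap = ec2.describe_snapshots(SnapshotIds=[snap_id])["Snapshots"][0]
        entry = SnapshotEncryption(mapping["DeviceName"], snap_id, bool(snap.get("Encrypted")))
        if entry.encrypted:
            entry.kms_key_arn = snap["KmsKeyId"]  # full key ARN, usable directly as KeyId
            meta = kms.describe_key(KeyId=entry.kms_key_arn)["KeyMetadata"]
            entry.key_manager = meta["KeyManager"]
        results.append(entry)
    return results


# --- Constructed sample data shaped like the CLI output above; these are not real resources. ---
_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
_AWS_ARN = "arn:aws:kms:us-east-1:111122223333:key/66666666-7777-8888-9999-000000000000"


class FakeAws:
    """Stands in for both the ec2 and the kms boto3 client so the audit runs offline."""
    images = {"ami-0123example": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0aaa", "Encrypted": True}},
        {"DeviceName": "/dev/xvdb", "Ebs": {"SnapshotId": "snap-0bbb", "Encrypted": True}},
        {"DeviceName": "/dev/xvdc", "Ebs": {"SnapshotId": "snap-0ccc", "Encrypted": False}},
        {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},  # instance store, no Ebs key
    ]}
    snapshots = {
        "snap-0aaa": {"SnapshotId": "snap-0aaa", "Encrypted": True, "KmsKeyId": _CMK_ARN},
        "snap-0bbb": {"SnapshotId": "snap-0bbb", "Encrypted": True, "KmsKeyId": _AWS_ARN},
        "snap-0ccc": {"SnapshotId": "snap-0ccc", "Encrypted": False},
    }
    keys = {
        _CMK_ARN: {"Arn": _CMK_ARN, "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
        _AWS_ARN: {"Arn": _AWS_ARN, "KeyManager": "AWS", "KeyState": "Enabled"},
    }

    def describe_images(self, ImageIds):
        return {"Images": [{"ImageId": i, "BlockDeviceMappings": self.images[i]}
                           for i in ImageIds if i in self.images]}

    def describe_snapshots(self, SnapshotIds):
        return {"Snapshots": [self.snapshots[s] for s in SnapshotIds]}

    def describe_key(self, KeyId):
        # describe-key accepts a key ARN or a bare key ID; accept either here too.
        for arn, meta in self.keys.items():
            if KeyId in (arn, arn.rsplit("/", 1)[1]):
                return {"KeyMetadata": meta}
        raise KeyError(KeyId)


if __name__ == "__main__":
    fake = FakeAws()  # replace with boto3.client("ec2") and boto3.client("kms") for a real account
    for r in audit_ami(fake, fake, "ami-0123example"):
        print(f"{r.device:10} {r.snapshot_id:12} {r.key_kind:22} shareable={r.shareable}")
```

Against a real account, create the kms client in the Region named in the snapshot's KmsKeyId ARN, because KMS keys are regional; and if the snapshot was shared from another account, describe-key on its key succeeds only when that key's policy grants your principal kms:DescribeKey.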

Amazon EC2 console

To use the Amazon Elastic Compute Cloud (Amazon EC2) console to view encryption information, complete the following steps:

  1. Open the Amazon EC2 console.
  2. From the navigation pane, choose AMIs.
  3. Use the filter and search options to limit the list of displayed AMIs to only the AMIs that match your criteria.
  4. Choose the Preferences icon and select the image attributes to display, such as the root device type. Or, you can select an AMI from the list and view its properties on the Details tab.
  5. Choose the Storage properties tab.
  6. Select the snapshot, and then on the Description tab, verify whether Encryption is set to Encrypted or Not Encrypted. If the snapshot is encrypted, then note the KMS Key ID and KMS Key ARN.
  7. Open the AWS KMS console.
  8. Choose AWS managed keys, and then enter the KMS Key ID. If no results appear, then choose Customer managed keys, and then enter the KMS Key ID.

Note: You can't share AMIs that are encrypted with an AWS managed key. For more information, see Before you share a snapshot.

Related information

AWS KMS concepts

AWS OFFICIAL