AWS IAM policy to enforce new EBS volumes are encrypted

In the AWS Key Management Service Best Practices whitepaper, in the section on Data at Rest Encryption with Amazon EBS, it states:

There are two methods to ensure that EBS volumes are always encrypted. You can verify that the encryption flag as part of the CreateVolume context is set to “true” through an IAM policy. If the flag is not “true” then the IAM policy can prevent an individual from creating the EBS volume

How can I do this? I'd imagine the policy would look something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1509465260000",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    }
  ]
}

Based on the whitepaper and the docs, the Bool condition on the ec2:Encrypted key makes the most sense, but when trying to create an encrypted volume, I'm getting access denied.

What am I missing in the statement?

Tempt answered 31/10, 2017 at 16:27

You will need additional permissions to create encrypted volumes:

1) ec2:DescribeAvailabilityZones

2) kms:*

Note: I did not drill down into KMS for the minimum permissions to use KMS encryption keys. If you want to create volumes from snapshots then you will need to add ec2:DescribeSnapshots.

Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Stmt1509465260000",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume"
            ],
            "Condition": {
                "Bool": {
                    "ec2:Encrypted": "true"
                }
            },
            "Resource": [
                "*"
            ]
        }
    ]
}
Pup answered 31/10, 2017 at 17:18

Comments:

Thank you! I had to add a few more Actions for my use case. Will post an answer showing exactly what I did. - Tempt

Thank you for posting the final solution. This will help others to better understand IAM policies. The principles of least privilege are very important with cloud security. - Pup

No problem! Are you aware of any good frameworks for IAM/KMS governance for organizations with multiple applications/development teams using the same AWS account? It's easy to agree on 'principle of least privilege', but can be tough to implement and manage over time. - Tempt

@tkwargs. Sorry, I don't know of any better solutions from third parties. There are a lot of companies in this arena to review. - Pup

Are these Service Control Policies? It doesn't specify where these are applied. - Achromatin

@ScottCrooks - This is applied to the user's IAM policy. This policy gives the user permission to create a volume AND the condition that the volume must be encrypted. - Pup

John Hanley had it right

The full policy I ended up using looked like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt2222222222222",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1111111111111",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateTags",
        "kms:ListAliases"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "allowKmsKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:999999999999:alias/aws/ebs"
      ]
    }
  ]
}
Tempt answered 31/10, 2017 at 18:9

"kms:encrypt" alone doesn't work anymore for creating encrypted EBS volumes. Found a working solution in the following links:

https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html

Permissions for creating and attaching EBS Volume to an EC2Resource in AWS Data Pipeline

To use without doing a wildcard KMS action (kms:*), include the following under Action:

"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"

along with

"ec2:CreateVolume",
"ec2:CreateTags",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeAvailabilityZones",
"ec2:EnableVolumeIO"
Partite answered 10/1, 2020 at 20:15
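The thread's two findings are (a) an Allow statement on ec2:CreateVolume gated by the Bool condition ec2:Encrypted only permits encrypted volumes, and (b) that statement alone still produces "access denied" because the supporting EC2 Describe and KMS calls are missing. The script below is an added example (not code from the thread or from AWS) that checks both points offline: it models a small subset of IAM evaluation (explicit Deny wins, then Allow, else implicit deny; action wildcards; Bool conditions), runs the question's policy against encrypted and unencrypted CreateVolume requests, and reports which of the actions from the last answer's list the policy does not grant. It ignores Resource constraints and KMS key policies, which are out of scope here, and it expands the last answer's two wildcard entries (kms:ReEncrypt*, kms:GenerateDataKey*) to representative concrete action names; both are assumptions. It also flags any Allow statement that would let ec2:CreateVolume through without the encryption condition, since such a statement (for instance an ec2:* grant elsewhere in the policy) bypasses the control.

```python
"""Offline check of the EBS-encryption IAM policies discussed in this thread.

Added example, not code from the thread or from AWS. Models only a subset of
IAM evaluation (Deny > Allow > implicit deny, action wildcards, Bool
conditions); Resource constraints and KMS key policies are ignored.
"""
import json
from fnmatch import fnmatchcase

# Constructed copy of the policy from the question.
QUESTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EncryptedOnly",
      "Effect": "Allow",
      "Action": ["ec2:CreateVolume"],
      "Condition": {"Bool": {"ec2:Encrypted": "true"}},
      "Resource": ["*"]
    }
  ]
}
""")

# Constructed policy with an extra unconditional ec2:* grant, to show the bypass.
LOOSE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllEc2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
  ]
}
""")

# Actions the last answer lists as needed for an encrypted CreateVolume. Its two
# wildcard entries are expanded here to concrete action names (an assumption).
REQUIRED_ACTIONS = [
    "ec2:CreateVolume", "ec2:CreateTags", "ec2:DescribeVolumeAttribute",
    "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes",
    "ec2:DescribeAvailabilityZones", "ec2:EnableVolumeIO",
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _bool_condition_matches(condition, context):
    """Evaluate the Bool operator only. A key absent from the request context
    fails the test, so the statement does not apply (as in IAM)."""
    for key, expected in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def evaluate(policy, action, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action under one policy."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not _bool_condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def missing_actions(policy, context=None):
    """Required actions that the policy does not allow under the given context."""
    return [a for a in REQUIRED_ACTIONS if evaluate(policy, a, context) != "Allow"]


def unconditional_createvolume(policy):
    """Sids of Allow statements that cover ec2:CreateVolume without requiring
    ec2:Encrypted = true; any such statement bypasses the encryption control."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatchcase("ec2:CreateVolume", p) for p in _as_list(stmt["Action"])):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("ec2:Encrypted", "")
        if str(flag).lower() != "true":
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    encrypted = {"ec2:Encrypted": "true"}
    print(evaluate(QUESTION_POLICY, "ec2:CreateVolume", encrypted))
    print(evaluate(QUESTION_POLICY, "ec2:CreateVolume", {"ec2:Encrypted": "false"}))
    print("missing from the question's policy:", missing_actions(QUESTION_POLICY, encrypted))
    print("bypass statements:", unconditional_createvolume(LOOSE_POLICY))
```

Run as-is it shows the question's policy allowing an encrypted CreateVolume, implicitly denying an unencrypted one, and lacking every supporting action except ec2:CreateVolume itself, which is the "access denied" the question describes. Pointing unconditional_createvolume at a real policy document is a cheap review step before attaching it: the Bool condition only enforces anything when no other statement in the principal's effective permissions allows CreateVolume without it.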