7

In the AWS Key Management Service Best Practices whitepaper, in the section on Data at Rest Encryption with Amazon EBS, it states:

There are two methods to ensure that EBS volumes are always encrypted. You can verify that the encryption flag as part of the CreateVolume context is set to “true” through an IAM policy. If the flag is not “true” then the IAM policy can prevent an individual from creating the EBS volume

How can I do this? I'd imagine the policy would look something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1509465260000",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    }
  ]
}

Based on the whitepaper and the docs, the Bool condition on the ec2:Encrypted key makes the most sense, but when trying to create an encrypted volume, I'm getting access denied.

What am I missing in the statement?

maafk

3 Answers

5

You will need additional permissions to create encrypted volumes:

1) ec2:DescribeAvailabilityZones

2) kms:*

Note: I did not drill down into KMS for the minimum permissions to use KMS encryption keys. If you want to create volumes from snapshots then you will need to add ec2:DescribeSnapshots.

Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Stmt1509465260000",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume"
            ],
            "Condition": {
                "Bool": {
                    "ec2:Encrypted": "true"
                }
            },
            "Resource": [
                "*"
            ]
        }
    ]
}
John Hanley

  • Thank you! I had to add a few more Actions for my use case. Will post an answer showing exactly what I did – maafk Oct 31 '17 at 18:06
  • Thank you for posting the final solution. This will help others to better understand IAM policies. The principles of least privilege are very important with cloud security. – John Hanley Oct 31 '17 at 18:14
  • No problem! Are you aware of any good frameworks for IAM/KMS governance for organizations with multiple applications/development teams using the same AWS account? It's easy to agree on 'principle of least privilege', but can be tough to implement and manage over time. – maafk Oct 31 '17 at 18:42
  • @tkwargs. Sorry I don't know of any better solutions from third parties. There are a lot of companies in this arena to review. – John Hanley Nov 02 '17 at 00:11
  • Are these Service Control Policies? It doesn't specify where these are applied. – Scott Crooks Aug 16 '19 at 18:01
  • @ScottCrooks - This is applied to the user's IAM policy. This policy gives the user permission to create a volume AND the condition that the volume must be encrypted. – John Hanley Aug 16 '19 at 18:12
4

John Hanley had it right

The full policy I ended up using looked like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt2222222222222",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "true"
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1111111111111",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateTags",
        "kms:ListAliases"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "allowKmsKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:999999999999:alias/aws/ebs"
      ]
    }
  ]
}
maafk
1

"kms:encrypt" alone doesn't work anymore for creating encrypted EBS. Found a working solution in the following links

https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html

Permissions for creating and attaching EBS Volume to an EC2Resource in AWS Data Pipeline

To use without doing a wildcard kms action ("kms:*"), include the following under Action

"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"

along with

"ec2:CreateVolume",
"ec2:CreateTags",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeAvailabilityZones",
"ec2:EnableVolumeIO"
Ajay Singh
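Added example, not from any of the answers above: a small, simplified model of IAM policy evaluation (Allow/Deny, Action and Resource wildcards, and only the Bool condition operator) run against the question's original statement and against a constructed policy that adds the EC2 and KMS actions listed in the last two answers. It shows why the encryption condition alone produces "access denied" (the KMS calls made during an encrypted CreateVolume hit an implicit deny) while unencrypted volumes stay denied under both policies. The policy dictionaries and the evaluate() function are assumptions of this example, not AWS's actual evaluation engine.

```python
import fnmatch

# Constructed policies: the question's original statement, and the same statement
# plus a second Allow carrying the EC2/KMS actions named in the later answers.
ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:CreateVolume"], "Resource": "*",
     "Condition": {"Bool": {"ec2:Encrypted": "true"}}}]}
EXTENDED = {"Version": "2012-10-17", "Statement": ORIGINAL["Statement"] + [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeVolumes", "ec2:DescribeAvailabilityZones", "ec2:CreateTags",
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
        "kms:DescribeKey"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _bool_condition_holds(condition, context):
    # Only the Bool operator is modelled, which is all these policies use. A key
    # that is absent from the request context fails the condition, as in IAM.
    for key, expected in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def evaluate(policy, action, resource="*", context=None):
    """Simplified IAM logic: an explicit Deny wins, otherwise any matching Allow
    grants access, otherwise the result is an implicit deny ('access denied')."""
    context = context or {}
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _bool_condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("extended", EXTENDED)):
        for action, ctx in (("ec2:CreateVolume", {"ec2:Encrypted": True}),
                            ("ec2:CreateVolume", {"ec2:Encrypted": False}),
                            ("kms:GenerateDataKeyWithoutPlaintext", {})):
            print(f"{name:8s} {action:36s} {ctx} -> {evaluate(policy, action, context=ctx)}")
```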