Intellipaat Back

Explore Courses Blog Tutorials Interview Questions
0 votes
2 views
in AWS by (19.1k points)

In the AWS Key Management Service Best Practices whitepaper, in the section on Data at Rest Encryption with Amazon EBS, it states:

There are two methods to ensure that EBS volumes are always encrypted. You can verify that the encryption flag as part of the CreateVolume context is set to “true” through an IAM policy. If the flag is not “true” then the IAM policy can prevent an individual from creating the EBS volume

How can I do this? I'd imagine the policy would look something like:

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Sid": "Stmt1509465260000",

      "Effect": "Allow",

      "Action": [

        "ec2:CreateVolume"

      ],

      "Condition": {

        "Bool": {

          "ec2:Encrypted": "true"

        }

      },

      "Resource": [

        "*"

      ]

    }

  ]

}

Based on the whitepaper and the docs, the Bool condition on the ec2:Encrypted key makes the most sense, but when trying to create an encrypted volume, I'm getting access denied.

What am I missing in the statement?

1 Answer

0 votes
by (44.4k points)

You will need more permissions to create these encrypted volumes:

1) ec2:DescribeAvailabilityZones

2) kms:*

Example policy:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Effect": "Allow",

            "Action": [

                "kms:*"

            ],

            "Resource": "*"

        },

        {

            "Effect": "Allow",

            "Action": [

                "ec2:DescribeAvailabilityZones"

            ],

            "Resource": "*"

        },

        {

            "Sid": "Stmt1509465260000",

            "Effect": "Allow",

            "Action": [

                "ec2:CreateVolume"

            ],

            "Condition": {

                "Bool": {

                    "ec2:Encrypted": "true"

                }

            },

            "Resource": [

                "*"

            ]

        }

    ]

}

Related questions

Want to get 50% Hike on your Salary?

Learn how we helped 50,000+ professionals like you !

0 votes
1 answer
asked Mar 12, 2020 in AWS by chandra (29.3k points)

31k questions

32.8k answers

501 comments

693 users

Browse Categories

...