How do I create an encrypted AMI for Batch?


I want to create an encrypted Amazon Machine Image (AMI) for AWS Batch.

Short description

You can use custom AWS Key Management Service (AWS KMS) keys to encrypt your AMIs, and then use encrypted AMIs to launch AWS Batch instances.

Resolution

Create a snapshot of an AMI that's optimized for Amazon ECS

Complete the following steps:

  1. Launch an Amazon Elastic Compute Cloud (Amazon EC2) instance based on an Amazon Elastic Container Service (Amazon ECS)-optimized AMI.
    Note: To choose an AMI, see Amazon ECS-optimized Linux AMIs.
  2. Create a snapshot from the root volume of the EC2 instance that you launched.
  3. To avoid charges, delete the EC2 instance that you created.

Encrypt the snapshot and create an AMI of the encrypted snapshot

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Elastic Block Store, choose Snapshots.
  3. Select the snapshot that you created, choose Actions, and then choose Copy.
  4. In the Copy Snapshot window, for Encryption, select Encrypt this snapshot.
  5. For KMS key, choose your own customer managed AWS KMS key.
    Note: The key used for encryption in these steps is a symmetric key.
  6. Choose Copy snapshot.
  7. Select the encrypted snapshot after it moves to completed status, choose Actions, and then choose Create Image from snapshot.

Note: You can view the AMI from the Amazon EC2 console. From the Images section of the navigation pane, choose AMIs.

Give the service-linked role access to the KMS key

To specify a customer managed AWS KMS key for Amazon Elastic Block Store (Amazon EBS) encryption, give the service-linked role access to the key. This access allows Amazon EC2 Auto Scaling to launch instances on your behalf. To provide this access, you must modify the key policy of your KMS key.

When you update the policy, set AWSServiceRoleForAutoScaling as a key user for the KMS key.

To use this policy, replace the Amazon Resource Name (ARN) with the ARN of the service-linked role in your account that needs access to the KMS key.

Example policy:

{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

Note: If you use the spot compute environment with a best fit strategy, then use AWSServiceRoleForEC2SpotFleet instead of AWSServiceRoleForAutoScaling in the preceding key policy.
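A quick offline check of a key policy against the statements above, added here as an example and not AWS tooling: it confirms that the service-linked role is allowed the use and grant actions and that the grant actions are scoped with kms:GrantIsForAWSResource. The account ID is the article's example value, and the Spot Fleet role path is assumed.

```python
from fnmatch import fnmatch

# Actions from the article's two role statements; grant actions must carry kms:GrantIsForAWSResource=true.
USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"}
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}
ACCOUNT = "111122223333"  # example account ID from the article, not a real account
ASG_ROLE = f"arn:aws:iam::{ACCOUNT}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
SPOT_ROLE = f"arn:aws:iam::{ACCOUNT}:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet"  # path assumed

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_key_policy(policy: dict, role_arn: str) -> list[str]:
    """Return the problems found for role_arn; an empty list means it matches the article's policy."""
    covered, unscoped_grants = set(), set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        allowed_to = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or role_arn not in allowed_to:
            continue  # Deny statements and "*" principals are not evaluated here (assumption)
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        scoped = str(bool_cond.get("kms:GrantIsForAWSResource", "")).lower() == "true"
        for pattern in _as_list(stmt.get("Action", [])):
            for action in USE_ACTIONS | GRANT_ACTIONS:
                if fnmatch(action, pattern):  # wildcard patterns such as kms:* also count
                    covered.add(action)
                    if action in GRANT_ACTIONS and not scoped:
                        unscoped_grants.add(action)
    problems = [f"missing {a}" for a in sorted(USE_ACTIONS | GRANT_ACTIONS) if a not in covered]
    problems += [f"{a} allowed without kms:GrantIsForAWSResource=true" for a in sorted(unscoped_grants)]
    return problems

def statement(sid, principal_arn, actions, condition=None):
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principal_arn}, "Action": actions, "Resource": "*"}
    if condition:
        stmt["Condition"] = condition
    return stmt

# Constructed input mirroring the article's example policy (Auto Scaling role only).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    statement("Enable IAM User Permissions", f"arn:aws:iam::{ACCOUNT}:root", "kms:*"),
    statement("Allow use of the key", ASG_ROLE, sorted(USE_ACTIONS)),
    statement("Allow attachment of persistent resources", ASG_ROLE, sorted(GRANT_ACTIONS),
              {"Bool": {"kms:GrantIsForAWSResource": "true"}}),
]}

if __name__ == "__main__":
    for role in (ASG_ROLE, SPOT_ROLE):  # the Spot Fleet role is absent from the policy, so it is reported
        print(role.rsplit("/", 1)[-1], check_key_policy(SAMPLE_POLICY, role) or "OK")
```

Run it against the output of `aws kms get-key-policy` for your key to confirm the role you actually use (Auto Scaling or Spot Fleet) is covered before creating the compute environment.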

Create a new compute environment

Create a new compute environment.

Important: When you create your compute environment, you must select the Enable user-specified AMI ID option. Then, enter your AMI ID in the AMI ID box that appears, and choose Validate AMI.

AWS OFFICIAL
Updated 4 months ago