1 Answer
Hello,
You can use the AWS::NoValue parameter when you want to encrypt the EBS volume using a custom CustomKMSKeyArn if it's provided as an input parameter. If the condition evaluates to false, CloudFormation removes the KmsKeyId property and the volume is encrypted using the default EBS KMS key.
I also found one more issue with the CF template: you need to create an InstanceProfile resource to attach the IAM Role to the EC2 instance.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Create an EC2 instance with EBS encryption using a custom or default KMS key
Parameters:
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
  InstanceType:
    Type: String
    Default: t2.micro
    Description: EC2 instance type
  ImageId:
    Type: AWS::EC2::Image::Id
    Default: ami-0c94755bb95c71c99
    Description: AMI ID for the EC2 instance
  CustomKMSKeyArn:
    Type: String
    Default: ''
    Description: (Optional) ARN of a custom KMS key to use for EBS encryption
Conditions:
  # True only when a key ARN was supplied as a parameter
  UseCustomKMSKey: !Not [!Equals [!Ref CustomKMSKeyArn, '']]
Resources:
  IAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
        - arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser
  # A role cannot be attached to an instance directly; it must be wrapped in an instance profile
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref IAMRole
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      IamInstanceProfile: !Ref InstanceProfile
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 20
            Encrypted: true
            # When no custom key is given, AWS::NoValue removes KmsKeyId entirely
            # and the account's default EBS KMS key is used
            KmsKeyId: !If
              - UseCustomKMSKey
              - !Ref CustomKMSKeyArn
              - !Ref 'AWS::NoValue'
Outputs:
  InstanceId:
    Description: The ID of the EC2 instance
    Value: !Ref EC2Instance
    Export:
      Name: ec2-instance-id
```
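The following is an added example, not part of the answer above or of any AWS tooling. It models the two mechanisms the answer relies on so they can be checked offline: a minimal resolver for the intrinsics the template uses (`Ref`, `Fn::Equals`, `Fn::Not`, `Fn::If`) that prunes properties resolving to `AWS::NoValue`, and a lint that flags an `AWS::EC2::Instance` whose `IamInstanceProfile` does not reference an `AWS::IAM::InstanceProfile`. The template slice is a constructed JSON-form copy of the relevant resources, and the key ARN used below is a placeholder; the function names are this example's own.

```python
"""Resolve the AWS::NoValue / Fn::If pattern for EBS KmsKeyId and lint the
instance-profile attachment, without deploying anything."""
import copy

NO_VALUE = "AWS::NoValue"

# Constructed: the relevant slice of the posted template in CloudFormation's
# long-form (JSON) intrinsic notation, so no YAML tag parser is required.
TEMPLATE = {
    "Parameters": {"CustomKMSKeyArn": {"Type": "String", "Default": ""}},
    "Conditions": {
        "UseCustomKMSKey": {"Fn::Not": [{"Fn::Equals": [{"Ref": "CustomKMSKeyArn"}, ""]}]}
    },
    "Resources": {
        "IAMRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "InstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
                            "Properties": {"Roles": [{"Ref": "IAMRole"}]}},
        "EC2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "IamInstanceProfile": {"Ref": "InstanceProfile"},
                "BlockDeviceMappings": [{
                    "DeviceName": "/dev/xvda",
                    "Ebs": {
                        "VolumeSize": 20,
                        "Encrypted": True,
                        "KmsKeyId": {"Fn::If": ["UseCustomKMSKey",
                                                {"Ref": "CustomKMSKeyArn"},
                                                {"Ref": NO_VALUE}]},
                    },
                }],
            },
        },
    },
}


def resolve(node, params, conditions):
    """Recursively resolve Ref (parameters only), Fn::Equals, Fn::Not and Fn::If.
    A dict entry or list item whose resolved value is AWS::NoValue is dropped,
    which is how CloudFormation treats it. Refs to resources stay symbolic."""
    if isinstance(node, dict):
        if len(node) == 1:
            (key, arg), = node.items()
            if key == "Ref":
                if arg == NO_VALUE:
                    return NO_VALUE
                return params[arg] if arg in params else node
            if key == "Fn::Equals":
                a, b = (resolve(x, params, conditions) for x in arg)
                return a == b
            if key == "Fn::Not":
                return not resolve(arg[0], params, conditions)
            if key == "Fn::If":
                name, yes, no = arg
                chosen = yes if resolve(conditions[name], params, conditions) else no
                return resolve(chosen, params, conditions)
        out = {}
        for k, v in node.items():
            r = resolve(v, params, conditions)
            if r != NO_VALUE:
                out[k] = r
        return out
    if isinstance(node, list):
        return [r for r in (resolve(x, params, conditions) for x in node) if r != NO_VALUE]
    return node


def effective_instance_properties(template, params):
    """EC2Instance properties as CloudFormation would see them for the given
    parameter values, with parameter defaults applied and NoValue entries pruned."""
    merged = {k: v.get("Default") for k, v in template["Parameters"].items()}
    merged.update(params)
    return resolve(template["Resources"]["EC2Instance"]["Properties"],
                   merged, template["Conditions"])


def root_volume_kms_key(template, params):
    """KmsKeyId of the root volume after resolution, or None when the property
    was removed (the account's default EBS KMS key then applies)."""
    ebs = effective_instance_properties(template, params)["BlockDeviceMappings"][0]["Ebs"]
    return ebs.get("KmsKeyId")


def lint_instance_profiles(template):
    """Names of AWS::EC2::Instance resources whose IamInstanceProfile does not
    Ref an AWS::IAM::InstanceProfile resource (e.g. a role referenced directly)."""
    resources = template["Resources"]
    bad = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        prof = res.get("Properties", {}).get("IamInstanceProfile")
        target = prof.get("Ref") if isinstance(prof, dict) else None
        if resources.get(target, {}).get("Type") != "AWS::IAM::InstanceProfile":
            bad.append(name)
    return bad


def with_role_attached_directly(template):
    """Copy of the template reproducing the mistake the answer points out:
    the instance references the role instead of an instance profile."""
    broken = copy.deepcopy(template)
    broken["Resources"]["EC2Instance"]["Properties"]["IamInstanceProfile"] = {"Ref": "IAMRole"}
    return broken


if __name__ == "__main__":
    print("default key  ->", root_volume_kms_key(TEMPLATE, {}))
    print("custom key   ->", root_volume_kms_key(
        TEMPLATE, {"CustomKMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER"}))
    print("lint (ok)    ->", lint_instance_profiles(TEMPLATE))
    print("lint (broken)->", lint_instance_profiles(with_role_attached_directly(TEMPLATE)))
```

Running it with an empty `CustomKMSKeyArn` shows the `Ebs` mapping with `Encrypted: true` but no `KmsKeyId` key at all, which is the behaviour the answer describes; passing an ARN keeps the property. The lint is the kind of pre-deploy check that catches the role-versus-profile mistake before CloudFormation rejects the stack.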