Creating encrypted (root volume encrypted) ec2 instance but still SCP blocking launch of instance

Hi Team, here is the situation -

I have an SCP on my account which would block "ec2:RunInstances" if EBS is not encrypted. Now I am using a CFT where I specifically used an encryption key to encrypt the default root volume while creating the EC2 instance, but it seems like I am still not able to launch the EC2 instance, and when I decrypted the error message it says that my SCP (Deny on "ec2:RunInstances") is blocking it. I am wondering why this is happening, though I have created a KMS key and used that for block-level encryption. I am attaching the CFT below. Please let me know if you have any questions.

AWSTemplateFormatVersion: "2010-09-09"
Description: This template creates an AWS::EC2 resource.

Parameters:
  ImageId:
    Description: An ImageId for the EC2 instance
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
  SubnetId:
    Description: Provide the subnet on which the EC2 instance will be launched
    Type: AWS::EC2::Subnet::Id
  VPCId:
    Description: Provide the VPC id in which the EC2 instance will be launched
    Type: AWS::EC2::VPC::Id

Resources:
  Ec2SsmIamRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: inspect-ec2-role
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ec2.amazonaws.com]
            Action: ['sts:AssumeRole']
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  Ec2SsmInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: inspect-ec2-profile
      Path: /
      Roles: [!Ref Ec2SsmIamRole]

  WebServerSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http
      VpcId: !Ref VPCId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        # SSH is reachable from any address here; narrow CidrIp outside a throwaway test VPC
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: 10.0.0.0/8
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: 10.0.0.0/8

  KMSKeyforEBSencryption:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for EBS encryption
      Enabled: true
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: kms:*
            Resource: "*"

  RequiredTagsLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: ec2-template
      LaunchTemplateData:
        MetadataOptions:
          HttpTokens: required   # IMDSv2 only
        TagSpecifications:
          - ResourceType: volume
            Tags:
              - Key: UAI
                Value: test
          - ResourceType: instance
            Tags:
              - Key: UAI
                Value: test

  Ec2Private1Instance:
    Type: AWS::EC2::Instance
    Properties:
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          sudo su
          yum update -y
          yum install -y httpd.x86_64
          systemctl start httpd.service
          systemctl enable httpd.service
          echo "Hello! Yes we can talk, from $(hostname -f)" > /var/www/html/index.html
      ImageId: !Ref ImageId
      IamInstanceProfile: !Ref Ec2SsmInstanceProfile
      SecurityGroupIds:
        - !Ref WebServerSecGroup
      InstanceType: t2.micro
      SubnetId: !Ref SubnetId
      LaunchTemplate:
        # Referencing the resource (rather than the bare name) makes CloudFormation
        # create the launch template before the instance that uses it
        LaunchTemplateId: !Ref RequiredTagsLaunchTemplate
        Version: !GetAtt RequiredTagsLaunchTemplate.LatestVersionNumber
      BlockDeviceMappings:
        # Only the additional data volume is declared; the AMI's own root device is not listed here
        - DeviceName: /dev/sdk
          Ebs:
            VolumeSize: 10   # GiB
            VolumeType: gp3
            DeleteOnTermination: true
            Encrypted: true
            # KmsKeyId: !Ref KMSKeyforEBSencryption
      Tags:
        - Key: Name
          Value: core-connectivity-test

The SCP I have is as below (only the two relevant statements are shown):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyUnencryptedEC2Volumes",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "*",
          "Condition": {
            "Bool": {
              "ec2:Encrypted": "false"
            }
          }
        },
        {
          "Sid": "DenyUnencryptedEBSVolumeCreation",
          "Effect": "Deny",
          "Action": [
            "ec2:CreateVolume",
            "ec2:AttachVolume"
          ],
          "Resource": "*",
          "Condition": {
            "Bool": {
              "ec2:Encrypted": "false"
            }
          }
        }
      ]
    }
  • Hi @Siva, yeah, I did that too but it did not help. Wondering what other mistake I am making here.

1 Answer

Accepted Answer

Your instance declaration defines one volume mapped to /dev/sdk, but I think it will additionally receive /dev/xvda for the root drive from the AMI. Since nothing is specified for it, it will be created unencrypted, unless you have default EBS encryption enabled in your account and region (https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#encryption-by-default).

I suggest you try including the /dev/xvda root device in the BlockDeviceMappings property of the instance and specify the proper encryption setting for it. If that doesn't help, I suggest double-checking which device name is included in the AMI you are using and specifying the encryption setting for it.

Leo K (EXPERT), answered 5 months ago
Reviewed by AWS (EXPERT) 5 months ago
  • 100% correct, /dev/xvda needs to be mapped and encrypted as part of the EBS volumes. It works fine after the changes you recommended. Thanks Leo, much appreciated.
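To make the accepted answer's point concrete, here is an added example (not from the question, the answer, or AWS) that models how the set of EBS volumes for a launch is assembled from the AMI plus the template's BlockDeviceMappings, and then applies the question's SCP condition to that set. The AMI description and the two mapping lists are constructed stand-ins that mirror the question's template; field names follow the DescribeImages and CloudFormation shapes, but the function names, the snapshot id and the simplified inheritance rules are assumptions of this example, and nothing here calls AWS.

```python
"""Pre-launch check for the failure mode above: an AMI-derived root volume that
the template never mentions and that therefore launches unencrypted, which the
DenyUnencryptedEC2Volumes SCP statement then blocks.

Constructed example; the AMI and template data below are stand-ins, not API output.
"""
from typing import Dict, List

# Constructed stand-in for the Amazon Linux 2 AMI (DescribeImages shape):
# a single root EBS volume on /dev/xvda backed by an unencrypted snapshot.
AMI = {
    "RootDeviceName": "/dev/xvda",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda",
         "Ebs": {"SnapshotId": "snap-0123456789example",  # placeholder id
                 "Encrypted": False, "VolumeSize": 8, "VolumeType": "gp2"}},
    ],
}

# The question's instance mapping: only the extra /dev/sdk volume is declared.
TEMPLATE_BEFORE = [
    {"DeviceName": "/dev/sdk",
     "Ebs": {"VolumeSize": 10, "VolumeType": "gp3", "Encrypted": True}},
]

# The change the accepted answer recommends: declare the root device too.
TEMPLATE_AFTER = TEMPLATE_BEFORE + [
    {"DeviceName": "/dev/xvda",
     "Ebs": {"VolumeSize": 10, "VolumeType": "gp3", "Encrypted": True,
             "DeleteOnTermination": True}},
]


def effective_volumes(ami: Dict, template_mappings: List[Dict],
                      encryption_by_default: bool = False) -> Dict[str, bool]:
    """Return {device_name: is_encrypted} for every EBS volume the launch creates.

    Modelled rules (simplified): each EBS mapping in the AMI is inherited unless
    the template overrides the same DeviceName; template-only mappings add new
    volumes; a volume is encrypted if its mapping says so, if its AMI snapshot
    already was, or if the account has EBS encryption by default in that region.
    """
    volumes: Dict[str, bool] = {}
    for m in ami["BlockDeviceMappings"]:
        if "Ebs" in m:  # instance-store mappings create no EBS volume
            volumes[m["DeviceName"]] = bool(m["Ebs"].get("Encrypted", False))
    for m in template_mappings:
        ebs = m.get("Ebs")
        if ebs is None:
            continue
        inherited = volumes.get(m["DeviceName"], False)
        # CloudFormation authors often write Encrypted: 'true' as a string
        declared = str(ebs.get("Encrypted", "false")).lower() == "true"
        volumes[m["DeviceName"]] = inherited or declared
    if encryption_by_default:
        volumes = {name: True for name in volumes}
    return volumes


def unencrypted_devices(ami: Dict, template_mappings: List[Dict],
                        encryption_by_default: bool = False) -> List[str]:
    """Device names that would launch as unencrypted volumes."""
    vols = effective_volumes(ami, template_mappings, encryption_by_default)
    return sorted(name for name, enc in vols.items() if not enc)


def scp_allows_run_instances(ami: Dict, template_mappings: List[Dict],
                             encryption_by_default: bool = False) -> bool:
    """Model the DenyUnencryptedEC2Volumes statement: ec2:RunInstances is denied
    as soon as any volume in the request evaluates ec2:Encrypted to false."""
    return not unencrypted_devices(ami, template_mappings, encryption_by_default)


if __name__ == "__main__":
    for label, mappings in (("before fix", TEMPLATE_BEFORE), ("after fix", TEMPLATE_AFTER)):
        print(f"{label}: unencrypted={unencrypted_devices(AMI, mappings)} "
              f"RunInstances allowed={scp_allows_run_instances(AMI, mappings)}")
```

Running it shows the question's template leaving /dev/xvda unencrypted (so the deny fires) and the corrected mapping leaving nothing unencrypted; passing `encryption_by_default=True` reproduces the other escape hatch the answer mentions, account-level EBS encryption by default.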
