Hi Team, here is the situation:
I have an SCP on my account which blocks "ec2:runInstance" if EBS is not encrypted. Now I am using a CFT where I specifically used an encryption key to encrypt the default root volume while creating the EC2, but it seems I am still not able to launch the EC2 instance, and when I decrypted the error message it says that my SCP (Deny on "ec2:RunInstances") is blocking it. I am wondering why this is happening, though I have created a KMS key and used that for block-level encryption. I am attaching the CFT below. Please let me know if there are any questions.
AWSTemplateFormatVersion: "2010-09-09"
Description: This Template creates an AWS::EC2 resource,
Parameters:
  ImageId:
    Description: An ImageId for Ec2 instance
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
  SubnetId:
    Description: Provide subnet on which ec2 will be launched
    Type: AWS::EC2::Subnet::Id
  VPCId:
    Description: Provide the VPC id on which ec2 will be launched
    Type: AWS::EC2::VPC::Id
Resources:
  Ec2SsmIamRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: inspect-ec2-role
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ec2.amazonaws.com]
            Action: ['sts:AssumeRole']
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  Ec2SsmInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: inspect-ec2-profile
      Path: /
      Roles: [!Ref Ec2SsmIamRole]
  WebServerSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http
      VpcId: !Ref VPCId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: 10.0.0.0/8
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: 10.0.0.0/8
  KMSKeyforEBSencryption:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for EBS encryption
      Enabled: true
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":root" ] ]
            Action: kms:*
            Resource: "*"
  RequiredTagsLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: ec2-template
      LaunchTemplateData:
        MetadataOptions:
          HttpTokens: required
        TagSpecifications:
          - ResourceType: volume
            Tags:
              - Key: UAI
                Value: test
          - ResourceType: instance
            Tags:
              - Key: UAI
                Value: test
  Ec2Private1Instance:
    Type: AWS::EC2::Instance
    Properties:
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          sudo su
          yum update -y
          yum install -y httpd.x86_64
          systemctl start httpd.service
          systemctl enable httpd.service
          echo "Hello! Yes we can talk, from $(hostname -f)" > /var/www/html/index.html
      ImageId: !Ref ImageId
      IamInstanceProfile: !Ref Ec2SsmInstanceProfile
      SecurityGroupIds:
        - !Ref WebServerSecGroup
      InstanceType: t2.micro
      SubnetId: !Ref SubnetId
      LaunchTemplate:
        LaunchTemplateName: ec2-template
        Version: 1
      BlockDeviceMappings:
        # Only the additional data volume is listed here; no mapping is given
        # for the AMI's root device.
        - DeviceName: "/dev/sdk"
          Ebs:
            VolumeSize: '10' #10GB
            VolumeType: gp3
            DeleteOnTermination: true
            Encrypted: 'true'
            # KmsKeyId: !Ref KMSKeyforEBSencryption
      Tags:
        - Key: Name
          Value: core-connectivity-test
=========================================
The SCP I have is as below...
{
  "Sid": "DenyUnencryptedEC2Volumes",
  "Effect": "Deny",
  "Action": "ec2:RunInstances",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  }
},
{
  "Sid": "DenyUnencryptedEBSVolumeCreation",
  "Effect": "Deny",
  "Action": [
    "ec2:CreateVolume",
    "ec2:AttachVolume"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  }
},
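An added model (not part of the original post or the template above) of how the SCP's ec2:Encrypted condition is evaluated on a RunInstances call: the request creates one EBS volume per block device mapping, and the root volume comes from the AMI's own mapping, so a template that only lists /dev/sdk leaves the root volume's encryption state to the AMI snapshot or to account-level EBS encryption by default. The AMI mapping, the root device name /dev/xvda and the sample data are constructed assumptions.

```python
"""Model of the ec2:Encrypted condition on RunInstances: every EBS volume the
launch would create is checked, including the root volume that comes from the
AMI's own block device mapping.  All data below is constructed sample data."""

# Constructed: mapping of an AMI built from an unencrypted snapshot; the root
# device name /dev/xvda is an assumption.
AMI_MAPPINGS = [
    {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotEncrypted": False}},
]

# Mirrors the BlockDeviceMappings in the template above: only /dev/sdk.
TEMPLATE_MAPPINGS = [
    {"DeviceName": "/dev/sdk", "Ebs": {"Encrypted": True, "VolumeSize": 10}},
]


def effective_volumes(ami_mappings, template_mappings, default_encryption=False):
    """Return {device: encrypted?} for every volume RunInstances would create.

    Template mappings override AMI mappings with the same DeviceName.  A volume
    with no explicit Encrypted flag inherits the AMI snapshot's state (an
    encrypted snapshot can never become unencrypted), and account-level EBS
    encryption by default forces every new volume to be encrypted.
    """
    volumes = {}
    for m in ami_mappings:
        volumes[m["DeviceName"]] = bool(m["Ebs"]["SnapshotEncrypted"])
    for m in template_mappings:
        inherited = volumes.get(m["DeviceName"], False)
        volumes[m["DeviceName"]] = inherited or bool(m.get("Ebs", {}).get("Encrypted", False))
    if default_encryption:
        volumes = {dev: True for dev in volumes}
    return volumes


def scp_denies_run_instances(volumes):
    """DenyUnencryptedEC2Volumes: a Deny with Bool ec2:Encrypted=false matches
    the RunInstances request as soon as any volume it creates is unencrypted.
    Returns the offending device names (empty list means the SCP allows it)."""
    return [dev for dev, enc in volumes.items() if not enc]


if __name__ == "__main__":
    vols = effective_volumes(AMI_MAPPINGS, TEMPLATE_MAPPINGS)
    print(vols, "denied because of:", scp_denies_run_instances(vols))
```

Adding a mapping for the root device itself with Encrypted set, or enabling EBS encryption by default for the account, are the two inputs under which the model returns an empty deny list.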
Hi @Siva, yeah, I did that too but it did not help. Wondering what other mistake I am making here.