By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Noob question about KMS and EC2

0

Why my EC2 instances are able to start, using an encrypted root volume (with a CMK), if the EC2 instance does not have any role attached?

  • I created an EC2 instance, and stop it
  • I created a snapshot from the root volume
  • Then I created a new encrypted volume from the snapshot, using a CMK which only allows one specific role for cryptographic operations
  • Then I detached the unencrypted volume, and attached the encrypted volume as root for the EC2 instance (xvda)
  • After starting again the EC2, everything worked fine, why?

Thanks.

Topics
Security, Identity, & ComplianceCompute
Tags
AWS Key Management ServiceAmazon EC2
Language
English
GusaGusa27
asked a year ago211 views
2 Answers
1

From How EBS encryption works when the snapshot is encrypted

When you attach the encrypted volume to an instance, Amazon EC2 sends a CreateGrant request to AWS KMS so that it can decrypt the data key.
profile pictureAWS
EXPERT
kentrad
answered a year ago
0

You are invoking "StartInstances" API with your IAM user or Role which has enough privileges on KMS which is the reason EC2 instance is starting all the time with encrypted volumes. If your user ID or Role does not have access to KMS then Ec2 instance will not launch and Ec2 running status will change from Pending to Stopped state every time after starting instance.

AWS
Ajay
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content