
As a requirement I need to have all my EBS volumes encrypted with a customer KMS key (and not the default aws/ebs one).

In the LaunchConfig's BlockDeviceMappings properties I do see a property "Encrypted", but I do not see any way of specifying a custom KMS key. I see a snapshotId property which could allow me to point to an encrypted snapshot, but how will this behave? Will each box that spins up create an empty volume from that snapshot?

What is the best way to achieve this? Is my only option to create the volume in the user-data and attach it there?

Johny19

1 Answer


AWS AutoScaling groups do not support specifying alternate KMS keys when EC2 instances are launched.

When you run an EC2 instance via ec2:RunInstances, ec2:RequestSpotFleet, or ec2:RequestSpotInstances, you can specify an alternate KMS key to use to encrypt the EBS volumes. When this KMS key is omitted, the KMS key used to encrypt the EBS snapshot is used instead.

However, Auto Scaling launch configurations do not support the KMS key specification. So it's not possible to use an alternative KMS key when launching Auto Scaling groups. The KMS key used to encrypt the snapshots will always be used.

Source: https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_Ebs.html

Matt Houser
  • Yes, this is sadly what I thought. I'm gonna try to create volumes in the user-data, wait for completion and attach the volume in there – Johny19 Feb 01 '18 at 23:06
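Whichever workaround is used (a snapshot encrypted with the customer key, or volumes created in user-data), the requirement from the question is only met if every volume actually ends up under the customer-managed key. The following audit is an added example, not code from either poster: it takes the Volumes list in the shape of an EC2 DescribeVolumes response (constructed sample below, placeholder key ARNs) and flags volumes that are unencrypted or encrypted with any key other than an approved customer-managed KMS key, which is how a volume silently encrypted with the default aws/ebs key shows up.

```python
"""Audit EBS volumes against a set of approved customer-managed KMS keys."""
from typing import Iterable

# Assumed for the example: the customer-managed key ARN(s) the requirement
# allows. These are placeholder ARNs, not real keys.
APPROVED_KEY_ARNS = {
    "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-00000000cmk1",
}

# Constructed sample in the shape of DescribeVolumes()["Volumes"]:
# one compliant volume, one encrypted with the account's default aws/ebs key,
# and one unencrypted volume such as a launch configuration may produce.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-00000000cmk1"},
    {"VolumeId": "vol-0b2", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-0000default1"},
    {"VolumeId": "vol-0c3", "Encrypted": False},
]


def audit_volumes(volumes: Iterable[dict], approved: set) -> list:
    """Return one finding per non-compliant volume.

    A volume is compliant only if Encrypted is true AND KmsKeyId is one of the
    approved customer-managed key ARNs. The AWS-managed aws/ebs key is treated
    like any other unapproved key, because the requirement names a specific CMK.
    """
    findings = []
    for vol in volumes:
        vol_id = vol.get("VolumeId", "<unknown>")
        if not vol.get("Encrypted", False):
            findings.append({"VolumeId": vol_id, "Reason": "unencrypted"})
            continue
        key = vol.get("KmsKeyId")
        if key not in approved:
            findings.append({"VolumeId": vol_id, "Reason": "wrong-key", "KmsKeyId": key})
    return findings


def is_compliant(volumes: Iterable[dict], approved: set) -> bool:
    """True only when no volume violates the customer-key requirement."""
    return not audit_volumes(volumes, approved)


if __name__ == "__main__":
    for finding in audit_volumes(SAMPLE_VOLUMES, APPROVED_KEY_ARNS):
        print(finding)
```

Against a live account the same function can be fed `boto3.client("ec2").describe_volumes()["Volumes"]`; the two findings printed for the sample are the default-key volume and the unencrypted one.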