Encrypt data stored in Amazon EBS volumes for Amazon ECS - Amazon Elastic Container Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encrypt data stored in Amazon EBS volumes for Amazon ECS

You can use Amazon Key Management Service (Amazon KMS) to create and manage the cryptographic keys that protect your data. Amazon EBS volumes are encrypted at rest by using Amazon KMS keys. When a volume is encrypted, the following data is protected:

  • Data stored at rest on the volume

  • Data moving between the volume and the instance (disk I/O)

  • Snapshots created from the volume

  • New volumes created from snapshots

You can configure Amazon EBS encryption by default so that all new volumes created and attached to a task are encrypted by using the KMS key that you configure for your account. For more information about Amazon EBS encryption and encryption by default, see Amazon EBS encryption in the Amazon EC2 User Guide.

Amazon EBS volumes that are attached to tasks can be encrypted by using either a default Amazon managed key with the alias alias/aws/ebs, or a symmetric customer managed key. Default Amazon managed keys are unique to each Amazon Web Services account per Amazon Web Services Region and are created automatically. To create a symmetric customer managed key, follow the steps in Creating symmetric encryption KMS keys in the Amazon KMS Developer Guide.

Customer managed KMS key policy

To encrypt an EBS volume that's attached to your task by using your customer managed key, you must configure the key policy of that KMS key so that the IAM role you use for volume configuration (the ECS infrastructure role) has permission to use the key. The key policy must grant that role the kms:CreateGrant and kms:GenerateDataKey* permissions. The kms:ReEncryptTo and kms:ReEncryptFrom permissions are additionally required when volumes are created from snapshots, because the snapshot's data key must be re-encrypted under the key of the new volume. If you only configure new, empty volumes for attachment, you can omit kms:ReEncryptTo and kms:ReEncryptFrom.

The following JSON snippet shows key policy statements that you can add to your KMS key policy. These statements allow ECS, acting through the infrastructure role, to use the key to encrypt EBS volumes. To use the example statements, replace the user input placeholders (the account ID 111122223333 and aws_account_id, the role name ecsInfrastructureRole, and region) with your own information. The kms:ViaService value must be the EC2 endpoint host name for the Region in which the volume is created; in the China Regions that host name ends in amazonaws.com.cn (for example, ec2.cn-north-1.amazonaws.com.cn). The kms:ViaService and kms:EncryptionContextKeys conditions restrict the role to using the key only through EC2 and only for EBS volumes, and kms:GrantIsForAWSResource restricts grant creation to grants made on behalf of an Amazon Web Services service. As always, only configure the permissions that you need.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws-cn:iam::111122223333:role/ecsInfrastructureRole"
  },
  "Action": "kms:DescribeKey",
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws-cn:iam::111122223333:role/ecsInfrastructureRole"
  },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:ReEncryptTo",
    "kms:ReEncryptFrom"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:CallerAccount": "aws_account_id",
      "kms:ViaService": "ec2.region.amazonaws.com"
    },
    "ForAnyValue:StringEquals": {
      "kms:EncryptionContextKeys": "aws:ebs:id"
    }
  }
},
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws-cn:iam::111122223333:role/ecsInfrastructureRole"
  },
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:CallerAccount": "aws_account_id",
      "kms:ViaService": "ec2.region.amazonaws.com"
    },
    "ForAnyValue:StringEquals": {
      "kms:EncryptionContextKeys": "aws:ebs:id"
    },
    "Bool": {
      "kms:GrantIsForAWSResource": true
    }
  }
}
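The following Python script is an added example and is not code from the ECS documentation. It generates the three statements above for a given account, Region and role, and audits an existing key policy document to report which of the actions the ECS infrastructure role needs are not granted, and which key-use statements are not pinned to EC2 with kms:ViaService. The account ID 111122223333, Region cn-north-1 and role name ecsInfrastructureRole are placeholders; the mapping from partition to the EC2 endpoint domain used for kms:ViaService (amazonaws.com.cn in the China partition) is an assumption that you should confirm against your Region's EC2 endpoint.

```python
"""Build and audit KMS key policy statements for ECS-managed EBS volumes.

Added example, not code from the ECS documentation. Account ID, Region,
role name and the partition-to-endpoint-domain mapping are assumptions.
"""
import fnmatch
import json

# Actions the documentation names as required for the infrastructure role.
# The ReEncrypt pair is only needed when volumes are created from snapshots.
BASE_ACTIONS = ("kms:DescribeKey", "kms:GenerateDataKey", "kms:CreateGrant")
SNAPSHOT_ACTIONS = ("kms:ReEncryptTo", "kms:ReEncryptFrom")
KEY_USE_ACTIONS = ("kms:GenerateDataKey", "kms:CreateGrant") + SNAPSHOT_ACTIONS


def ebs_key_policy_statements(account_id, region, role_name,
                              partition="aws-cn", allow_snapshot_sources=True):
    """Return the documented statements filled in for one infrastructure role."""
    role_arn = f"arn:{partition}:iam::{account_id}:role/{role_name}"
    # kms:ViaService takes the EC2 endpoint host name for the Region.
    # Assumption: China partition endpoints end in amazonaws.com.cn.
    domain = "amazonaws.com.cn" if partition == "aws-cn" else "amazonaws.com"
    via_ec2 = {
        "StringEquals": {
            "kms:CallerAccount": account_id,
            "kms:ViaService": f"ec2.{region}.{domain}",
        },
        # Only requests whose encryption context carries an EBS volume ID.
        "ForAnyValue:StringEquals": {"kms:EncryptionContextKeys": "aws:ebs:id"},
    }
    data_key_actions = ["kms:GenerateDataKey*"]
    if allow_snapshot_sources:
        data_key_actions += list(SNAPSHOT_ACTIONS)
    return [
        {"Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": "kms:DescribeKey", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": data_key_actions, "Resource": "*", "Condition": via_ec2},
        {"Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": "kms:CreateGrant", "Resource": "*",
         # Grants may only be created on behalf of an AWS service (EC2).
         "Condition": {**via_ec2, "Bool": {"kms:GrantIsForAWSResource": True}}},
    ]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, role_arn):
    """True if the statement's Principal names the role (or is a wildcard)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return role_arn in _as_list(principal.get("AWS", []))
    return False


def _role_allow_statements(key_policy, role_arn):
    for index, stmt in enumerate(key_policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_matches(stmt.get("Principal"), role_arn):
            yield index, stmt


def missing_actions(key_policy, role_arn, needs_snapshot_sources=True):
    """Required actions that no Allow statement grants the role.

    Action wildcards such as kms:GenerateDataKey* or kms:* are honoured.
    Conditions are not evaluated here; see unscoped_statements() for the
    least-privilege check on kms:ViaService.
    """
    required = list(BASE_ACTIONS)
    if needs_snapshot_sources:
        required += list(SNAPSHOT_ACTIONS)
    granted = set()
    for _, stmt in _role_allow_statements(key_policy, role_arn):
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in required if fnmatch.fnmatchcase(a, pattern))
    return [a for a in required if a not in granted]


def unscoped_statements(key_policy, role_arn):
    """Indexes of the role's Allow statements that grant a key-use action
    without a kms:ViaService condition, i.e. usable outside EC2."""
    flagged = []
    for index, stmt in _role_allow_statements(key_policy, role_arn):
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(a, p) for a in KEY_USE_ACTIONS for p in patterns):
            continue
        if "kms:ViaService" not in stmt.get("Condition", {}).get("StringEquals", {}):
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    # Placeholder account, Region and role; replace with your own values.
    statements = ebs_key_policy_statements("111122223333", "cn-north-1", "ecsInfrastructureRole")
    policy = {"Version": "2012-10-17", "Statement": statements}
    role = "arn:aws-cn:iam::111122223333:role/ecsInfrastructureRole"
    print(json.dumps(policy, indent=2))
    print("missing:", missing_actions(policy, role))
    print("unscoped:", unscoped_statements(policy, role))
```

Run the audit against the full key policy you retrieve from KMS (for example, the output of `aws kms get-key-policy --policy-name default`) before attaching a volume: an empty `missing` list for the role means the documented actions are present, and a non-empty `unscoped` list points at statements that grant key use beyond the EC2-via-EBS path the documented conditions intend.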

For more information about key policies and permissions, see Key policies in Amazon KMS and Amazon KMS permissions in the Amazon KMS Developer Guide. For troubleshooting EBS volume attachment issues related to key permissions, see Troubleshooting Amazon EBS volume attachments to Amazon ECS tasks.