Requirements for Amazon EBS encryption
Before you begin, verify that the following requirements are met.
Requirements
Supported volume types
Encryption is supported by all EBS volume types. You can expect the same IOPS performance on encrypted volumes as on unencrypted volumes, with a minimal effect on latency. You can access encrypted volumes the same way that you access unencrypted volumes. Encryption and decryption are handled transparently, and they require no additional action from you or your applications.
Supported instance types
Amazon EBS encryption is available on all current generation and previous generation instance types.
Permissions for users
When you use a KMS key for EBS encryption, the KMS key policy allows any user with access to the required Amazon KMS actions to use this KMS key to encrypt or decrypt EBS resources. You must grant users permission to call the following actions in order to use EBS encryption:
-
kms:CreateGrant -
kms:Decrypt -
kms:DescribeKey -
kms:GenerateDataKeyWithoutPlainText -
kms:ReEncrypt
Tip
To follow the principle of least privilege, do not allow full access to kms:CreateGrant.
Instead, use the kms:GrantIsForAWSResource condition key to allow the user to create grants
on the KMS key only when the grant is created on the user's behalf by an Amazon service, as shown in
the following example.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": [ "arn:aws-cn:kms:us-west-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef" ], "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } } ] }
For more information, see Allows access to the Amazon account and enables IAM policies in the Default key policy section in the Amazon Key Management Service Developer Guide.
Permissions for instances
When an instance attempts to interact with an encrypted AMI, volume, or snapshot, a KMS key grant is issued to the instance's identity-only role. The identity-only role is an IAM role that is used by the instance to interact with encrypted AMIs, volumes, or snapshots on your behalf.
Identity-only roles do not need to be manually created or deleted, and they have no policies associated with them. Additionally, you can't access the identity-only role credentials.
Note
Identity-only roles are not used by applications on your instance to access other Amazon KMS encrypted resources, such as Amazon S3 objects or Dynamo DB tables. These operations are done using the credentials of an Amazon EC2 instance role, or other Amazon credentials that you have configured on your instance.
Identity-only roles are subject to service control policies (SCPs), and KMS key policies. If an SCP or KMS key denies the identity-only role access to a KMS key, you may fail to launch EC2 instances with encrypted volumes, or using encrypted AMIs or snapshots.
If you are creating an SCP or key policy that denies access based on network location using
the aws:SourceIp, aws:VpcSourceIp, aws:SourceVpc, or
aws:SourceVpce Amazon global condition keys, then you must ensure that these policy
statements do not apply to instance-only roles. For example policies, see
Data
Perimeter Policy Examples
Identity-only role ARNs use the following format:
arn:aws-partition:iam::account_id:role/aws:ec2-infrastructure/instance_id
When a key grant is issued to an instance, the key grant is issued to the assumed-role session specific to that instance. The grantee principal ARN uses the following format:
arn:aws-partition:sts::account_id:assumed-role/aws:ec2-infrastructure/instance_id