Configuring shared storage encryption with an Amazon KMS key - Amazon ParallelCluster
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configuring shared storage encryption with an Amazon KMS key

Learn how to set up a customer managed Amazon KMS key to encrypt and protect your data in the cluster file storage systems that are configured for Amazon ParallelCluster.

When using the Amazon ParallelCluster command line interface (CLI) or API, you only pay for the Amazon resources that are created when you create or update Amazon ParallelCluster images and clusters. For more information, see Amazon services used by Amazon ParallelCluster.

The Amazon ParallelCluster UI is built on a serverless architecture and you can use it within the Amazon Free Tier category for most cases. For more information, see Amazon ParallelCluster UI costs.

Amazon ParallelCluster supports the following shared storage configuration options:

You can use these options to provide a customer managed Amazon KMS key for Amazon EBS, Amazon EFS, and FSx for Lustre shared storage system encryption. To use them, you must create and configure an IAM policy for the following:

Prerequisites

Create the policy

Create a policy.
  1. Go to the IAM Console: https://console.amazonaws.cn/iam/home.

  2. Choose Policies.

  3. Choose Create policy.

  4. Choose the JSON tab and paste in the following policy. Make sure to replace all occurrences of 123456789012 with your Amazon Web Services account ID and the key Amazon Resource Name (ARN) and Amazon Web Services Region with that of your own.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:DescribeKey",
            "kms:ReEncrypt*",
            "kms:CreateGrant",
            "kms:Decrypt"
          ],
          "Resource": [
            "arn:aws:kms:region-id:123456789012:key/abcd1234-ef56-gh78-ij90-abcd1234efgh5678"
          ]
        }
      ]
    }
  5. For this tutorial, name the policy ParallelClusterKmsPolicy, and then choose Create Policy.

  6. Make a note of the policy ARN. You need it to configure your cluster.
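The policy above grants four KMS actions on one specific key, which is what lets the cluster's instance roles use the key without administering it. The following Python is an added example, not part of the Amazon ParallelCluster documentation or tooling: it fills the placeholders (partition, Region, account ID and key ID, all of which are assumed inputs) into the page's policy document and then audits a policy document for the two ways it commonly drifts from that scope, a wildcard resource or actions beyond the documented set. The sample key ID is constructed; use your own key's ID.

```python
import json
import re

# The four KMS permissions the page's ParallelClusterKmsPolicy grants.
KMS_ACTIONS = ["kms:DescribeKey", "kms:ReEncrypt*", "kms:CreateGrant", "kms:Decrypt"]

# Shape of a KMS key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<key id>.
# "aws-cn" is the partition used by the China Regions, "aws" elsewhere.
KEY_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$"
)


def key_arn(partition, region, account_id, key_id):
    """Assemble the key ARN and reject obviously malformed inputs."""
    arn = f"arn:{partition}:kms:{region}:{account_id}:key/{key_id}"
    if not KEY_ARN_RE.match(arn):
        raise ValueError(f"malformed KMS key ARN: {arn}")
    return arn


def build_kms_policy(partition, region, account_id, key_id):
    """Return the page's policy document with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": list(KMS_ACTIONS),
                "Resource": [key_arn(partition, region, account_id, key_id)],
            }
        ],
    }


def audit_kms_policy(policy):
    """Return a list of findings; an empty list means the policy stays in scope.

    Checks every Allow statement: resources must be specific KMS key ARNs
    (never "*"), and actions must be within the documented set (so "kms:*"
    or key-administration actions are reported).
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        if isinstance(actions, str):
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            if action not in KMS_ACTIONS:
                findings.append(f"statement {idx}: action {action!r} is outside the documented set")
        for resource in resources:
            if not KEY_ARN_RE.match(resource):
                findings.append(f"statement {idx}: resource {resource!r} is not a specific KMS key ARN")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your own account, Region and key.
    policy = build_kms_policy("aws", "eu-west-1", "123456789012",
                              "11111111-2222-3333-4444-555555555555")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_kms_policy(policy))
```

Paste the printed document into the JSON tab of the policy editor in step 4; run `audit_kms_policy` over any policy you later edit by hand to confirm it still names a single key and nothing beyond the four actions.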

Configure and create the cluster

The following is an example cluster configuration that includes an Amazon Elastic Block Store shared file system with encryption.

Region: eu-west-1
Image:
  Os: alinux2
HeadNode:
  InstanceType: t2.micro
  Networking:
    SubnetId: subnet-abcdef01234567890
  Ssh:
    KeyName: my-ssh-key
  Iam:
    AdditionalIamPolicies:
      - Policy: arn:aws:iam::123456789012:policy/ParallelClusterKmsPolicy
Scheduling:
  Scheduler: slurm
  SlurmQueues:
    - Name: q1
      ComputeResources:
        - Name: t2micro
          InstanceType: t2.micro
          MinCount: 0
          MaxCount: 10
      Networking:
        SubnetIds:
          - subnet-abcdef01234567890
      Iam:
        AdditionalIamPolicies:
          - Policy: arn:aws:iam::123456789012:policy/ParallelClusterKmsPolicy
SharedStorage:
  - MountDir: /shared/ebs1
    Name: shared-ebs1
    StorageType: Ebs
    EbsSettings:
      Encrypted: True
      KmsKeyId: abcd1234-ef56-gh78-ij90-abcd1234efgh5678

Replace the placeholder values (Region, subnet ID, SSH key name, account ID in the policy ARN, and the KmsKeyId) with your own. Then, create a cluster that uses your Amazon KMS key to encrypt your data in Amazon EBS.

The configuration is similar for Amazon EFS and FSx for Lustre file systems.

The Amazon EFS SharedStorage configuration is as follows.

...
SharedStorage:
  - MountDir: /shared/efs1
    Name: shared-efs1
    StorageType: Efs
    EfsSettings:
      Encrypted: True
      KmsKeyId: abcd1234-ef56-gh78-ij90-abcd1234efgh5678

The FSx for Lustre SharedStorage configuration is as follows.

...
SharedStorage:
  - MountDir: /shared/fsx1
    Name: shared-fsx1
    StorageType: FsxLustre
    FsxLustreSettings:
      StorageCapacity: 1200
      DeploymentType: PERSISTENT_1
      PerUnitStorageThroughput: 200
      KmsKeyId: abcd1234-ef56-gh78-ij90-abcd1234efgh5678
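Across the three storage types the configuration has two things to get right: each SharedStorage entry names the customer managed key (and, for EBS and EFS, sets Encrypted: True), and the ParallelClusterKmsPolicy is attached both to the head node and to every queue, since compute nodes mount the storage too. The following Python is an added example, not part of the Amazon ParallelCluster documentation or CLI: it holds a constructed dict equivalent to the page's cluster configuration (the YAML already parsed, so no YAML library is needed) with the EBS, EFS and FSx for Lustre entries side by side, and audits it for those two conditions before the cluster is created. The key ID and policy ARN are the page's placeholders.

```python
# Constructed, parsed form of the page's cluster configuration (the YAML as a
# Python dict), extended with the EFS and FSx for Lustre entries from the page.
KEY_ID = "abcd1234-ef56-gh78-ij90-abcd1234efgh5678"  # placeholder key ID from the page
POLICY_ARN = "arn:aws:iam::123456789012:policy/ParallelClusterKmsPolicy"

CLUSTER_CONFIG = {
    "Region": "eu-west-1",
    "HeadNode": {
        "InstanceType": "t2.micro",
        "Iam": {"AdditionalIamPolicies": [{"Policy": POLICY_ARN}]},
    },
    "Scheduling": {
        "Scheduler": "slurm",
        "SlurmQueues": [
            {"Name": "q1", "Iam": {"AdditionalIamPolicies": [{"Policy": POLICY_ARN}]}},
        ],
    },
    "SharedStorage": [
        {"MountDir": "/shared/ebs1", "Name": "shared-ebs1", "StorageType": "Ebs",
         "EbsSettings": {"Encrypted": True, "KmsKeyId": KEY_ID}},
        {"MountDir": "/shared/efs1", "Name": "shared-efs1", "StorageType": "Efs",
         "EfsSettings": {"Encrypted": True, "KmsKeyId": KEY_ID}},
        {"MountDir": "/shared/fsx1", "Name": "shared-fsx1", "StorageType": "FsxLustre",
         "FsxLustreSettings": {"StorageCapacity": 1200, "DeploymentType": "PERSISTENT_1",
                               "PerUnitStorageThroughput": 200, "KmsKeyId": KEY_ID}},
    ],
}

# Which settings section carries KmsKeyId for each StorageType on the page.
SETTINGS_KEY = {"Ebs": "EbsSettings", "Efs": "EfsSettings", "FsxLustre": "FsxLustreSettings"}


def audit_shared_storage(config, expected_key_id):
    """Return findings for SharedStorage entries not encrypted with the expected key."""
    findings = []
    for entry in config.get("SharedStorage", []):
        name = entry.get("Name", "<unnamed>")
        stype = entry.get("StorageType")
        if stype not in SETTINGS_KEY:
            findings.append(f"{name}: unknown StorageType {stype!r}")
            continue
        settings = entry.get(SETTINGS_KEY[stype], {})
        # The page sets Encrypted: True explicitly for EBS and EFS; FSx for Lustre
        # carries only KmsKeyId, so it is not checked for an Encrypted flag here.
        if stype in ("Ebs", "Efs") and settings.get("Encrypted") is not True:
            findings.append(f"{name}: Encrypted is not True")
        actual = settings.get("KmsKeyId")
        if actual != expected_key_id:
            findings.append(f"{name}: KmsKeyId is {actual!r}, expected {expected_key_id!r}")
    return findings


def audit_policy_attachment(config, policy_arn):
    """Return the roles (head node and each Slurm queue) missing the KMS policy."""
    def has_policy(iam):
        policies = (iam or {}).get("AdditionalIamPolicies", [])
        return any(p.get("Policy") == policy_arn for p in policies)

    missing = []
    if not has_policy(config.get("HeadNode", {}).get("Iam")):
        missing.append("HeadNode")
    for queue in config.get("Scheduling", {}).get("SlurmQueues", []):
        if not has_policy(queue.get("Iam")):
            missing.append(f"SlurmQueues/{queue.get('Name', '<unnamed>')}")
    return missing


if __name__ == "__main__":
    print("storage findings:", audit_shared_storage(CLUSTER_CONFIG, KEY_ID))
    print("roles missing policy:", audit_policy_attachment(CLUSTER_CONFIG, POLICY_ARN))
```

Both functions return empty lists for the page's configuration. A queue added later without its own Iam.AdditionalIamPolicies entry shows up in `audit_policy_attachment`, which is the usual cause of compute nodes failing to mount storage that the head node mounts fine.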