Disk encryption with a custom KMS Key - Amazon ParallelCluster
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Disk encryption with a custom KMS Key

Amazon ParallelCluster supports the configuration options ebs_kms_key_id and fsx_kms_key_id. These options allow you to provide a custom Amazon KMS key for Amazon EBS Disk encryption or FSx for Lustre. To use them, you specify an ec2_iam_role.

In order for the cluster to create, the Amazon KMS key must know the name of the cluster's role. This prevents you from using the role created on cluster create, requiring a custom ec2_iam_role.


Creating the role

First you create a policy:

  1. Go to the IAM Console: https://console.amazonaws.cn/iam/home.

  2. Under Policies, Create policy, click the JSON tab.

  3. As the policy's body, paste in the Instance Policy. Make sure to replace all occurrences of <Amazon ACCOUNT ID> and <REGION>.

  4. Name the policy ParallelClusterInstancePolicy, and then click Create Policy.

Next create a role:

  1. Under Roles, create a role.

  2. Click EC2 as the trusted entity.

  3. Under Permissions, search for the ParallelClusterInstancePolicy role that you just created, and attach it.

  4. Name the role ParallelClusterInstanceRole, and then click Create Role.

Give your key permissions

In the Amazon KMS Console > Customer managed keys > click your key's Alias or Key ID.

Click the Add button in the Key users box, underneath the Key policy tab, and search for the ParallelClusterInstanceRole you just created. Attach it.

Creating the cluster

Now create a cluster. The following is an example of a cluster with encrypted Raid 0 drives:

[cluster default] ... raid_settings = rs ec2_iam_role = ParallelClusterInstanceRole [raid rs] shared_dir = raid raid_type = 0 num_of_raid_volumes = 2 volume_size = 100 encrypted = true ebs_kms_key_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

The following is an example with the FSx for Lustre file system:

[cluster default] ... fsx_settings = fs ec2_iam_role = ParallelClusterInstanceRole [fsx fs] shared_dir = /fsx storage_capacity = 3600 imported_file_chunk_size = 1024 export_path = s3://bucket/folder import_path = s3://bucket weekly_maintenance_start_time = 1:00:00 fsx_kms_key_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Similar configurations apply to Amazon EBS and Amazon FSx based file systems.