Aws-cdk: Encrypted EBS volumes for EC2 instances
Support encrypted EBS volumes for EC2 instances.
Use Case
We are using the CDK to generate EC2 fleets with EBS volumes that will contain customer sensitive information. We want customers to be able to use AMIs that we make available; the way to have a public AMI launch an encrypted instance is through this new EBS functionality.
Proposed Solution
I think that the option is via AWS::EC2::Instance → BlockDeviceMappings→ebs→ Encrypted/KmsKeyId, or
AWS::EC2::LaunchTempate→BlockDeviceMappings..., or
AWS::EC2::SpotFleet→ BlockDeviceMappings...
There does not appear to be a way to specify information that would feed into the BlockDeviceMapping in the L2 ec2.Instance construct
Other
Details: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
- [ ] :wave: I may be able to implement this feature request
- [ ] :warning: This feature might incur a breaking change
This is a :rocket: Feature Request
ccfife
All 10 comments
Indeed, It'll be good to create EbsVolumes and be able to set a CMK (Alias/Key).
Actually I have to create a "ec2.CfnLaunchTemplate" to do that.
Cloudrage
on 20 Apr 2020
Any news about adding encryption & use of CMK in BlockDeviceVolume of an aws-autoscaling for example ?
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-autoscaling.BlockDeviceVolume.html
Cloudrage
on 18 May 2020
Any news about adding encryption & use of CMK in BlockDeviceVolume of an aws-autoscaling for example ?
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-autoscaling.BlockDeviceVolume.html
@Cloudrage The API in the docs you reference are eventually used to create a LaunchConfiguration for the AutoScalingGroup, unfortunately, LaunchConfiguration doesn't support this property:
It is however supported in LaunchTemplate: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-blockdevicemapping-ebs.html
but aws-autoscaling still doesn't support LaunchTemplates.
There is an outstanding PR to add LaunchTemplate support though, so once its merged I believe this functionality will be available as well.
iliapolo
on 15 Jun 2020
That's the deal, I'm requesting/waiting for those 2 supports :
- LaunchTemplates
Encryptionprop for BlockDeviceVolume
Keep waiting...
Cloudrage
on 2 Jul 2020
The ability to add CMK to BlockDeviceVolume is much needed. I can specify a CMK while creating EC2 via AWS Console. Just need the same ability in CDK.
shuvabrata
on 17 Jul 2020
Is there any progress on this?
lpipiska
on 16 Dec 2020
FWIW, you can use the AWS-Managed key by setting the corresponding property in EbsDeviceOptions:
blockDevices: [
{
deviceName: '/dev/xvda',
mappingEnabled: true,
volume: ec2.BlockDeviceVolume.ebs(30, {
deleteOnTermination: true,
volumeType: ec2.EbsDeviceVolumeType.GP2,
encrypted: true
})
}
]
shamelesscookie
on 16 Dec 2020
FWIW, you can use the AWS-Managed key by setting the corresponding property in
EbsDeviceOptions:blockDevices: [ { deviceName: '/dev/xvda', mappingEnabled: true, volume: ec2.BlockDeviceVolume.ebs(30, { deleteOnTermination: true, volumeType: ec2.EbsDeviceVolumeType.GP2, encrypted: true }) } ]
Thanks for quick reply but how can I use my own KMS key (CMK) for encryption? I do not seem to have any option here?
lpipiska
on 16 Dec 2020
FWIW, you can use the AWS-Managed key by setting the corresponding property in
EbsDeviceOptions:blockDevices: [ { deviceName: '/dev/xvda', mappingEnabled: true, volume: ec2.BlockDeviceVolume.ebs(30, { deleteOnTermination: true, volumeType: ec2.EbsDeviceVolumeType.GP2, encrypted: true }) } ]Thanks for quick reply but how can I use my own KMS key (CMK) for encryption? I do not seem to have any option here?
Building on top of what @shamelesscookie pointed out, as this creates a good foundation in the underlying CloudFormation template, in Java CDK (and probably other languages) you can utilize the concept of IAspect & CfnResource to override/extended provided implementation, and in this case encrypt the root device using CMK.
Conceptually what you basically have to do is the following:
- Make accessible the KmsKeyId you want to use from your Stack (if you are creating one as part of the Stack), or just pass the input if the key already exists.
- In the
visit(IConstruct node)method of the aspect implementation class you can do something like:
if (node != null && node instanceof Instance) {
CfnResource cfnResource = (CfnResource) node.getNode().findChild("Resource");
cfnResource.addPropertyOverride("BlockDeviceMappings.0.Ebs.KmsKeyId", this.kmsKeyId);
}
- In the App class of your CDK, add this after your instantiating both your stack and encryption aspect
Aspects.of(myStack).add(encryptionAspectClass);
This will encrypt your root device volume with the CMK, and every other volume you can provision using the Volume construct which does take custom encryption key. The concept of overriding properties in form of Escape Hatches is also explained here. You can check it out for more details. Hope it helps.
hgrgic
on 16 Dec 2020
I think the PR is up for grabs since it wasn't updated for a long time by the original contributor.
iliapolo
on 18 Dec 2020
Related issues
abelmokadem
·
3Comments
NukaCody
·
3Comments
pepastach
·
3Comments
Kent1
·
3Comments
kawamoto
·
3Comments
Most helpful comment
Building on top of what @shamelesscookie pointed out, as this creates a good foundation in the underlying CloudFormation template, in Java CDK (and probably other languages) you can utilize the concept of
IAspect&CfnResourceto override/extended provided implementation, and in this case encrypt the root device using CMK.Conceptually what you basically have to do is the following:
visit(IConstruct node)method of the aspect implementation class you can do something like:Aspects.of(myStack).add(encryptionAspectClass);This will encrypt your root device volume with the CMK, and every other volume you can provision using the
Volumeconstruct which does take custom encryption key. The concept of overriding properties in form of Escape Hatches is also explained here. You can check it out for more details. Hope it helps.