Amazon EC2 example two
In the following example, an IAM principal running an Amazon EC2 instance creates and mounts a data volume that is encrypted under a KMS key. This action generates multiple CloudTrail log records.
When the volume is created, Amazon EC2, acting on behalf of the customer, gets an encrypted data
key from AWS KMS (GenerateDataKeyWithoutPlaintext). Then it creates a grant
(CreateGrant) that allows it to decrypt the data key. When the volume is mounted,
Amazon EC2 calls AWS KMS to decrypt the data key (Decrypt).
The instanceId of the Amazon EC2 instance, "i-81e2f56c", appears in the
RunInstances event. The same instance ID qualifies the
granteePrincipal of the grant that is created
("111122223333:aws:ec2-infrastructure:i-81e2f56c") and the assumed role that is
the principal in the Decrypt call
("arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-81e2f56c").
The key ARN of the KMS key that protects the data volume,
arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab,
appears in all three AWS KMS calls (CreateGrant,
GenerateDataKeyWithoutPlaintext, and Decrypt).
{ "Records": [ { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-11-05T21:35:27Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "requestParameters": { "instancesSet": { "items": [ { "imageId": "ami-b66ed3de", "minCount": 1, "maxCount": 1 } ] }, "groupSet": { "items": [ { "groupId": "sg-98b6e0f2" } ] }, "instanceType": "m3.medium", "blockDeviceMapping": { "items": [ { "deviceName": "/dev/xvda", "ebs": { "volumeSize": 8, "deleteOnTermination": true, "volumeType": "gp2" } }, { "deviceName": "/dev/sdb", "ebs": { "volumeSize": 8, "deleteOnTermination": false, "volumeType": "gp2", "encrypted": true } } ] }, "monitoring": { "enabled": false }, "disableApiTermination": false, "instanceInitiatedShutdownBehavior": "stop", "clientToken": "XdKUT141516171819", "ebsOptimized": false }, "responseElements": { "reservationId": "r-5ebc9f74", "ownerId": "111122223333", "groupSet": { "items": [ { "groupId": "sg-98b6e0f2", "groupName": "launch-wizard-2" } ] }, "instancesSet": { "items": [ { "instanceId": "i-81e2f56c", "imageId": "ami-b66ed3de", "instanceState": { "code": 0, "name": "pending" }, "amiLaunchIndex": 0, "productCodes": { }, "instanceType": "m3.medium", "launchTime": 1415223328000, "placement": { "availabilityZone": "us-east-1a", "tenancy": "default" }, "monitoring": { "state": "disabled" }, "stateReason": { "code": "pending", "message": "pending" }, "architecture": "x86_64", "rootDeviceType": "ebs", "rootDeviceName": "/dev/xvda", "blockDeviceMapping": { }, "virtualizationType": "hvm", "hypervisor": "xen", "clientToken": "XdKUT1415223327917", "groupSet": { "items": [ { "groupId": "sg-98b6e0f2", "groupName": "launch-wizard-2" } ] }, "networkInterfaceSet": { }, "ebsOptimized": false } ] } }, "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2", "eventID": "cd75a605-2fee-4fda-b847-9c3d330ebaae", "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }, { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-11-05T21:35:35Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "requestParameters": { "constraints": { "encryptionContextSubset": { "aws:ebs:id": "vol-f67bafb2" } }, "granteePrincipal": "111122223333:aws:ec2-infrastructure:i-81e2f56c", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, "responseElements": { "grantId": "abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514a" }, "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2", "eventID": "c1ad79e3-0d3f-402a-b119-d5c31d7c6a6c", "readOnly": false, "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }, { "eventVersion": "1.02", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-11-05T21:35:32Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKeyWithoutPlaintext", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "requestParameters": { "encryptionContext": { "aws:ebs:id": "vol-f67bafb2" }, "numberOfBytes": 64, "keyId": "alias/aws/ebs" }, "responseElements": null, "requestID": "create-111122223333-758247346-1415223332", "eventID": "ac3cab10-ce93-4953-9d62-0b6e5cba651d", "readOnly": true, "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }, { "eventVersion": "1.02", "userIdentity": { "type": "AssumedRole", "principalId": "111122223333:aws:ec2-infrastructure:i-81e2f56c", "arn": "arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-81e2f56c", "accountId": "111122223333", "accessKeyId": "", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2014-11-05T21:35:38Z" }, "sessionIssuer": { "type": "Role", "principalId": "111122223333:aws:ec2-infrastructure", "arn": "arn:aws:iam::111122223333:role/aws:ec2-infrastructure", "accountId": "111122223333", "userName": "aws:ec2-infrastructure" } } }, "eventTime": "2014-11-05T21:35:47Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "requestParameters": { "encryptionContext": { "aws:ebs:id": "vol-f67bafb2" } }, "responseElements": null, "requestID": "b4b27883-6533-11e4-b4d9-751f1761e9e5", "eventID": "edb65380-0a3e-4123-bbc8-3d1b7cff49b0", "readOnly": true, "resources": [ { "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "accountId": "111122223333" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" } ] }
