Security - Instance Scheduler on AWS

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared responsibility model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.

AWS KMS

The solution creates a customer managed AWS KMS key, which is used to configure server-side encryption for the SNS topic and the DynamoDB tables.

Amazon IAM

The solution's Lambda functions require permissions to access hub account resources: get and put Systems Manager parameters, write to CloudWatch log groups, encrypt and decrypt with the AWS KMS key, and publish messages to SNS. In addition, Instance Scheduler on AWS creates scheduling roles in all managed accounts that grant access to start and stop EC2, RDS, Auto Scaling, and DB instance resources, modify instance attributes, and update tags on those resources. All of the permissions the Lambda functions need are attached to the Lambda service role created as part of the solution template.

On deployment, Instance Scheduler on AWS creates scoped-down IAM roles for each of its Lambda functions, along with scheduling roles that can be assumed only by the specific scheduling Lambda functions in the deployed hub template. These scheduling roles have names following the pattern {namespace}-Scheduler-Role and {namespace}-ASG-Scheduling-Role.

For detailed information about the permissions granted to each service role, refer to the CloudFormation templates.

Encrypted EC2 EBS Volumes

When scheduling EC2 instances with attached EBS volumes that are encrypted with an AWS KMS key, you must grant Instance Scheduler on AWS permission to use the associated KMS key(s). This allows Amazon EC2 to create the grant it needs to decrypt the attached EBS volumes when the instance is started. The permission must be granted to the scheduling role in the same account as the EC2 instance(s) that use the key.

To grant permission to use an AWS KMS key with Instance Scheduler on AWS, add the KMS key's ARN to the Instance Scheduler on AWS stack (hub or spoke) in the same account as the EC2 instance(s) using the key(s), via the following stack parameter:

KMS Key Arns for EC2

This automatically generates the following policy and adds it to the scheduling role for that account. Note that an IAM policy statement like this one can only grant use of a KMS key if the key's own key policy allows IAM policies in that account to control access to the key (the default key policy does); a key whose policy does not delegate to IAM must also name the scheduling role explicitly.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringLike": {
          "kms:ViaService": "ec2.*.amazonaws.com"
        },
        "Null": {
          "kms:EncryptionContextKeys": "false",
          "kms:GrantOperations": "false"
        },
        "ForAllValues:StringEquals": {
          "kms:EncryptionContextKeys": [ "aws:ebs:id" ],
          "kms:GrantOperations": [ "Decrypt" ]
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      },
      "Action": "kms:CreateGrant",
      "Resource": [ "Your-KMS-ARNs-Here" ],
      "Effect": "Allow"
    }
  ]
}
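The statement above is narrower than a plain kms:CreateGrant allow, and the reason is in how its conditions combine. The following added example (not code from the Instance Scheduler project; the function names, the sample key ARN and the constructed request contexts are assumptions) builds the same statement for a list of key ARNs, rejecting alias ARNs and wildcards, and then runs a handful of constructed CreateGrant request contexts through a small evaluator of the four operators the statement uses, to show which requests the conditions admit:

```python
import re
from typing import Iterable

# Constructed sample key ARN; replace with your own key ARN(s).
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Full KMS key ARN only (aws, aws-cn, aws-us-gov partitions); alias ARNs and
# wildcards are rejected so the statement cannot widen to other keys.
KEY_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def build_ebs_grant_policy(key_arns: Iterable[str]) -> dict:
    """Return the kms:CreateGrant statement shown above for the given key ARNs."""
    arns = list(key_arns)
    if not arns:
        raise ValueError("at least one KMS key ARN is required")
    bad = [a for a in arns if not KEY_ARN_RE.match(a)]
    if bad:
        raise ValueError(f"not KMS key ARNs: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": arns,
            "Condition": {
                "StringLike": {"kms:ViaService": "ec2.*.amazonaws.com"},
                "Null": {"kms:EncryptionContextKeys": "false",
                         "kms:GrantOperations": "false"},
                "ForAllValues:StringEquals": {
                    "kms:EncryptionContextKeys": ["aws:ebs:id"],
                    "kms:GrantOperations": ["Decrypt"],
                },
                "Bool": {"kms:GrantIsForAWSResource": "true"},
            },
        }],
    }


def create_grant_allowed(policy: dict, request: dict) -> bool:
    """Evaluate a CreateGrant request context against the statement's conditions.

    Implements only the four operators this statement uses; it illustrates how
    the conditions combine and is not IAM's policy engine. Request keys:
    key_arn, via_service (None when the caller hits KMS directly),
    encryption_context_keys, grant_operations, grant_is_for_aws_resource.
    """
    stmt = policy["Statement"][0]
    cond = stmt["Condition"]
    if request["key_arn"] not in stmt["Resource"]:
        return False
    # StringLike: '*' is a wildcard; a missing kms:ViaService never matches.
    via = request.get("via_service")
    pattern = re.escape(cond["StringLike"]["kms:ViaService"]).replace(r"\*", ".*")
    if via is None or not re.fullmatch(pattern, via):
        return False
    multi = {
        "kms:EncryptionContextKeys": list(request.get("encryption_context_keys", [])),
        "kms:GrantOperations": list(request.get("grant_operations", [])),
    }
    # Null:"false" requires the key to be present (non-empty) in the request ...
    for key, absent in cond["Null"].items():
        if absent == "false" and not multi[key]:
            return False
    # ... and ForAllValues requires every supplied value to be in the allowed set.
    # Without the Null check an empty set would satisfy ForAllValues vacuously.
    for key, allowed in cond["ForAllValues:StringEquals"].items():
        if not set(multi[key]) <= set(allowed):
            return False
    want = cond["Bool"]["kms:GrantIsForAWSResource"]
    return str(request.get("grant_is_for_aws_resource", False)).lower() == want


def _ebs_start_request(**overrides) -> dict:
    """Constructed request context resembling EC2's CreateGrant on instance start."""
    base = {
        "key_arn": SAMPLE_KEY_ARN,
        "via_service": "ec2.us-east-1.amazonaws.com",
        "encryption_context_keys": ["aws:ebs:id"],
        "grant_operations": ["Decrypt"],
        "grant_is_for_aws_resource": True,
    }
    base.update(overrides)
    return base


def evaluate_samples() -> dict:
    """Run constructed request contexts through the policy; name -> allowed."""
    policy = build_ebs_grant_policy([SAMPLE_KEY_ARN])
    samples = {
        "ec2 start, encrypted ebs": _ebs_start_request(),
        "wider grant ops": _ebs_start_request(grant_operations=["Decrypt", "ReEncryptFrom"]),
        "no encryption context": _ebs_start_request(encryption_context_keys=[]),
        "direct call, not via ec2": _ebs_start_request(via_service=None),
        "grant for a principal, not a resource": _ebs_start_request(grant_is_for_aws_resource=False),
        "other key": _ebs_start_request(key_arn=SAMPLE_KEY_ARN.replace("1234abcd", "ffffffff")),
    }
    return {name: create_grant_allowed(policy, req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

Only the request that looks like EC2 starting an instance with an encrypted volume is allowed: it arrives via the EC2 service, carries exactly the aws:ebs:id encryption context, asks for a grant limited to Decrypt, and the grant is for an AWS resource rather than a principal. The pairing of Null:"false" with ForAllValues matters: ForAllValues on its own is satisfied by an empty set, so without the Null check a grant with no encryption context constraint would pass.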