Create an AWS Cloud9 IDE that uses Amazon EBS volumes with default encryption - AWS Prescriptive Guidance

Create an AWS Cloud9 IDE that uses Amazon EBS volumes with default encryption

Created by Janardhan Malyala (AWS) and Dhrubajyoti Mukherjee (AWS)

Environment: Production

Technologies: Management & governance

Workload: All other workloads

AWS services: AWS Cloud9; AWS KMS

Summary

Notice: AWS Cloud9 is no longer available to new customers. Existing customers of AWS Cloud9 can continue to use the service as normal. Learn more

You can use encryption by default to enforce the encryption of your Amazon Elastic Block Store (Amazon EBS) volumes and snapshot copies on the Amazon Web Services (AWS) Cloud. 

You can create an AWS Cloud9 integrated development environment (IDE) that uses EBS volumes encrypted by default. However, the AWS Identity and Access Management (IAM) service-linked role for AWS Cloud9 requires access to the AWS Key Management Service (AWS KMS) key for these EBS volumes. If access is not provided, the AWS Cloud9 IDE might fail to launch and debugging might be difficult. 

This pattern provides the steps to add the service-linked role for AWS Cloud9 to the AWS KMS key that is used by your EBS volumes. The setup described by this pattern helps you successfully create and launch an IDE that uses EBS volumes with encryption by default.

Prerequisites and limitations

Prerequisites  

  • An active AWS account.

  • Default encryption turned on for EBS volumes. For more information about encryption by default, see Amazon EBS encryption in the Amazon Elastic Compute Cloud (Amazon EC2) documentation.

  • An existing customer managed KMS key for encrypting your EBS volumes.

Note: You don't need to create the service-linked role for AWS Cloud9. When you create an AWS Cloud9 development environment, AWS Cloud9 creates the service-linked role for you.

Architecture

Using an AWS Cloud9 IDE to enforce the encryption of EBS volumes and snapshots.

Technology stack

  • AWS Cloud9

  • IAM

  • AWS KMS

Tools

Epics

TaskDescriptionSkills required

Record the default encryption key value for the EBS volumes.

Sign in to the AWS Management Console and open the Amazon EC2 console. Choose EC2 dashboard, and then choose Data protection and security in Account attributes. In EBS encryption section, copy and record the value in Default encryption key.

Cloud architect, DevOps engineer
TaskDescriptionSkills required

Provide AWS Cloud9 with access to the KMS key for EBS volumes.

  1. Open the AWS KMS console, and then choose Customer managed keys. Select the AWS KMS key used for Amazon EBS encryption, and then choose View key.

  2. On the Key policy tab, confirm that you can see the text form of the key policy. If you cannot see the text form, choose Switch to policy view.

  3. Choose Edit. Add the code in the Additional information section to the policy, and then choose Save changes. The policy changes permit the service-linked role for AWS Cloud9, AWSServiceRoleForAWSCloud9, to access the key.

For more information about updating a key policy, see How to change a key policy (AWS KMS documentation).

Important: The service-linked role for AWS Cloud9 is automatically created when you launch your first IDE. For more information, see Creating a service-linked role in the AWS Cloud9 documentation. 

Cloud architect, DevOps engineer
TaskDescriptionSkills required

Create and launch the AWS Cloud9 IDE.

Open the AWS Cloud9 console and choose Create environment. Configure IDE according to your requirements by following the steps from Creating an EC2 environment in the AWS Cloud9 documentation. 

Cloud architect, DevOps engineer

Related resources

Additional information

AWS KMS key policy updates

Replace <aws_accountid> with your AWS account ID.

{ "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<aws_accountid>:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<aws_accountid>:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9" }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } } }

Using a cross-account key

If you want to use a cross-account KMS key, you must use a grant in combination with the KMS key policy. This enables cross-account access to the key. In the same account that you used to create the Cloud9 environment, run the following command in the terminal.

aws kms create-grant \ --region <Region where Cloud9 environment is created> \ --key-id <The cross-account KMS key ARN> \ --grantee-principal arn:aws:iam::<The account where Cloud9 environment is created>:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9 \ --operations "Encrypt" "Decrypt" "ReEncryptFrom" "ReEncryptTo" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "DescribeKey" "CreateGrant"

After you run this command, you can create Cloud9 environments by using EBS encryption with a key in a different account.