Issue:
➜ I want to get information about my AMI to know whether it is encrypted and, if so, which key it is encrypted with (AWS managed CMK or customer managed CMK), so that I can use this information when sharing my AMI with another account without any issues.
Solution
➜ This information can be obtained from the AWS Console as well as from the AWS CLI, which is useful when troubleshooting the relationship between encrypted AMIs/snapshots and KMS keys.
How can I check using AWS CLI commands:
You can use the APIs below to get the information:
- describe-images (returns the block device mappings of the AMI, which include the snapshot id associated with each device).
- describe-snapshots (returns the details of each snapshot, including the "Encrypted" parameter ("true" or "false") and the corresponding KmsKeyId).
- describe-key (if the snapshot is encrypted, shows the details of the key, including whether it is an "AWS managed CMK" or a "customer managed CMK").
Example:
I want to get the details of my AMI (ami-0xxxxxx) located in region eu-west-1. I would like to know whether this AMI is encrypted and, if so, which keys are used for encryption, so that I can decide whether to allow other accounts to use it.
[1] Check the AMI block device mappings to see the associated snapshots:
```
# aws ec2 describe-images --image-ids ami-0xxxxxx --region eu-west-1 --query "Images[*].BlockDeviceMappings"
[
    [
        {
            "DeviceName": "/dev/xvda",
            "Ebs": {
                "DeleteOnTermination": true,
                "SnapshotId": "snap-xxxxxxxxxxxxx",
                "VolumeSize": 8,
                "VolumeType": "gp2",
                "Encrypted": true
            }
        }
    ]
]
```
[2] Check the snapshot details to find the encryption status and the KMS key:
```
# aws ec2 describe-snapshots --snapshot-ids "snap-xxxxxxxxxxxxx" --region eu-west-1
{
    "Snapshots": [
        {
            "Description": "Copied for DestinationAmi ami-0xxxxxx from SourceAmi ami-. Task created on 1,579,611,950,318.",
            "Encrypted": true,
            "KmsKeyId": "arn:aws:kms:eu-west-1:xxxxxxxxxxxx:key/dcd4xxxxxxxxxxxxxxxxxx",
            "OwnerId": "xxxxxxxxxxxx",
            "Progress": "100%",
            "SnapshotId": "snap-xxxxxxxxxxxxx",
            "StartTime": "2020-01-21T13:05:53.887Z",
            "State": "completed",
            "VolumeId": "vol-ffffffff",
            "VolumeSize": 8
        }
    ]
}
```
[3] Now check whether the snapshot is encrypted with an AWS managed key or a customer managed key; the "KeyManager" field in the output reads "CUSTOMER" for a customer managed CMK and "AWS" for an AWS managed CMK:
```
# aws kms describe-key --key-id "dcd4dcd4xxxxxxxxxxxxxxxxxx" --region eu-west-1
{
    "KeyMetadata": {
        "AWSAccountId": "xxxxxxxxxxxx",
        "KeyId": "dcd4dcd4xxxxxxxxxxxxxxxxxx",
        "Arn": "arn:aws:kms:eu-west-1:xxxxxxxxxxxx:key/dcd4dcd4xxxxxxxxxxxxxxxxxx",
        "CreationDate": 1579611763.538,
        "Enabled": true,
        "Description": "02-ratheed-CMK",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
```
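As an added example (not part of the original post), the three CLI steps above chained in Python so that every EBS device of an AMI is classified at once, including the edge cases the manual walk can miss (an unencrypted snapshot, an instance-store device with no snapshot). It assumes boto3-style client methods: `FakeEC2`, `FakeKMS` and all ids/ARNs below are constructed placeholders so the script runs offline; real `boto3.client("ec2")` and `boto3.client("kms")` objects can be passed in their place.

```python
from typing import Any, Dict, List

AWS_MANAGED = "AWS"  # KeyMetadata.KeyManager is "AWS" for AWS managed keys, "CUSTOMER" otherwise

def audit_ami(ec2: Any, kms: Any, image_id: str) -> List[Dict[str, Any]]:
    """One record per EBS device; ec2/kms need only boto3-style describe_* methods."""
    images = ec2.describe_images(ImageIds=[image_id])["Images"]
    if not images:
        raise ValueError(f"{image_id} not visible in this account/region")
    report = []
    for mapping in images[0]["BlockDeviceMappings"]:
        ebs = mapping.get("Ebs")
        if ebs is None:  # instance-store (ephemeral) device: no snapshot to check
            continue
        snap = ec2.describe_snapshots(SnapshotIds=[ebs["SnapshotId"]])["Snapshots"][0]
        entry = {"device": mapping["DeviceName"], "snapshot": snap["SnapshotId"],
                 "encrypted": snap["Encrypted"], "key_manager": None}
        if snap["Encrypted"]:  # describe-key accepts the key ARN from the snapshot as-is
            meta = kms.describe_key(KeyId=snap["KmsKeyId"])["KeyMetadata"]
            entry["key_manager"] = meta["KeyManager"]
        # A snapshot encrypted under the AWS managed key cannot be shared with another account
        entry["shareable"] = entry["key_manager"] != AWS_MANAGED
        report.append(entry)
    return report

def ami_shareable(report: List[Dict[str, Any]]) -> bool:
    """The AMI is shareable only if every EBS device in it is."""
    return all(e["shareable"] for e in report)

# Constructed sample responses with placeholder ids, shaped like boto3 output.
SNAPSHOTS = {
    "snap-root": {"Encrypted": True, "KmsKeyId": "arn:aws:kms:eu-west-1:111111111111:key/cmk-placeholder"},
    "snap-data": {"Encrypted": True, "KmsKeyId": "arn:aws:kms:eu-west-1:111111111111:key/awsebs-placeholder"},
    "snap-logs": {"Encrypted": False},
}

class FakeEC2:
    def describe_images(self, ImageIds):
        devs = [{"DeviceName": f"/dev/xvd{c}", "Ebs": {"SnapshotId": s}} for c, s in
                zip("abc", SNAPSHOTS)] + [{"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]
        return {"Images": [{"ImageId": ImageIds[0], "BlockDeviceMappings": devs}]}

    def describe_snapshots(self, SnapshotIds):
        return {"Snapshots": [dict(SnapshotId=SnapshotIds[0], **SNAPSHOTS[SnapshotIds[0]])]}

class FakeKMS:
    def describe_key(self, KeyId):
        manager = "CUSTOMER" if KeyId.endswith("cmk-placeholder") else AWS_MANAGED
        return {"KeyMetadata": {"Arn": KeyId, "KeyManager": manager}}
```

`audit_ami(FakeEC2(), FakeKMS(), "ami-0xxxxxx")` flags /dev/xvdb as the device that blocks sharing, because its snapshot is encrypted under an AWS managed key.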
How can I check using the AWS Console:
- Go to AWS Console - EC2 - navigate to the Images section and click "AMIs".
- Copy the AMI id whose information you would like to know.
- Navigate to "Elastic Block Store" - "Snapshots" and paste the copied AMI id into the search box (it will show you the snapshots associated with this AMI).
- To know the snapshot encryption status, check the Description below; you will find details such as:
Encryption : Encrypted
KMS Key ID : dcd4dxxxxxxxxxx
KMS Key ARN : arn:aws:kms:eu-west-1:920ssss:key/dcd4dxxxxxxxxxx
➜ This means the AMI is encrypted (i.e. it has an encrypted snapshot) with key id dcd4dxxxxxxxxxx. Make a note of this key id to check the key type next.
At this point we still don't know whether the key is an AWS managed CMK or a customer managed CMK.
To find out, follow the steps below:
- Go to AWS Console - KMS; on the left-hand side all the keys are listed under:
- AWS managed keys
- Customer managed keys
➜ Click one of the two choices above and filter for the key id you noted earlier to verify whether it is an AWS managed CMK or a customer managed CMK.
Now you can use the above information for further steps, such as sharing this AMI with another account.
**Please Note**
➜ You can't share AMIs that are encrypted with the AWS managed key (the AWS default key for encryption), which is also documented here:
[+] Considerations : https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html#share-snapshot-considerations
Also, to know more about "customer managed CMKs" and "AWS managed CMKs", please refer to:
[+] AWS Key Management Service Concepts : https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html