AWS IAM policy to enforce that new EBS volumes are encrypted
You will need additional permissions to create encrypted volumes:
1) ec2:DescribeAvailabilityZones
2) kms:*
Note: I did not drill down into KMS for the minimum permissions to use KMS encryption keys. If you want to create volumes from snapshots, you will need to add ec2:DescribeSnapshots.
Example policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Stmt1509465260000",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume"
            ],
            "Condition": {
                "Bool": {
                    "ec2:Encrypted": "true"
                }
            },
            "Resource": [
                "*"
            ]
        }
    ]
}
John Hanley had it right.
The full policy I ended up using looked like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt2222222222222",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume"
            ],
            "Condition": {
                "Bool": {
                    "ec2:Encrypted": "true"
                }
            },
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1111111111111",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeAvailabilityZones",
                "ec2:CreateTags",
                "kms:ListAliases"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "allowKmsKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:999999999999:alias/aws/ebs"
            ]
        }
    ]
}
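Both answers above rely on the same mechanism: the only Allow for ec2:CreateVolume carries a Bool ec2:Encrypted = true condition. That guarantee silently disappears if another statement in the same policy (or another attached policy) grants ec2:* or * without the condition, or if someone swaps Bool for BoolIfExists. The script below is an added example, not code from either answer or from AWS: an offline linter that walks a policy document and reports every Allow statement that would let a principal create an unencrypted volume. It also recognises the alternative Deny-based pattern (Deny ec2:CreateVolume when ec2:Encrypted is false) as enforcing; that treatment assumes the ec2:Encrypted key is always populated for CreateVolume requests. The sample policies embedded in it are constructed for the example (the first mirrors the policy from the first answer); the helper and function names are the example's own.

```python
"""Offline linter for the EBS-encryption IAM pattern discussed in the thread.

Added example (not from the original answers, not an AWS tool). It inspects
the policy JSON structurally and needs no credentials; it does not call the
IAM policy simulator.
"""
import fnmatch
import json

CREATE_VOLUME = "ec2:createvolume"   # IAM action names are case-insensitive


def _as_list(value):
    """Action, NotAction, Resource and condition values may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """IAM action matching: case-insensitive, '*' wildcard.
    So 'ec2:*' and '*' both cover ec2:CreateVolume."""
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(patterns))


def _covers_create_volume(stmt):
    """Does the statement's Action/NotAction apply to ec2:CreateVolume?"""
    if "NotAction" in stmt:
        # NotAction grants everything *except* the listed actions.
        return not _matches(stmt["NotAction"], CREATE_VOLUME)
    return _matches(stmt.get("Action"), CREATE_VOLUME)


def _encrypted_condition(stmt, expected):
    """True if the statement has Bool ec2:Encrypted == expected ("true"/"false").

    Only the plain Bool operator counts: BoolIfExists evaluates to true when
    the key is missing from the request context, so it would not enforce.
    """
    cond = stmt.get("Condition") or {}
    for operator, keys in cond.items():
        if operator.lower() != "bool" or not isinstance(keys, dict):
            continue
        for key, values in keys.items():
            if key.lower() == "ec2:encrypted" and all(
                str(v).lower() == expected for v in _as_list(values)
            ):
                return True
    return False


def unencrypted_create_volume_sids(policy):
    """Return labels of Allow statements that grant ec2:CreateVolume without
    requiring encryption. An empty list means the policy enforces it.

    A Deny on Resource "*" with Bool ec2:Encrypted false is the other way to
    enforce; assumed here to always fire for unencrypted CreateVolume calls.
    """
    statements = _as_list(policy.get("Statement"))
    for stmt in statements:
        if (stmt.get("Effect") == "Deny"
                and _covers_create_volume(stmt)
                and "*" in _as_list(stmt.get("Resource"))
                and _encrypted_condition(stmt, "false")):
            return []
    offending = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _covers_create_volume(stmt):
            continue
        if not _encrypted_condition(stmt, "true"):
            offending.append(stmt.get("Sid", f"Statement[{i}]"))
    return offending


# Constructed sample: same shape as the first answer's policy.
THREAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeAvailabilityZones"], "Resource": "*"},
    {"Sid": "Stmt1509465260000", "Effect": "Allow", "Action": ["ec2:CreateVolume"],
     "Condition": {"Bool": {"ec2:Encrypted": "true"}}, "Resource": ["*"]}
  ]
}""")

# Constructed sample: a broad ec2:* statement makes the condition moot.
BYPASS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllEc2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Sid": "Encrypted", "Effect": "Allow", "Action": "ec2:CreateVolume",
         "Condition": {"Bool": {"ec2:Encrypted": True}}, "Resource": "*"},
    ],
}

# Constructed sample: Deny-based enforcement of the same rule.
DENY_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:CreateVolume", "Resource": "*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Action": "ec2:CreateVolume",
         "Condition": {"Bool": {"ec2:Encrypted": "false"}}, "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("thread", THREAD_POLICY), ("bypass", BYPASS_POLICY),
                      ("deny-style", DENY_STYLE_POLICY)):
        print(f"{name}: unconditioned CreateVolume in {unencrypted_create_volume_sids(pol)}")
```

Run it against every policy attached to the role, not just the one you wrote: IAM evaluates the union of all attached policies, so a second policy granting ec2:* defeats the condition just as the BYPASS_POLICY statement does.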