Amazon-Web-Services

How do I auto-scale EC2 instances with an encrypted root volume?

  • May 11, 2020

I'm trying to configure an Auto Scaling setup in AWS where the node launch template includes an encrypted root volume (EBS). I have configured a service-linked role according to the documentation, along with a CMK in Amazon KMS with an IAM policy.

However, when the ASG wants to create an instance, I get the following error:

Launching a new EC2 instance: i-0123456789xxx. Status Reason: Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch

The troubleshooting documentation just points back to the original documentation and suggests the IAM policy is configured incorrectly - I'm struggling to find what is incorrect.

The service-linked role is configured on the ASG: SLR on ASG, and the SLR has the correct permissions in the IAM policy for the key used to encrypt the volume:

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    },
    "Action": [
        "kms: Encrypt",
        "kms: Decrypt",
        "kms: ReEncrypt*",
        "kms: GenerateDataKey*",
        "kms: DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    },
    "Action": [
        "kms: CreateGrant",
        "kms: ListGrants",
        "kms: RevokeGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": "true"
        }
    }
}

Note that manually launching the same AMI, specifying that the root volume be encrypted with the same key, works. Could this indicate a problem with the SLR?

Alternatively, do I need to create an AMI whose root volume is already encrypted?

Update, 5 November 2020

It turned out there was a formatting error - there was a space after each colon in the Action section. Removing it fixed it, and it now works as expected.

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    },
    "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": "true"
        }
    }
}

I ran into the same problem and solved it by adding the Auto Scaling service-linked role to the key policy of the relevant key (AWS Console -> KMS -> Customer managed keys -> YOUR_KEY -> "Edit" under the Key policy tab) as follows:

{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::REDACTED:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
                    "arn:aws:iam::REDACTED:root"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
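Both the question's update (a space after each colon silently turned every action into a token that matches nothing) and the answer above (the SLR must actually appear as a principal in the key policy) come down to checks you can run on the policy document before attaching it. The following script is an added example, not code from the question, the answer, or AWS: it flags malformed action strings and lists which of the permissions the question's two statements grant are missing for the Auto Scaling service-linked role. The role ARN uses a placeholder account id, the required action set is taken from the question's own statements, and the two sample policies are constructed here to mirror the broken and fixed versions shown above.

```python
import re

# Well-formed IAM action token: "service:Action", optional trailing wildcard,
# no whitespace anywhere. "kms: Encrypt" fails this and matches no real action.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")

# Hypothetical ARN for the Auto Scaling service-linked role (the account id
# is a placeholder, not taken from the question).
ASG_SLR_ARN = ("arn:aws:iam::111122223333:role/aws-service-role/"
               "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")

# What the SLR needs on the CMK, per the two statements in the question
REQUIRED_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
    "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Principal fields; normalise."""
    return value if isinstance(value, list) else [value]


def malformed_actions(policy):
    """Return every Action string that is not a well-formed 'service:Action'."""
    return [
        action
        for stmt in policy.get("Statement", [])
        for action in _as_list(stmt.get("Action", []))
        if not ACTION_RE.match(action)
    ]


def actions_allowed_for(policy, principal_arn):
    """Union of Allow actions in statements whose Principal.AWS names the ARN."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "*" shorthand
            aws_principals = [principal]
        else:
            aws_principals = _as_list(principal.get("AWS", []))
        if principal_arn in aws_principals or "*" in aws_principals:
            allowed.update(_as_list(stmt.get("Action", [])))
    return allowed


def missing_for_asg(policy, principal_arn=ASG_SLR_ARN):
    """Required actions the ASG service-linked role is not granted.

    Malformed tokens never count as granted, so the broken policy from the
    question reports everything as missing even though it looks complete.
    """
    allowed = {a for a in actions_allowed_for(policy, principal_arn)
               if ACTION_RE.match(a)}
    if "kms:*" in allowed:  # the answer's policy grants everything
        return set()
    return REQUIRED_ACTIONS - allowed


def _key_policy(use_actions, grant_actions):
    """Build a constructed key policy in the shape shown in the question."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": ASG_SLR_ARN},
             "Action": use_actions, "Resource": "*"},
            {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
             "Principal": {"AWS": ASG_SLR_ARN},
             "Action": grant_actions, "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


# Constructed samples: the question's broken policy (space after each colon)
# and the corrected one from the update.
BROKEN_POLICY = _key_policy(
    ["kms: Encrypt", "kms: Decrypt", "kms: ReEncrypt*",
     "kms: GenerateDataKey*", "kms: DescribeKey"],
    ["kms: CreateGrant", "kms: ListGrants", "kms: RevokeGrant"])

FIXED_POLICY = _key_policy(
    ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
     "kms:GenerateDataKey*", "kms:DescribeKey"],
    ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"])


if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "malformed:", malformed_actions(policy))
        print(name, "missing for ASG SLR:", sorted(missing_for_asg(policy)))
```

Run it against a policy pulled with `aws kms get-key-policy` (after `json.loads`) before editing the key; the broken sample reports all eight actions as both malformed and missing, the fixed sample reports nothing, and a policy that grants the SLR `kms:*`, as in the answer above, also passes, although that is far broader than the two scoped statements the question ended up with.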

Quoted from: https://serverfault.com/questions/1000686