Amazon-Web-Services
How do I auto-scale EC2 instances with an encrypted root volume?
I am trying to configure an Auto Scaling setup in AWS where the node launch template includes an encrypted root volume (EBS). Following the documentation, I have configured a service-linked role, and a CMK in Amazon KMS with an IAM policy.
However, when the ASG wants to create an instance, I get the following error:
Launching a new EC2 instance: i-0123456789xxx. Status Reason: Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch
The troubleshooting documentation just points back to the original documentation and suggests that the IAM policy is configured incorrectly - I am struggling to figure out what is incorrect.
The service-linked role is configured on the ASG: SLR on ASG, and the SLR has the correct permissions in the IAM policy for the key used to encrypt the volumes:
{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    },
    "Action": [
        "kms: Encrypt",
        "kms: Decrypt",
        "kms: ReEncrypt*",
        "kms: GenerateDataKey*",
        "kms: DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    },
    "Action": [
        "kms: CreateGrant",
        "kms: ListGrants",
        "kms: RevokeGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": "true"
        }
    }
}
Note that manually launching the same AMI, specifying that the root volume be encrypted with the same key, works. Might this indicate a problem with the SLR?
Alternatively, do I need to create an AMI whose root volume is already encrypted?
Update 5 November 2020:
It turned out there was a formatting error - there was a space after each colon in the Action section. Removing it fixed it and it now works as expected.
{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    },
    "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": "true"
        }
    }
}
I ran into the same problem and solved it by adding the service-linked role for Auto Scaling to the key policy of the relevant key (AWS console -> KMS -> Customer managed keys -> YOUR_KEY -> "Edit" under the Key policy tab) as follows:
{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::REDACTED:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
                    "arn:aws:iam::REDACTED:root"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
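The root cause in the question's update (a space after the colon in "kms: Encrypt", which IAM accepts but which matches no real action) and the answer's fix (a key policy granting the Auto Scaling service-linked role kms:*) are both things you can check mechanically before launching an ASG. The following is an added example, not code from either poster: a small offline linter that takes a KMS key policy document, finds malformed action names, verifies that the service-linked role is covered for the minimal set of actions the question's policy lists, and flags grants that are broader than that set. The account id in the ARN is the placeholder from the question, and the three sample policies are constructed from the statements on this page.

```python
import json
import re

# Service-linked role for EC2 Auto Scaling; the account id is the placeholder
# used in the question, not a real account.
ASG_SLR = ("arn:aws:iam::0123456789:role/aws-service-role/"
           "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")

# The minimal set of actions the question's two statements try to grant the SLR.
REQUIRED_USE = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]
REQUIRED_GRANT = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]

# A well-formed IAM action is "<service>:<Action>" (wildcards allowed) with no
# whitespace. "kms: Encrypt" passes the policy editor but grants nothing.
ACTION_RE = re.compile(r"^([a-z0-9-]+:[A-Za-z0-9*]+|\*)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _covers(granted, required):
    """True if a granted action pattern (may contain '*') covers the required one."""
    pattern = ".*".join(re.escape(part) for part in granted.split("*"))
    return re.fullmatch(pattern, required, re.IGNORECASE) is not None


def lint_key_policy(policy, principal=ASG_SLR):
    """Return a list of findings about what `principal` can do under a KMS key policy."""
    findings = []
    granted = []
    grant_without_condition = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or principal not in _aws_principals(stmt):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        grant_is_for_aws = str(cond.get("kms:GrantIsForAWSResource", "")).lower() == "true"
        for action in _as_list(stmt.get("Action", [])):
            if not ACTION_RE.match(action):
                findings.append(f"malformed action {action!r} in Sid {stmt.get('Sid')!r}: "
                                "IAM actions must not contain whitespace")
                continue
            granted.append(action)
            # CreateGrant is what lets the EC2/EBS side attach the key to the volume;
            # without the GrantIsForAWSResource condition the SLR could grant to anyone.
            if _covers(action, "kms:CreateGrant") and not grant_is_for_aws:
                grant_without_condition = True
    for required in REQUIRED_USE + REQUIRED_GRANT:
        if not any(_covers(g, required) for g in granted):
            findings.append(f"missing {required} for {principal}")
    if grant_without_condition:
        findings.append("kms:CreateGrant allowed without kms:GrantIsForAWSResource=true")
    broad = [g for g in granted if g in ("*", "kms:*")]
    if broad:
        findings.append(f"wildcard action {broad[0]!r} grants more than the minimal set")
    return findings


def _slr_statements(space):
    """The question's two statements; space=' ' reproduces the broken form, '' the fix."""
    def acts(names):
        return [f"kms:{space}{n}" for n in names]
    return [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ASG_SLR},
         "Action": acts(["Encrypt", "Decrypt", "ReEncrypt*", "GenerateDataKey*", "DescribeKey"]),
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": ASG_SLR},
         "Action": acts(["CreateGrant", "ListGrants", "RevokeGrant"]),
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]


# Constructed sample policies built from the statements posted on this page.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": _slr_statements(" ")}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": _slr_statements("")}
ANSWER_POLICY = {"Version": "2012-10-17", "Id": "key-default-1", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": [ASG_SLR, "arn:aws:iam::0123456789:root"]},
     "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in [("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY),
                         ("answer", ANSWER_POLICY)]:
        print(name, json.dumps(lint_key_policy(policy), indent=2))
```

Against the broken policy the linter reports every "kms: ..." action as malformed and, as a consequence, every required action as missing, which is exactly the state that produced the Client.InternalError above. The fixed policy produces no findings. The answer's policy satisfies the SLR's needs, but is reported as wider than the minimal set because kms:* also covers CreateGrant without the kms:GrantIsForAWSResource condition. To run it against a real key, feed it the output of aws kms get-key-policy --key-id <key-id> --policy-name default --query Policy --output text, parsed with json.loads.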