How do I create an encrypted AMI for AWS Batch?

Last updated: 2021-02-10

I want to create an encrypted Amazon Machine Image (AMI) for AWS Batch.

Short description

You can use custom AWS Key Management Service (AWS KMS) keys to encrypt your AMIs, and then use encrypted AMIs to launch AWS Batch instances.

Resolution

Create a snapshot of an AMI that's optimized for Amazon Elastic Container Service (Amazon ECS)

1.    Launch an Amazon Elastic Compute Cloud (Amazon EC2) instance based on an Amazon ECS-optimized AMI.

Note: To choose an AMI, see Linux Amazon ECS-optimized AMIs.

2.    Create a snapshot from the root volume of the EC2 instance that you launched in step 1.

3.    To avoid charges, delete the EC2 instance created in step 1.

Encrypt the snapshot and create an AMI of the encrypted snapshot

1.    Open the Amazon EC2 console.

2.    From the Elastic Block Store section of the navigation pane, choose Snapshots.

3.    Select the snapshot that you created earlier, choose Actions, and then choose Copy.

4.    In the Copy Snapshot window, for Encryption, select the Encrypt this snapshot check box.

5.    For Root Key, choose your own customer managed AWS KMS key.

Note: The key used for encryption in these steps is a symmetric key.

6.    Choose Copy, and then select Close.

7.    Select the encrypted snapshot after it moves to completed status, choose Actions, and then choose Create Image.

Now you have an encrypted AMI that you can use to launch your AWS Batch instances.

Note: You can view the AMI from the Amazon EC2 console. From the Images section of the navigation pane, choose AMIs.

Give the service-linked role access to the KMS key

If you specify a customer managed KMS key for Amazon Elastic Block Store (Amazon EBS) encryption, you must give the appropriate service-linked role access to the KMS key. This allows Amazon EC2 Auto Scaling to launch instances on your behalf. To provide this access, you must modify the key policy of your KMS key.

When you update the policy, be sure to set AWSServiceRoleForAutoScaling as the key user for the KMS key.

If you use this policy, replace the Amazon Resource Name (ARN) with the ARN of the appropriate service-linked role that is allowed access to the KMS key. See the following example policy:

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

Note: If you're using the spot compute environment with a best fit strategy, then use AWSServiceRoleForEC2SpotFleet instead of AWSServiceRoleForAutoScaling in the preceding key policy.
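Before pointing a compute environment at the encrypted AMI, it is worth checking the key policy offline rather than discovering a missing permission when instances fail to launch. The following script is an added example, not AWS code: it reproduces the article's policy as a Python dict (with the constructed placeholder account id 111122223333) and reports which of the key-use and grant actions the launching service-linked role still lacks, and whether its CreateGrant statement carries the kms:GrantIsForAWSResource condition. It also covers the note above: for a Spot compute environment with a best fit strategy it checks the AWSServiceRoleForEC2SpotFleet principal instead, whose full ARN path (spotfleet.amazonaws.com) is an assumption here.

```python
"""Offline check of a KMS key policy before using an encrypted AMI with AWS
Batch: does the service-linked role that launches the instances hold the
key-use and grant permissions the article lists? Added example, not AWS
code. The spot fleet role's ARN path is assumed; the account id is a
constructed placeholder."""
import json

# Key-use actions from the "Allow use of the key" statement.
USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"}
# Grant actions from the "Allow attachment of persistent resources" statement.
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}

# Service-linked role ARN templates (the spotfleet path is an assumption).
SLR_ARN = {
    "autoscaling": "arn:aws:iam::{acct}:role/aws-service-role/"
                   "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
    "spotfleet": "arn:aws:iam::{acct}:role/aws-service-role/"
                 "spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet",
}

ACCOUNT = "111122223333"  # constructed placeholder account id
AUTOSCALING_ARN = SLR_ARN["autoscaling"].format(acct=ACCOUNT)

# The article's example key policy, as a dict so the check can run offline.
ARTICLE_POLICY = {
    "Id": "key-consolepolicy-3", "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": AUTOSCALING_ARN},
         "Action": sorted(USE_ACTIONS), "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": AUTOSCALING_ARN},
         "Action": sorted(GRANT_ACTIONS), "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Return the AWS principals of a statement ('*' means anyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def allowed_actions(policy, principal_arn):
    """Collect the actions that Allow statements grant to principal_arn, and
    whether every statement granting kms:CreateGrant carries the
    kms:GrantIsForAWSResource condition (grants limited to AWS resources
    such as EBS volumes, as in the article's policy)."""
    actions, grant_flags = set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        who = _principals(stmt)
        if principal_arn not in who and "*" not in who:
            continue
        stmt_actions = set(_as_list(stmt.get("Action", [])))
        actions |= stmt_actions
        if "kms:CreateGrant" in stmt_actions or "kms:*" in stmt_actions:
            flag = (stmt.get("Condition", {}).get("Bool", {})
                        .get("kms:GrantIsForAWSResource", ""))
            grant_flags.append(str(flag).lower() == "true")
    return actions, bool(grant_flags) and all(grant_flags)


def _missing(granted, needed):
    """Actions still missing once a kms:* wildcard is taken into account."""
    return [] if "kms:*" in granted else sorted(needed - granted)


def check_key_policy(policy, compute_environment="ec2", account_id=ACCOUNT):
    """Report what the launching role lacks. compute_environment is 'ec2'
    (Auto Scaling role) or 'spot_best_fit' (Spot Fleet role, per the note).
    policy may be a dict or the JSON text of the key policy."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    role = "spotfleet" if compute_environment == "spot_best_fit" else "autoscaling"
    arn = SLR_ARN[role].format(acct=account_id)
    granted, grant_ok = allowed_actions(policy, arn)
    return {
        "role_arn": arn,
        "missing_use_actions": _missing(granted, USE_ACTIONS),
        "missing_grant_actions": _missing(granted, GRANT_ACTIONS),
        "grant_condition_ok": grant_ok,
    }


if __name__ == "__main__":
    for env in ("ec2", "spot_best_fit"):
        print(env, json.dumps(check_key_policy(ARTICLE_POLICY, env), indent=2))
```

Run against the article's policy, the EC2 case reports nothing missing, while the spot_best_fit case reports every action missing, because the policy names only the Auto Scaling role. To check a real key, pass the output of `aws kms get-key-policy --policy-name default` as the policy text and your own account id.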

Create a new compute environment

Create a new compute environment.

Important: When you create your compute environment, you must select the Enable user-specified AMI ID check box. Then, enter your AMI ID in the AMI ID box that appears, and choose Validate AMI.
