How can I get details of an AMI or snapshot: whether it is encrypted, and with which key (AWS managed CMK or customer managed CMK) in AWS

你说的曾经没有我的故事 submitted on 2020-01-26 04:42:27

Question


Issue: ➜ I want to get information about my AMI to know whether it is encrypted or not and, if yes, which key it is encrypted with (AWS managed CMK or customer managed CMK), so that I can use this information while sharing my AMI with another account without any issues.


Answer 1:


Solution: ➜

We can get this information using the AWS Console as well as the AWS CLI, which could be useful while troubleshooting the correlation between encrypted AMIs/snapshots and KMS.

How can I check using AWS CLI commands:

You can use the APIs below to get the information:

  • describe-images (this can be used to get the block device information of the AMI, which also provides the snapshot ID associated with each device).
  • describe-snapshots (this can be used to get the information about each snapshot in order to get the encryption parameter "true" or "false" and the corresponding key ID).
  • describe-key (if the snapshot is encrypted, you can check the details of the key to see whether it is an "AWS managed CMK" or a "customer managed CMK").

Example:

I want to get the details of my AMI (ami-0xxxxxx) located in region eu-west-1. I would like to know if this AMI is encrypted and, if yes, which keys are being used for encryption, so that I can decide further on allowing other accounts to use it.

1. Checking the AMI block mappings to see the associated snapshots:

# aws ec2 describe-images --image-ids ami-0xxxxxx --region eu-west-1 --query "Images[*].BlockDeviceMappings"

2. Checking the snapshot details to find the key and encryption details:

# aws ec2 describe-snapshots --snapshot-ids "snap-xxxxxxxxxxxxx" --region eu-west-1

3. Now, checking whether it is encrypted using an AWS managed key or a customer managed key:

# aws kms describe-key --key-id "dcd4dcd4xxxxxxxxxxxxxxxxxx" --region eu-west-1

How can I check using the AWS Console:

  • Go to AWS Console - EC2 - navigate to the Images section and click "AMIs".
  • Copy the AMI ID whose information you would like to know. Navigate to "Elastic Block Store" - "Snapshots" and paste the AMI ID you copied into the search box (it will show you the snapshots associated with this AMI).
  • To know the snapshot encryption status, check the Description below; you will find details such as:
    • Encryption: Encrypted
    • KMS Key ID: dcd4dxxxxxxxxxx
    • KMS Key ARN: arn:aws:kms:eu-west-1:920ssss:key/dcd4dxxxxxxxxxx

➜ It means the AMI is encrypted (i.e. it has an encrypted snapshot) with a key ID (dcd4dxxxxxxxxxx). Make a note of this to check the key type further.

<< Now, we don't yet have the details about the key, whether it is an AWS managed CMK or a customer managed CMK. >>

To find this out, please follow the steps below:

  • Go to AWS Console - KMS. On the left-hand side you have all the keys available:
    • AWS managed keys
    • Customer managed keys

➜ Now, you can click on one of the above choices and filter for the key ID you noted above to verify the type of key (AWS managed CMK or customer managed CMK).

Now, you can use the above information for further use, such as sharing this AMI with another account.

Please note:

➜ You can't share AMIs which are encrypted with the AWS managed key (which is the AWS default key for encryption). This is also documented here: [+] Considerations: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html#share-snapshot-considerations

Also, to know more about "customer managed CMKs" and "AWS managed CMKs", please refer to:

[+] AWS Key Management Service Concepts: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
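The three CLI calls in the answer chain together (AMI → block device mappings → snapshot → KMS key), and the decision that matters for sharing is the key's `KeyManager` field ("AWS" for an AWS managed CMK, "CUSTOMER" for a customer managed CMK). The following Python is an added example, not code from the answer or from AWS; it walks that chain with boto3-shaped `describe_images`, `describe_snapshots` and `describe_key` calls, flags every snapshot that would block sharing, and ships with a constructed in-memory fake client so it runs offline. All AMI, snapshot, account and key identifiers in it are made-up placeholders, and `audit_with_boto3` is the only part that touches a real account.

```python
"""Audit an AMI's EBS snapshots: encrypted or not, and by which kind of KMS key.

Added example, not from the original answer. The client objects are assumed to
expose boto3-style methods (ec2.describe_images, ec2.describe_snapshots,
kms.describe_key); a constructed fake below provides the same response shapes
so the logic can be exercised without AWS credentials.
"""


def audit_ami(ec2, kms, image_id):
    """Return one finding per EBS-backed block device of the AMI.

    Each finding records the snapshot's Encrypted flag, its KmsKeyId, and the
    key's KeyManager ("AWS" or "CUSTOMER") when the snapshot is encrypted.
    """
    images = ec2.describe_images(ImageIds=[image_id])["Images"]
    if not images:
        raise ValueError(f"AMI {image_id} not found or not visible to this account")
    findings = []
    for mapping in images[0].get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if not ebs or "SnapshotId" not in ebs:
            continue  # instance-store (ephemeral) device: nothing to inspect
        snap_id = ebs["SnapshotId"]
        snap = ec2.describe_snapshots(SnapshotIds=[snap_id])["Snapshots"][0]
        finding = {
            "device": mapping["DeviceName"],
            "snapshot_id": snap_id,
            "encrypted": snap["Encrypted"],
            "kms_key_id": snap.get("KmsKeyId"),
            "key_manager": None,
        }
        if snap["Encrypted"] and snap.get("KmsKeyId"):
            meta = kms.describe_key(KeyId=snap["KmsKeyId"])["KeyMetadata"]
            finding["key_manager"] = meta["KeyManager"]
        findings.append(finding)
    return findings


def blocking_snapshots(findings):
    """Snapshots encrypted with an AWS managed key: these cannot be shared."""
    return [f["snapshot_id"] for f in findings if f["key_manager"] == "AWS"]


def shareable_with_other_accounts(findings):
    """True only when no snapshot of the AMI uses an AWS managed key."""
    return not blocking_snapshots(findings)


def audit_with_boto3(image_id, region):
    """Run the audit against a real account (requires boto3 and credentials)."""
    import boto3  # imported here so the offline sample runs without it
    return audit_ami(boto3.client("ec2", region_name=region),
                     boto3.client("kms", region_name=region), image_id)


# ---- constructed sample data and fake clients (placeholders, not real IDs) ----
_AWS_KEY = "arn:aws:kms:eu-west-1:111122223333:key/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
_CUSTOMER_KEY = "arn:aws:kms:eu-west-1:111122223333:key/bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"

SAMPLE_IMAGES = [{
    "ImageId": "ami-0example000000000",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/sda1", "Ebs": {"SnapshotId": "snap-0exampleroot0000", "Encrypted": True}},
        {"DeviceName": "/dev/sdb", "Ebs": {"SnapshotId": "snap-0exampledata0000", "Encrypted": True}},
        {"DeviceName": "/dev/sdc", "VirtualName": "ephemeral0"},
        {"DeviceName": "/dev/sdf", "Ebs": {"SnapshotId": "snap-0exampleplain000", "Encrypted": False}},
    ],
}]
SAMPLE_SNAPSHOTS = {
    "snap-0exampleroot0000": {"SnapshotId": "snap-0exampleroot0000", "Encrypted": True, "KmsKeyId": _AWS_KEY},
    "snap-0exampledata0000": {"SnapshotId": "snap-0exampledata0000", "Encrypted": True, "KmsKeyId": _CUSTOMER_KEY},
    "snap-0exampleplain000": {"SnapshotId": "snap-0exampleplain000", "Encrypted": False},
}
SAMPLE_KEYS = {
    _AWS_KEY: {"Arn": _AWS_KEY, "KeyManager": "AWS", "KeyState": "Enabled"},
    _CUSTOMER_KEY: {"Arn": _CUSTOMER_KEY, "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}


class FakeEC2:
    """Stand-in for boto3's EC2 client, returning the real response shapes."""
    def __init__(self, images, snapshots):
        self._images, self._snapshots = images, snapshots

    def describe_images(self, ImageIds):
        return {"Images": [i for i in self._images if i["ImageId"] in ImageIds]}

    def describe_snapshots(self, SnapshotIds):
        return {"Snapshots": [self._snapshots[s] for s in SnapshotIds]}


class FakeKMS:
    """Stand-in for boto3's KMS client."""
    def __init__(self, keys):
        self._keys = keys

    def describe_key(self, KeyId):
        return {"KeyMetadata": self._keys[KeyId]}


def sample_findings():
    """Run the audit over the constructed sample AMI."""
    return audit_ami(FakeEC2(SAMPLE_IMAGES, SAMPLE_SNAPSHOTS), FakeKMS(SAMPLE_KEYS),
                     "ami-0example000000000")


if __name__ == "__main__":
    for f in sample_findings():
        print(f)
    print("blocking:", blocking_snapshots(sample_findings()))
```

The audit is per device rather than per AMI on purpose: an AMI with several volumes can mix keys, and a single root snapshot under the AWS managed key is enough to make the whole image unshareable even when the data volumes use a customer managed CMK. For a real check, `audit_with_boto3("ami-…", "eu-west-1")` needs `ec2:DescribeImages`, `ec2:DescribeSnapshots` and `kms:DescribeKey` permissions.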



Source: https://stackoverflow.com/questions/59846798/how-can-i-get-details-of-an-ami-or-snapshot-if-it-is-encrypted-and-with-which-ke
