Adding a Custom EBS Encryption Key

Kion versions 2.32.3+.

Enabling EBS volume encryption for the Kion application nodes in the installation AWS CloudFormation template uses the default AWS\EBS KMS key. Default AWS KMS keys are convenient and allow you to achieve a baseline of encryption without a lot of configuration.

However, if you have strict requirements around cryptographic material, custom encryption keys might be required to meet your security standards. For example, you can't delete or change the key policy for a default AWS managed KMS key, which conflicts with the Department of Defense Cloud Security Requirements Guide (DoD Cloud SRG) for controlling cryptographic material.

To use a custom KMS key for encrypting EBS volumes:

1. Log in to the AWS console.
2. If one doesn't exist, create an AWS service linked role for auto scaling. The installation AWS CloudFormation template uses the default role, so this must be named AWSServiceRoleForAutoScaling and can not have a custom suffix. For more information, see Amazon's article Service-linked roles for Amazon EC2 Auto Scaling.
3. Create a customer managed KMS Key to use for EBS volume encryption. You can configure the key name, description, and tags as you like, but you must include the following configurations:
   • Key type. Symmetric.
   • Key usage permissions. AWSServiceRoleForAutoScaling. This AWS service role is required. You cannot use a custom service role for this functionality.
4. Configure the KMS key policy to allow the AutoScaling service linked role to leverage the key. For details on key policies, see Amazon's article Required AWS KMS key policy for use with encrypted volumes.
5. Deploy or update the Kion application stack with the following configurations:
   • Encrypt Volume. True.
   • Customer Managed Key for Volume Encryption. Paste in the ARN of the key you created above. The ARN can be found in the AWS console by navigating to KMS > Customer managed keys and clicking on the key.