Encrypting Turbot's web and worker server AMI

This article details how to encrypt the Turbot AMI using a KMS key, either the AWS default key (ADK) or a Customer Managed Key (CMK), and how to set the appropriate policies on the CMK. AWS provides documentation on how EBS volumes use KMS, as well as on the key policies required by the Autoscaling service.

If there is any question about what policies need to be set, contact Turbot support at help@turbot.com for assistance.

Important note - be sure to have a break-glass login to the AWS console in case any connectivity issues arise.

Encrypting the Turbot AMI

  1. Create a CMK in the Turbot Master region, if desired.
  2. Encrypt the AMI. These instructions assume use of the ADK, but the encryption process is the same when using a CMK.
    • Navigate to the default Turbot region in the Master AWS account.
    • Go to the EC2 service in the AWS console.
    • Select AMI on the left side.
    • Change the Owned by me drop-down menu to Private images.
    • Select the latest Turbot AMI, click Actions, then Copy AMI.
    • Choose the target region to be the same region the AMI currently lives in.
    • Check the Encryption box. If using a CMK, select it.
    • Click Copy AMI.
  3. The AMI will now be copied and encrypted. This process can take a few minutes. Make a note of the new encrypted AMI ID.
  4. Get a copy of the Turbot-Console template: Navigate to CloudFormation in the default Turbot region and make a copy of the template used in the console stack. The latest version of the Turbot-Console CloudFormation template can be found at the Turbot v3 Releases page.
  5. Insert the encrypted AMI into the Turbot-Console template: Users must select a Turbot version number when running the template in CloudFormation. The template contains a reference to the current Turbot AMI and must be modified to include the new, encrypted AMI.
    • Within the CloudFormation template, there will be a section that looks like the following:
      "VersionMap": {
          "v3.58.0": {
            "APNE2": "ami-0c040ea6dbccbf001",
            "EUCE1": "ami-0d777f67ca03c5a06",
            "EUWE1": "ami-076b3c1a6a17a20ef",
            "USEA1": "ami-0f601470b10e6c78c",
            "USEA2": "ami-069ba46d7f6b77f0a",
            "USWE2": "ami-04c31e029c48bacdc"
          },
    • Copy a version stanza and give it a new version number, such as "v3.58.0.K". Designating a distinct version number makes it easier to select the unencrypted version, should a rollback be necessary. Note: CloudFormation places a 100-item limit on the number of Versions. If this limit is exceeded, remove the oldest versions to make room. Paste in the new encrypted AMI for USEA1 to get:
      "VersionMap": {
          "v3.58.0.K": {
            "APNE2": "ami-0c040ea6dbccbf001",
            "EUCE1": "ami-0d777f67ca03c5a06",
            "EUWE1": "ami-076b3c1a6a17a20ef",
            "USEA1": "ami-0eaec6ed68e88e33c",
            "USEA2": "ami-069ba46d7f6b77f0a",
            "USWE2": "ami-04c31e029c48bacdc"
          },
          "v3.58.0": {
            "APNE2": "ami-0c040ea6dbccbf001",
            "EUCE1": "ami-0d777f67ca03c5a06",
            "EUWE1": "ami-076b3c1a6a17a20ef",
            "USEA1": "ami-0f601470b10e6c78c",
            "USEA2": "ami-069ba46d7f6b77f0a",
            "USWE2": "ami-04c31e029c48bacdc"
          },
    • To make the new encrypted version appear in the versions drop-down menu, add the new version value to the section of the Turbot-Console CFN that looks like:
      "Version": {
        "Type": "String",
        "Description": "Version of Turbot to be installed.",
        "Default": "v3.58.0",
        "AllowedValues": [
          "v3.58.0.K",
          "v3.58.0",
          "v3.57.0",
          "v3.56.3",
    • Save the CloudFormation Template.
  6. If using a CMK, follow the instructions below to apply the right key policy. When using the ADK, no key policies need to be set, as AWS services get automatic access to the ADK.
  7. Run the upgrade: select Upload a template file and upload the modified template. On the next page, select the Version in the drop-down menu that corresponds to the new, encrypted AMI, in this example "v3.58.0.K".
  8. Generally, no other adjustments need to be made. Scroll to the bottom of the page, select Next, then Next, then check the box at the bottom of the page and click Next again. AWS will update the autoscaling rules and the Turbot servers will begin a rolling restart.
  9. Confirm in the AWS EC2 dashboard that the new Turbot Web and Worker servers are using the new, encrypted AMI.
  10. Navigate to the Turbot URL. Verify that connectivity is maintained.
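Step 5 above is easy to get subtly wrong by hand (a missed colon, a version left out of AllowedValues, or the 100-item limit overrun). The following script is an added example, not Turbot's own code or template: it clones a VersionMap stanza, points one region at the encrypted AMI, makes the new version selectable, and trims the oldest versions if the limit would be exceeded. It assumes the template is JSON with the AMI table under Mappings -> VersionMap and the parameter under Parameters -> Version, as the fragments in this article show; the SAMPLE_TEMPLATE and its v3.57.0 AMI ids are constructed placeholders.

```python
"""Clone a VersionMap stanza for an encrypted AMI (step 5 of the procedure above).

Added example, not Turbot's own code or template. Assumes the template keeps
AMIs under Mappings -> VersionMap -> <version> -> <region code> and selectable
versions under Parameters -> Version -> AllowedValues, as in the article's
fragments. SAMPLE_TEMPLATE is constructed; its v3.57.0 AMI ids are placeholders.
"""
import copy
import json
import sys

MAX_VERSIONS = 100  # CloudFormation limit on VersionMap entries noted in the article


def _version_key(version):
    """Sort key: numeric parts of 'v3.58.0' ascending; a suffix like '.K' sorts after its base."""
    parts = version.lstrip("v").split(".")
    numbers = tuple(int(p) for p in parts if p.isdigit())
    return (numbers, len(parts))


def add_encrypted_version(template, base_version, new_version, region_code, encrypted_ami):
    """Return a copy of `template` with `new_version` cloned from `base_version`,
    `region_code` pointed at `encrypted_ami`, and the new version made selectable."""
    if not encrypted_ami.startswith("ami-"):
        raise ValueError(f"{encrypted_ami!r} does not look like an AMI id")
    result = copy.deepcopy(template)  # never mutate the caller's template
    version_map = result["Mappings"]["VersionMap"]
    if base_version not in version_map:
        raise KeyError(f"{base_version!r} is not in VersionMap")
    if new_version in version_map:
        raise ValueError(f"{new_version!r} already exists; use a distinct version so rollback stays easy")
    stanza = dict(version_map[base_version])  # other regions keep the base AMI
    if region_code not in stanza:
        raise KeyError(f"{region_code!r} is not in the {base_version!r} stanza")
    stanza[region_code] = encrypted_ami
    version_map[new_version] = stanza

    # Stay under the mapping limit by dropping the oldest versions first.
    while len(version_map) > MAX_VERSIONS:
        del version_map[min(version_map, key=_version_key)]

    param = result["Parameters"]["Version"]
    allowed = [new_version] + [v for v in param["AllowedValues"] if v != new_version]
    # Keep AllowedValues in step with VersionMap so no selectable version lacks an AMI.
    param["AllowedValues"] = [v for v in allowed if v in version_map]
    return result


# Constructed sample in the shape of the article's fragments (v3.57.0 ids are placeholders).
SAMPLE_TEMPLATE = {
    "Parameters": {
        "Version": {
            "Type": "String",
            "Description": "Version of Turbot to be installed.",
            "Default": "v3.58.0",
            "AllowedValues": ["v3.58.0", "v3.57.0"],
        }
    },
    "Mappings": {
        "VersionMap": {
            "v3.58.0": {"USEA1": "ami-0f601470b10e6c78c", "USWE2": "ami-04c31e029c48bacdc"},
            "v3.57.0": {"USEA1": "ami-00000000000000057", "USWE2": "ami-00000000000000058"},
        }
    },
}

if __name__ == "__main__":
    # Usage: python add_version.py [template.json] > updated.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    updated = add_encrypted_version(template, "v3.58.0", "v3.58.0.K", "USEA1", "ami-0eaec6ed68e88e33c")
    json.dump(updated, sys.stdout, indent=2)
```

Run it against a saved copy of the Turbot-Console template and diff the output against the original before uploading; the only changes should be the new stanza, the new AllowedValues entry, and any trimmed old versions.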

CMK Specific Instructions

In addition to encrypting the AMI, the Autoscaling service needs permission to use the CMK. Add the policy statements below to the CMK key policy, replacing {AWSAccountId} with your AWS account ID. Keep the existing administrator statement (shown as a comment) so the key remains manageable.


{
  "Version": "2012-10-17",
  "Statement": [
    /*{ "Sid": "Permissions for Administrators", ..., ...}*/
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::{AWSAccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
          "arn:aws:iam::{AWSAccountId}:role/turbot-console"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{AWSAccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
      },
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
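A missing or mistyped statement here shows up only later, as Autoscaling instances that fail to launch from the encrypted AMI. The checker below is an added example, not Turbot's code: given a key policy document (the JSON string returned by kms:GetKeyPolicy, or a parsed dict) and the account ID, it reports whether the AutoScaling service-linked role has the key-use actions, whether it can create grants for AWS resources under the kms:GrantIsForAWSResource condition, and whether anyone retains kms:PutKeyPolicy so the key cannot become unmanageable. The build_sample_policy helper and the account ID 123456789012 are constructed for the example; the check does not evaluate Deny statements, which can still override an Allow.

```python
"""Check a CMK key policy for the Autoscaling statements described above.

Added example, not Turbot's code. Works on the policy JSON from kms:GetKeyPolicy
(string) or a parsed dict. The sample policy and account id are constructed.
Caveat: Deny statements are not evaluated, so a Deny elsewhere can still override.
"""
import fnmatch
import json

USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]


def autoscaling_role_arn(account_id):
    """Service-linked role the article's statements are written for."""
    return f"arn:aws:iam::{account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _allows(statement, principal, required_actions):
    """True if an Allow statement names `principal` (or everyone) and its Action
    patterns cover every required action (wildcards such as kms:* are honoured)."""
    if statement.get("Effect") != "Allow":
        return False
    names = _principals(statement)
    if principal not in names and "*" not in names:
        return False
    patterns = _as_list(statement.get("Action", []))
    return all(any(fnmatch.fnmatchcase(action, p) for p in patterns) for action in required_actions)


def check_key_policy(policy, account_id):
    """Return a list of findings; an empty list means the required statements are present."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = _as_list(policy.get("Statement", []))
    role = autoscaling_role_arn(account_id)
    findings = []
    if not any(_allows(s, role, USE_ACTIONS) for s in statements):
        findings.append("AutoScaling service-linked role is missing key-use actions: " + ", ".join(USE_ACTIONS))

    def grant_statement_ok(s):
        flag = s.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
        return _allows(s, role, ["kms:CreateGrant"]) and str(flag).lower() == "true"

    if not any(grant_statement_ok(s) for s in statements):
        findings.append("AutoScaling service-linked role lacks kms:CreateGrant with kms:GrantIsForAWSResource=true")
    # Lock-out guard: some principal must still be able to change the key policy.
    if not any(_allows(s, p, ["kms:PutKeyPolicy"]) for s in statements for p in _principals(s)):
        findings.append("no principal is allowed kms:PutKeyPolicy; the key policy could become unmanageable")
    return findings


def build_sample_policy(account_id, include_grant_condition=True):
    """Constructed sample mirroring the article's two statements plus a minimal admin statement."""
    grant = {
        "Sid": "Allow attachment of persistent resources",
        "Effect": "Allow",
        "Principal": {"AWS": autoscaling_role_arn(account_id)},
        "Action": "kms:CreateGrant",
        "Resource": "*",
    }
    if include_grant_condition:
        grant["Condition"] = {"Bool": {"kms:GrantIsForAWSResource": "true"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Permissions for Administrators", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": [autoscaling_role_arn(account_id),
                                   f"arn:aws:iam::{account_id}:role/turbot-console"]},
             "Action": list(USE_ACTIONS), "Resource": "*"},
            grant,
        ],
    }


if __name__ == "__main__":
    account = "123456789012"  # constructed placeholder account id
    print(check_key_policy(build_sample_policy(account), account) or "policy OK")
    print(check_key_policy(build_sample_policy(account, include_grant_condition=False), account))
```

Feed it the real document from `aws kms get-key-policy --key-id <key> --policy-name default` (the Policy field is the JSON string) after applying step 6 and before running the upgrade in step 7.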
