
Introduction

AWS Key Management Service (KMS) is a service that makes it easy for you to create and control the encryption keys used to encrypt your data. You can use encrypted volumes with Spot instances provisioned by Spotinst. For Spotinst to be able to use your encrypted volumes, you need to grant its roles permission to use the custom KMS key that encrypts the volumes.

How to use custom keys with Spotinst?

Using custom keys requires adjusting the custom key's permissions to include the roles Spotinst requires.

Step 1: Log in to your AWS IAM management console

Log in to your AWS console and navigate to the IAM management console.

Step 2: Click on Encryption keys

Step 3: Click on the custom key you want to encrypt your volumes with

Step 4: Scroll down to Key Users

You should add two roles to this custom key:

  • AWSServiceRoleForEC2Spot (service-linked role that AWS creates automatically for each account)
  • Spotinst cross-account IAM role (the one you created when entering credentials in Spotinst)

You can find your Spotinst cross-account IAM role in the Spotinst settings under the Account menu available via this link: https://console.spotinst.com/#/settings/account/general
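As an added check (example code written for this page, not part of Spotinst's tooling): the script below reads a KMS key policy document and reports which of the Key-User permissions each of the two roles is still missing, so you can confirm Step 4 took effect before launching instances. The account id, the cross-account role name and the sample policy are constructed placeholders; the sample deliberately shows the cross-account role added to only one of the two statements the console creates for Key Users.

```python
import json

# Actions the KMS console attaches to a principal listed under "Key Users":
# the "Allow use of the key" statement plus the grant statement EC2 needs
# when it attaches an encrypted EBS volume on that principal's behalf.
KEY_USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"}
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}

# Assumed role ARNs: placeholder account id and cross-account role name.
ACCOUNT = "111122223333"
SLR_ARN = (f"arn:aws:iam::{ACCOUNT}:role/aws-service-role/"
           "spot.amazonaws.com/AWSServiceRoleForEC2Spot")
SPOTINST_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/SpotinstCrossAccountRole"

# Constructed key policy: the service-linked role is a full key user, but the
# cross-account role was only added to the grant statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [SLR_ARN]},
         "Action": sorted(KEY_USE_ACTIONS), "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": [SLR_ARN, SPOTINST_ROLE_ARN]},
         "Action": sorted(GRANT_ACTIONS), "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]}

def _as_set(value):
    """Normalise a policy field that may be absent, a string or a list."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)

def allowed_actions(policy, principal_arn):
    """Actions that Allow statements grant explicitly to principal_arn.
    Wildcard principals and Deny statements are deliberately not expanded."""
    actions = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        if stmt.get("Effect") == "Allow" and principal_arn in _as_set(aws):
            actions |= _as_set(stmt.get("Action"))
    return actions

def missing_key_user_actions(policy, role_arns):
    """Map each role ARN to the Key-User actions the policy does not grant it."""
    required = KEY_USE_ACTIONS | GRANT_ACTIONS
    return {arn: sorted(required - allowed_actions(policy, arn)) for arn in role_arns}

if __name__ == "__main__":
    roles = [SLR_ARN, SPOTINST_ROLE_ARN]
    print(json.dumps(missing_key_user_actions(SAMPLE_POLICY, roles), indent=2))
```

To check a real key, feed the function the policy document returned by `aws kms get-key-policy --policy-name default` and the two ARNs from your own account.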


Step 5: Configure the Key in the Elastigroup Block Device Mapping

You can add the required key to the Elastigroup block device mapping configuration. For more information, see: Setting Block Device Mapping

Add the following parameter:

kmsKeyId – String – ID of the user-managed CMK under which the EBS volume is encrypted

Example 1:

"blockDeviceMappings": [
  {
    "deviceName": "/dev/sdf",
    "ebs": {
      "encrypted": true,
      "kmsKeyId": "bajkadk-12345-1234-1234-1234567",
      "volumeSize": 20
    }
  }
]

Example 2:

If you are using a snapshot that is already encrypted with the custom KMS key:

"blockDeviceMappings": [
  {
    "deviceName": "/dev/xvdb",
    "ebs": {
      "deleteOnTermination": false,
      "encrypted": true,
      "snapshotId": "snap-90gh20c09281b1234",
      "volumeType": "gp2"
    }
  }
]