To use KMS to encrypt ECS resources such as disks, snapshots, and images, you must grant ECS permissions to access KMS keys. When you share encrypted images or snapshots with another Alibaba Cloud account, you must grant the recipient's ECS service permission to access the KMS keys in your account.
Encrypt ECS resources
To encrypt ECS resources such as disks, snapshots, or images, select a KMS key and use KMS envelope encryption. You can use a service key from KMS or a customer master key (CMK) that you create. For more information about encryption keys, see Encrypt a disk.
Use service keys
You can use the ECS service key to encrypt specific resources in your ECS instances. Because ECS creates the service key, it can use the key directly without requiring additional permissions from you.

Use customer master keys (CMKs)
If you prefer not to use a service key, you can use a customer master key (CMK) that you create and manage. In this case, you must authorize ECS to use the CMK. The authorization process is as follows:
When you grant authorization, the system creates a system RAM role named AliyunECSDiskEncryptDefaultRole in your account. This role has permissions to access KMS. ECS assumes this role to use the CMK in KMS.
The following describes the authorization procedure:
The first time you select a CMK to encrypt an ECS resource, such as when creating an encrypted disk, you are prompted to grant authorization.

Click Authorize. The system automatically creates the AliyunECSDiskEncryptDefaultRole role and grants it the required permissions.
After authorization is complete, you can select your CMKs from KMS when configuring ECS resources.
Share encrypted resources across accounts
To share an encrypted image or snapshot with another Alibaba Cloud account or resource directory, you must allow the recipient to use the KMS key from your account that was used for encryption. This is accomplished by creating a RAM role in your account that the recipient's ECS service is trusted to assume. This role grants the recipient's ECS service the necessary permissions to access your KMS key.
1. Create a RAM role
In the account that owns the shared resource, create a RAM role that specifies an Alibaba Cloud account as the trusted entity. The role name must be specific to whether you are sharing an encrypted snapshot or an encrypted image. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
To share an encrypted snapshot, create a RAM role named AliyunECSShareEncryptSnapshotDefaultRole.
To share an encrypted image, create a RAM role named AliyunECSShareEncryptImageDefaultRole.
2. Modify the trust policy of the RAM role
On the Trust Policy tab, modify the trust policy to allow the ECS services of the recipient accounts or resource directories to assume the role. For more information, see Modify the trust policy of a RAM role. The following examples show modified trust policies.
Scenario 1: Share with other Alibaba Cloud accounts
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<UID1>@ecs.aliyuncs.com",
          "<UID2>@ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
The placeholders <UID1> and <UID2> represent the UIDs of the recipient Alibaba Cloud accounts. To share the snapshot or image with multiple accounts, add an entry for each UID.
Scenario 2: Share with a resource directory
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "*@ecs.aliyuncs.com"
      },
      "Condition": {
        "StringEquals": {
          "sts:ServiceOwnerRDId": "<resource-directory-id>"
        }
      }
    }
  ],
  "Version": "1"
}
The placeholder <resource-directory-id> represents the ID of the recipient resource directory. To learn how to view the ID of a resource directory, see View basic information about a resource directory.
Scenario 3: Share with a folder in a resource directory
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "*@ecs.aliyuncs.com"
      },
      "Condition": {
        "StringLike": {
          "sts:ServiceOwnerRDPath": "<resource-directory-id>/<root-folder-id>/.../<current-folder-id*>"
        }
      }
    }
  ],
  "Version": "1"
}
The placeholder <resource-directory-id>/<root-folder-id>/.../<current-folder-id*> represents the RDPath of the recipient folder. To learn how to view the RDPath of a folder, see View the basic information about a folder.
3. Create and attach a permissions policy
If your image is encrypted with a service key, attach the AliyunKMSFullAccess system policy to the RAM role. For the policy content, see AliyunKMSFullAccess.
If your image or snapshot is encrypted with a CMK, you must create a custom permissions policy and attach it to the RAM role. This policy grants ECS permission to use the specified KMS key. To learn how to manage the permissions of a RAM role, see Manage the permissions of a RAM role. The following code is an example policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "kms:List*",
      "Resource": "acs:kms:<region-id>:<account-id>:key",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "acs:kms:<region-id>:<account-id>:key/<key-id>",
      "Effect": "Allow"
    }
  ]
}
Replace the placeholders <region-id>, <account-id>, and <key-id> with the key's region ID, the key owner's Alibaba Cloud account ID, and the key ID, respectively.
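As an added example (not part of the Alibaba Cloud documentation), the following Python linter checks a share role's trust policy (step 2) and KMS permissions policy (step 3) against the patterns shown above: a wildcard *@ecs.aliyuncs.com principal must carry an sts:ServiceOwnerRDId or sts:ServiceOwnerRDPath condition, otherwise the ECS service of any Alibaba Cloud account could assume the role, and Encrypt/Decrypt/GenerateDataKey grants must name a single key ID rather than key/*. The sample policies, account IDs and key IDs are constructed.

```python
import json
import re

ECS_PRINCIPAL = re.compile(r"^(\*|\d+)@ecs\.aliyuncs\.com$")
RD_CONDITION_KEYS = {"sts:ServiceOwnerRDId", "sts:ServiceOwnerRDPath"}
SENSITIVE_KMS = {"kms:*", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}
# A resource pinned to exactly one key: acs:kms:<region-id>:<account-id>:key/<key-id>
SINGLE_KEY_ARN = re.compile(r"^acs:kms:[^:*]+:\d+:key/[^/*]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json):
    """Return findings for a share-role trust policy (empty list means OK)."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        cond_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        for svc in _as_list(stmt.get("Principal", {}).get("Service", [])):
            if not ECS_PRINCIPAL.match(svc):
                findings.append(f"unexpected principal {svc}: expected <UID>@ecs.aliyuncs.com")
            elif svc.startswith("*") and not cond_keys & RD_CONDITION_KEYS:
                # Scenarios 2 and 3 scope the wildcard with an RD condition;
                # without it, ECS in any Alibaba Cloud account may assume the role.
                findings.append("wildcard *@ecs.aliyuncs.com without sts:ServiceOwnerRDId/RDPath condition")
    return findings


def audit_kms_policy(policy_json):
    """Flag Encrypt/Decrypt/GenerateDataKey grants that are not pinned to one key ID."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = set(_as_list(stmt.get("Action")))
        if stmt.get("Effect") != "Allow" or not actions & SENSITIVE_KMS:
            continue
        for res in _as_list(stmt.get("Resource")):
            if not SINGLE_KEY_ARN.match(res):
                findings.append(f"resource {res} is not a single key ARN (acs:kms:<region-id>:<account-id>:key/<key-id>)")
    return findings


# Constructed samples: an unscoped wildcard trust policy and a key/* KMS grant.
BAD_TRUST = json.dumps({"Version": "1", "Statement": [{"Action": "sts:AssumeRole",
    "Effect": "Allow", "Principal": {"Service": "*@ecs.aliyuncs.com"}}]})
BAD_KMS = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["kms:Decrypt"], "Resource": "acs:kms:cn-hangzhou:123456789012345678:key/*"}]})

if __name__ == "__main__":
    for name, found in (("trust", audit_trust_policy(BAD_TRUST)), ("kms", audit_kms_policy(BAD_KMS))):
        print(name, found or ["OK"])
```

The page's own Scenario 1 to 3 trust policies and the CMK permissions policy produce no findings once their placeholders are filled in.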
4. Share resources with other accounts
For the next steps on sharing the resource, see the following topics:
To share an encrypted snapshot, see Share a snapshot.
To share an encrypted image, see Share a custom image.