Create an encrypted AMI for AWS Batch | How-to Guide

Jan 24, 2022

Create an encrypted AMI for AWS Batch with this handy guide from the in-house experts at Bobcares.

At Bobcares, we offer solutions for every query, big and small, as a part of our AWS Support Services.

Let’s take a look at how our Support Team helps customers create an encrypted AMI for AWS Batch.

How to create an encrypted AMI for AWS Batch

If you are looking for a way to encrypt your AMIs with your own keys, you are in the right place. Our Support Team is here to help you do this using customer-managed AWS Key Management Service (KMS) keys. Once the AMI is encrypted, AWS Batch instances can be launched from it.

How to create a snapshot of an Amazon ECS-optimized AMI

  1. First, we have to launch an Amazon EC2 instance based on the AMI.
  2. Next, we will create a snapshot of the root volume of the EC2 instance from the previous step.
  3. Finally, we have to terminate the EC2 instance from step 1 so that nothing else changes on the volume.

How to encrypt snapshot & create an AMI

  1. First, we have to open the Amazon EC2 console.
  2. Next, we will select Snapshots from the Elastic Block Store section in the navigation pane.
  3. After that, we will choose the snapshot we made earlier and click Actions and then select Copy.
  4. Here we will come across the Copy Snapshot window. Under Encryption, we have to select the Encrypt this snapshot option.
  5. Then, we have to choose the customer-managed AWS KMS key for Root Key.
  6. Next, we will select Copy and then Close.
  7. Once the encrypted snapshot moves to completed status, we have to select Actions followed by Create Image.

We can now use the encrypted AMI to launch the AWS Batch Instances.
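The same procedure driven through the EC2 API, as an added example that is not part of the original article: it snapshots the root volume of the instance launched in step 1, copies the snapshot with a customer-managed KMS key, confirms the finished copy really is encrypted with that key before anything is registered from it, terminates the source instance, and registers the AMI. The functions take a boto3 EC2 client as a parameter; the instance ID, key ARN, region and AMI name in the `__main__` block are placeholders, and the root device name and `gp3` volume type are assumptions for a typical ECS-optimized AMI.

```python
"""Build an encrypted AMI from an ECS-optimized AMI with the EC2 API (added example)."""


def root_volume_id(ec2, instance_id):
    """Return the volume ID attached at the instance's root device."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    root = inst["RootDeviceName"]
    for bdm in inst["BlockDeviceMappings"]:
        if bdm["DeviceName"] == root:
            return bdm["Ebs"]["VolumeId"]
    raise ValueError(f"no root volume found for {instance_id}")


def snapshot_volume(ec2, volume_id, description):
    """Create a snapshot of a volume and wait until it is completed."""
    snap = ec2.create_snapshot(VolumeId=volume_id, Description=description)
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])
    return snap["SnapshotId"]


def copy_snapshot_encrypted(ec2, snapshot_id, kms_key_arn, source_region):
    """Copy a snapshot, encrypting the copy with a customer-managed KMS key."""
    copy = ec2.copy_snapshot(
        SourceSnapshotId=snapshot_id,
        SourceRegion=source_region,
        Encrypted=True,
        KmsKeyId=kms_key_arn,
        Description=f"encrypted copy of {snapshot_id}",
    )
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy["SnapshotId"]])
    return copy["SnapshotId"]


def verify_snapshot_encryption(ec2, snapshot_id, kms_key_arn):
    """True only if the snapshot is encrypted and uses the expected key.

    The copy request asked for encryption; checking the finished snapshot
    guards against registering the AMI from the wrong (plaintext) snapshot.
    """
    snap = ec2.describe_snapshots(SnapshotIds=[snapshot_id])["Snapshots"][0]
    return bool(snap.get("Encrypted")) and snap.get("KmsKeyId") == kms_key_arn


def register_ami(ec2, snapshot_id, name, root_device="/dev/xvda"):
    """Register an HVM AMI whose root device is backed by the given snapshot."""
    resp = ec2.register_image(
        Name=name,
        Architecture="x86_64",  # assumption: x86_64 ECS-optimized AMI
        RootDeviceName=root_device,
        VirtualizationType="hvm",
        EnaSupport=True,
        BlockDeviceMappings=[{
            "DeviceName": root_device,
            "Ebs": {"SnapshotId": snapshot_id, "DeleteOnTermination": True,
                    "VolumeType": "gp3"},
        }],
    )
    return resp["ImageId"]


def build_encrypted_ami(ec2, instance_id, kms_key_arn, region, ami_name):
    """Run the whole procedure; return (encrypted snapshot ID, AMI ID)."""
    vol = root_volume_id(ec2, instance_id)
    plain = snapshot_volume(ec2, vol, f"root volume of {instance_id}")
    enc = copy_snapshot_encrypted(ec2, plain, kms_key_arn, region)
    if not verify_snapshot_encryption(ec2, enc, kms_key_arn):
        raise RuntimeError(f"{enc} is not encrypted with {kms_key_arn}")
    # Step 3 of the article: get rid of the source instance so nothing changes.
    ec2.terminate_instances(InstanceIds=[instance_id])
    return enc, register_ami(ec2, enc, ami_name)


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS

    REGION = "us-east-1"  # placeholder
    client = boto3.client("ec2", region_name=REGION)
    # Placeholders: the instance launched from the ECS-optimized AMI in step 1
    # and the ARN of the customer-managed KMS key.
    print(build_encrypted_ami(
        client, "i-PLACEHOLDER",
        "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER",
        REGION, "ecs-optimized-encrypted"))
```

The plaintext intermediate snapshot is left in place here, exactly as the console procedure leaves it; deleting it once the encrypted copy has been verified removes an unencrypted copy of the root volume from the account.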

How to offer service-linked role access to KMS key

Once we specify a customer-managed KMS key for Amazon EBS encryption, we have to give the correct service-linked role access to that key. This is what permits Amazon EC2 Auto Scaling to launch instances on our behalf. To grant that access, we have to modify the key policy of the KMS key.

Our Support Engineers recommend setting AWSServiceRoleForAutoScaling as the key user for the KMS key before updating the policy.

For instance, here is an example policy:

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

If we are using a Spot compute environment, we have to use AWSServiceRoleForEC2SpotFleet instead of AWSServiceRoleForAutoScaling as the principal in the above key policy.
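An added example, not Bobcares' code, that generates the key policy shown above for either kind of compute environment and then audits an existing key policy for the same requirements: it reports which KMS actions the service-linked role is still missing, and flags a policy that lets the role call kms:CreateGrant without the kms:GrantIsForAWSResource condition (that condition is what keeps the role from creating grants for anything other than AWS resources such as EBS volumes). It goes beyond the article by also building the Spot Fleet variant, whose service-linked role lives under the spotfleet.amazonaws.com path. The account ID 111122223333 is the placeholder from the article; the list of required actions is an assumption drawn from the wildcards in the policy above.

```python
"""Generate and audit the KMS key policy for a Batch compute environment (added example)."""
import fnmatch
import json

# Service-linked roles that launch instances for a Batch compute environment.
SERVICE_LINKED_ROLES = {
    "ondemand": "role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
    "spot": "role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet",
}

# Actions the role needs on the key (assumption: the concrete actions behind the
# article's "kms:ReEncrypt*" and "kms:GenerateDataKey*" wildcards).
REQUIRED_ACTIONS = frozenset({
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
})


def slr_arn(account_id, compute_kind):
    """ARN of the service-linked role for an 'ondemand' or 'spot' environment."""
    return f"arn:aws:iam::{account_id}:{SERVICE_LINKED_ROLES[compute_kind]}"


def build_key_policy(account_id, compute_kind="ondemand"):
    """Return the article's key policy as a dict, for the chosen role."""
    role = slr_arn(account_id, compute_kind)
    return {
        "Id": "key-consolepolicy-3",
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": role},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
            {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
             "Principal": {"AWS": role},
             "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
             "Resource": "*",
             # Grants may only be created on behalf of AWS resources (e.g. EBS).
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, role_arn):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    return role_arn in _as_list(principal.get("AWS", []))


def _grant_limited_to_aws_resources(statement):
    cond = statement.get("Condition", {}).get("Bool", {})
    return str(cond.get("kms:GrantIsForAWSResource", "")).lower() == "true"


def audit_key_policy(policy, role_arn):
    """Return (missing_actions, unconditioned_grant) for the given role.

    missing_actions: required actions no Allow statement grants the role.
    unconditioned_grant: True if some statement allows kms:CreateGrant to
    the role without the kms:GrantIsForAWSResource condition.
    """
    granted, unconditioned_grant = set(), False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_matches(stmt, role_arn):
            continue
        patterns = _as_list(stmt.get("Action", []))
        for action in REQUIRED_ACTIONS:
            if any(fnmatch.fnmatchcase(action, p) for p in patterns):
                granted.add(action)
                if action == "kms:CreateGrant" and not _grant_limited_to_aws_resources(stmt):
                    unconditioned_grant = True
    return REQUIRED_ACTIONS - granted, unconditioned_grant


if __name__ == "__main__":
    account = "111122223333"  # placeholder account from the article
    for kind in ("ondemand", "spot"):
        policy = build_key_policy(account, kind)
        print(json.dumps(policy, indent=4))
        print(kind, audit_key_policy(policy, slr_arn(account, kind)))
```

Running the audit against the existing policy of a key (for example the output of `aws kms get-key-policy --policy-name default`) before pointing a compute environment at it shows up the common failure, a policy that names the Auto Scaling role while the compute environment actually uses Spot Fleet, as a full set of missing actions for the Spot Fleet role.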

Conclusion

To sum up, our skilled Support Engineers at Bobcares demonstrated how to create an encrypted AMI for AWS Batch.
