amazon aws

1. Create Amazon S3 bucket: amazon ec2

The created S3 bucket stores the encrypted password file. Encryption of the file system happens using such a password or key. When a boot happens for an Amazon EC2 instance, the files are copied, the encrypted password is read, the password is decrypted, and the plaintext password is retrieved. Utilization of this password happens when encrypting the file system on the instance store disk. Through the first step, the creation of an S# bucket occurs to enable the storage of the encrypted password file on it. Application of necessary permissions happens afterward. Additional permissions to the bucket to enable endpoint access are necessary whenever using Amazon VPC endpoint for Amazon S3.

  1. Sign into the S3 bucket and select “Create Bucket”.
  2. Then, enter the bucket name in the box named “Bucket Name”, then click on “Create”.
  3. All the details of the newly created bucket will appear in the right pane.

2. Configure the IAM roles and permission for the created S3 bucket

Using AWS Key Management Service (KMS), the encrypted password could be decrypted after essentially the encrypted password file being read from S3. One could assume a role with the right access permissions to the bucket of S3 by applying the IAM policy which that is configured in this step. “your-bucket-name” is that bucket used for the purpose of saving and storing the password file on it.

  1. Sign into the AWS Management Console to reach the IAM console.
  2. Then go to the navigation pane to and select “policies”
  3. Afterward, click the “Create Policy” option.
  4. Then, select the “Create Your Own Policy” option.
  5. Get a name for the policy and a great description for it then proceed with the next step.
  6. Copy and paste the following policy at this point.
        "Version": "2012-10-17",
        "Statement": [
                "Sid": "Stmt1478729875000",
                "Effect": "Allow",
                "Action": [
                "Resource": [
  7. Then, select “Create Policy”.

  8. To elaborate on the previous policy, the bucket is granted through such policy to read. In other words, the encrypted password could be read because it is stored inside such bucket. The IAM role then needs configuration now since EC2 fundamentally uses the previous policy.
  9. One should select “Roles”  inside the IAM console.
  10. Choose “Create New Role” now.

  11. Inside the first step of “Role Name”, create a name for the role and then press “Next Step”.
  12. Inside the second step of “Select Role Type”, select “Amazon EC2” and then press “Next Step”.
  13. Inside the third step of “Established Trust”, press “Next Step”.
  14. Inside the fourth step of “Attach Policy”, select the policy created in the first step. The following figure illustrates this point in a more concise way. amazon ec2
  15. Inside the fifth step of “Review”, review the configuration before finishing the steps. The IAM role which we just created can be used now with any new launch of EC2 instances, having an access permission on encrypted password file stored in the S3 bucket.
  16. The newly created IAM role becomes listed on the page of “Roles” there.
  17. Finally, select “Roles” and then select the newly created role as illustrated by the upcoming image. class=

3.Encrypt a secret password with KMS and store it inside S3 bucket

In order to accomplish this step successfully, one has to utilize AWS CLI. Fortunately, EC2 Amazon Linux instances already have AWS CLI by default on them. One could further install it on Windows, Mac, or Linux systems as well.

  1. Type the following command in AWS CLI. It will make use of KMS to encrypt the password. Note that you should replace “region name” with your region. In addition, creating keys and putting objects in S3 requires specific permissions that must be present before typing this command.
    aws --region us-east-one kms encrypt --key-id 'alias/EncFSForEC2InternalStorageKey' --plaintext "ThisIs-a-SecretPassword" --query CiphertextBlob --output text | base64 --decode > LuksInternalStorageKey
    aws s3 cp LuksInternalStorageKey s3://<bucket-name>/LuksInternalStorageKey
  2. The file name “LuksInternalStorageKey” will have the encrypted password as per the last used command.
  3. The key alias or name, which is useful for identifying diverse keys, has the name “EncFSForEC2InternalStorageKey”


  1. Make the KMS key accessible by the role

  1. Get to the IAM console and especially the navigation pane and choose “Encryption keys”.
  2. Then, choose the key alias named “EncFSForEC2InternalStorageKey”.
  3. If a new role is desired to get installed, and it is actually desired, then “Key Policy” should be scrolled down to it where “Add” should be selected under “Key Users” amazon ec2
  4. At this step, choose the newly created role and then press “Attach”.
  5. Now, this grants the access permission of the key to the role.


  1. Configure EC2 with role and configurations run

  1. Launch a new instance inside the EC2 console. But inside the third step “Configure Instance Details”, the IAM role has to be selected as shown in the following figure. amazoon ec2
  2. Expand the section of “Advanced Details” to the previously displayed screen.
  3. Inside “User Data, keep “As text” checked as it is by default. Then, copy and paste the following script into the text box.

    ## Initial setup to be executed on boot
    # Create an empty file. This file will be used to host the file system.
    # In this example we create a 2 GB file called secretfs (Secret File System).
    dd of=secretfs bs=1G count=0 seek=2
    # Lock down normal access to the file.
    chmod 600 secretfs
    # Associate a loopback device with the file.
    losetup /dev/loop0 secretfs
    #Copy encrypted password file from S3. The password is used to configure LUKE later on.
    aws s3 cp s3://an-internalstoragekeybucket/LuksInternalStorageKey .
    # Decrypt the password from the file with KMS, save the secret password in LuksClearTextKey
    LuksClearTextKey=$(aws --region us-east-1 kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)
    # Encrypt storage in the device. cryptsetup will use the Linux
    # device mapper to create, in this case, /dev/mapper/secretfs.
    # Initialize the volume and set an initial key.
    echo "$LuksClearTextKey" | cryptsetup -y luksFormat /dev/loop0
    # Open the partition, and create a mapping to /dev/mapper/secretfs.
    echo "$LuksClearTextKey" | cryptsetup luksOpen /dev/loop0 secretfs
    # Clear the LuksClearTextKey variable because we don't need it anymore.
    unset LuksClearTextKey
    # Check its status (optional).
    cryptsetup status secretfs
    # Zero out the new encrypted device.
    dd if=/dev/zero of=/dev/mapper/secretfs
    # Create a file system and verify its status.
    mke2fs -j -O dir_index /dev/mapper/secretfs
    # List file system configuration (optional).
    tune2fs -l /dev/mapper/secretfs
    # Mount the new file system to /mnt/secretfs.
    mkdir /mnt/secretfs
    mount /dev/mapper/secretfs /mnt/secretfs
  4. On your account, enable CloudTrail.
  5. Finally, launch the EC2 instance. Such instance will copy the password file from S3, use KMS to decrypt the file, and configure an encrypted file system.


span class=”span_all”>References


Please enter your comment!
Please enter your name here