At "AWS console > KMS > AWS managed keys", I see "aws/ebs" under some regions, and some regions do not have an AWS managed "aws/ebs" key. I understand that we can create "Customer managed keys". But how can I create or initiate an AWS managed key so that I have "aws/ebs" in all the regions I want?
2 Answers
1
aws/ebs is an AWS managed key. It's created automatically in any region where you create an EBS volume with AWS managed keys.
You can also create your own Customer Managed Key (CMK) in any region and tell EBS to use that key for encryption. The main difference is you can set the KMS key policy however you want it, to lock down administration and use, and you're charged $1 / month / backing key. You're not charged the $1/month for AWS managed keys, but you're charged key usage regardless of who manages the key.
Tim
0
To be precise, this appears to be creating the AWS managed keys:
aws ec2 create-volume \
--volume-type gp2 \
--size 80 \
--encrypted \
--availability-zone us-east-1a
The following is used when we already have a KMS key in hand:
aws ec2 create-volume \
--volume-type gp2 \
--size 80 \
--encrypted \
--kms-key-id 0ea3fef3-80a7-4778-9d8c-1c0c6EXAMPLE \
--availability-zone us-east-1a
james
Yes, that's one implementation for the concepts I described above. – Tim Nov 06 '20 at 01:26
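Both answers hinge on one behaviour: aws/ebs only appears in a region after the first encrypted EBS volume is created there. The script below is an added example (not code from either answer) that audits which regions already have a materialized aws/ebs key and, on request, materializes it by creating and then deleting a small encrypted volume, which is what the create-volume command above does. It assumes the KMS ListAliases response shape: AWS managed aliases such as alias/aws/ebs are listed as predefined aliases without a TargetKeyId until the key exists, so checking for the alias name alone is not enough. The region list, sample alias responses and key id are constructed for offline use; the live path needs boto3 and credentials.

```python
"""Audit and, if needed, materialize the AWS managed EBS key (alias/aws/ebs) per region.

Added example, not from the original answers. Assumption: in KMS ListAliases output an
AWS managed alias is listed *without* "TargetKeyId" until its key has been created.
"""

EBS_ALIAS = "alias/aws/ebs"


def aws_ebs_key_state(aliases):
    """Classify one region's ListAliases entries.

    Returns "materialized" (alias bound to a key id), "predefined" (alias listed but
    the key does not exist yet) or "absent" (alias not listed at all).
    """
    for entry in aliases:
        if entry.get("AliasName") == EBS_ALIAS:
            return "materialized" if entry.get("TargetKeyId") else "predefined"
    return "absent"


def audit_regions(list_aliases, regions):
    """Map region -> state using list_aliases(region) -> list of alias dicts."""
    return {region: aws_ebs_key_state(list_aliases(region)) for region in regions}


def regions_without_key(states):
    """Regions where an encrypted volume still has to be created to get aws/ebs."""
    return sorted(r for r, state in states.items() if state != "materialized")


def list_aliases_live(region):
    """Fetch every alias in a region via boto3, following pagination (live AWS call)."""
    import boto3  # imported here so the offline functions above work without boto3

    client = boto3.client("kms", region_name=region)
    aliases = []
    for page in client.get_paginator("list_aliases").paginate():
        aliases.extend(page["Aliases"])
    return aliases


def materialize_ebs_key(region, availability_zone):
    """Trigger creation of aws/ebs by creating a 1 GiB encrypted volume, then delete it.

    Mirrors the create-volume command in the answer above (no --kms-key-id, so EBS
    uses the AWS managed key). Live AWS call; the temporary volume is removed once
    it reaches the "available" state.
    """
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    volume_id = ec2.create_volume(
        AvailabilityZone=availability_zone, Size=1, VolumeType="gp2", Encrypted=True
    )["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.delete_volume(VolumeId=volume_id)
    return volume_id


# Constructed sample responses (not real account data) for running offline.
SAMPLE_ALIASES = {
    "us-east-1": [
        {"AliasName": "alias/aws/ebs", "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
        {"AliasName": "alias/aws/s3"},
    ],
    "eu-west-1": [{"AliasName": "alias/aws/ebs"}],  # predefined, key not created yet
    "ap-south-1": [],  # alias not listed at all
}
SAMPLE_REGIONS = ["us-east-1", "eu-west-1", "ap-south-1"]


if __name__ == "__main__":
    try:
        import boto3  # noqa: F401
        states = audit_regions(list_aliases_live, SAMPLE_REGIONS)
    except ImportError:
        states = audit_regions(lambda r: SAMPLE_ALIASES[r], SAMPLE_REGIONS)
    for region, state in states.items():
        print(f"{region}: {state}")
    print("needs an encrypted volume first:", regions_without_key(states))
```

Run it without boto3 to see the classification on the constructed data; with boto3 and credentials it audits the listed regions for real, and materialize_ebs_key(region, az) does the same thing as the first create-volume command in the answer, minus the leftover 80 GiB volume.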