Encryption Key Management for EC2 Compute Clusters

Question

Pulumi · Accepted Answer

When managing encryption for EC2 compute clusters on AWS, you would typically use AWS Key Management Service (KMS). KMS allows you to create and manage cryptographic keys and control their use across a wide range of AWS services and applications. The keys are used to encrypt and decrypt data, and you can set policies to control access to them.

To get started, we'll create a KMS key and an alias for easier reference. Then, we will configure an EC2 instance to use this key, ensuring that the volumes attached to the EC2 instances (like the root device volume or additional EBS volumes) are encrypted with this key.

Here's how you can accomplish this with Pulumi in Python:

```python
import pulumi
import pulumi_aws as aws

# Create a KMS Key for encrypting your data.
kms_key = aws.kms.Key("my-cluster-kms-key",
                      description="KMS key for EC2 cluster",
                      policy="""{
                          "Version": "2012-10-17",
                          "Statement": [{
                              "Effect": "Allow",
                              "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:root"},
                              "Action": "kms:*",
                              "Resource": "*"
                          }]
                      }""")

# Create an alias for the key for easier reference.
kms_alias = aws.kms.Alias("my-cluster-kms-key-alias",
                          target_key_id=kms_key.id,
                          name="alias/myClusterKey")

# Provision an EC2 instance using the KMS key for volume encryption.
ec2_instance = aws.ec2.Instance("my-cluster-instance",
                                instance_type="t2.micro",
                                ami="ami-0c55b159cbfafe1f0",  # Example AMI ID; replace with a valid one.
                                key_name="my-key-pair",
                                root_block_device=aws.ec2.InstanceRootBlockDeviceArgs(
                                    encrypted=True,
                                    kms_key_id=kms_key.id,
                                ))

# Export the KMS Key ID and EC2 instance ID as stack outputs.
pulumi.export('kms_key_id', kms_key.id)
pulumi.export('ec2_instance_id', ec2_instance.id)
```

In this program, we first create a KMS key, using a policy that grants full access to the key to the AWS root user. We also attach a human-readable alias to the key for easier management.

Next, we provision an EC2 instance, `t2.micro` in this case, and specify an AMI. For the root block device (which is the boot volume), we set `encrypted=True` and pass the `kms_key_id`. This ensures that the root volume is encrypted with our KMS key.

Finally, we export the KMS Key ID and the EC2 instance ID as stack outputs, which can be helpful for managing and referencing the infrastructure outside of Pulumi.

Remember to replace `"ami-0c55b159cbfafe1f0"` with a valid AMI ID from your AWS region, and `"my-key-pair"` with the name of an SSH key pair already uploaded to AWS if you want to SSH into the instance.

This program assumes you have already configured Pulumi with the appropriate AWS credentials and settings. If you're new to Pulumi, you can follow the [Get Started with AWS](https://www.pulumi.com/docs/get-started/aws/) guide to set up your environment.