How can I view encryption information about my AMI or snapshot?


I want to know if my Amazon Machine Image (AMI) or snapshot is encrypted. If it is, then I want to know if it uses an AWS Key Management Service (AWS KMS) managed key or a customer managed key.

Resolution


Use AWS CLI commands to view encryption information

1.    To view the snapshots that are associated with the AMI, run the describe-images command with the BlockDeviceMappings query filter. In the following example, replace image-ids and region with the ID and AWS Region of your AMI.

# aws ec2 describe-images --image-ids ami-xxxxxxxxx --region eu-west-1 --query "Images[*].BlockDeviceMappings"
[
	[{
		"DeviceName": "/dev/xvda",
		"Ebs": {
			"DeleteOnTermination": true,
			"SnapshotId": "snap-xxxxxxxxx",
			"VolumeSize": 8,
			"VolumeType": "gp2",
			"Encrypted": true
		}
	}]
]

The preceding example output shows the snapshot that's associated with the AMI. The Encrypted parameter of the snapshot is set to true.

2.    Run the describe-snapshots command. Use the snapshot-id of the snapshot that's listed in the output of the describe-images command:

# aws ec2 describe-snapshots --snapshot-ids snap-xxxxxxxxx --region eu-west-1
{
	"Snapshots": [{
		"Description": "Copied for DestinationAmi ami-xxxxxxxxx from SourceAmi ami-xxxxxxxxx for SourceSnapshot snap-xxxxxxxxx. Task created on 1,579,611,950,318.",
		"Encrypted": true,
		"KmsKeyId": "arn:aws:kms:eu-west-1:9208xxxxxxxxx:key/dcd4d062-xxxxxxxxx-xxxxxxxxxx",
		"OwnerId": "111122223333",
		"Progress": "100%",
		"SnapshotId": "snap-xxxxxxxxx",
		"StartTime": "2020-01-21T13:05:53.887Z",
		"State": "completed",
		"VolumeId": "vol-ffffffff",
		"VolumeSize": 8
	}]
}

In the command output, note the KmsKeyId.

3.    To determine whether the key is an AWS managed key or a customer managed key, run the describe-key command. In the following command, replace key-id with the KmsKeyId that's listed in the describe-snapshots output. Replace region with the snapshot's Region.

# aws kms describe-key --key-id dcd4d062-xxxxxxxxx-xxxxxxxxx --region eu-west-1
{
	"KeyMetadata": {
		"AWSAccountId": "92xxxxxxxxx",
		"KeyId": "dcd4d062-xxxxxxxxx-xxxxxxxx",
		"Arn": "arn:aws:kms:eu-west-1:92xxxxxxxxx:key/dcd4d062-xxxxxxxxx-xxxxxxx",
		"CreationDate": 1579611763.538,
		"Enabled": true,
		"Description": "02-example-CMK",
		"KeyUsage": "ENCRYPT_DECRYPT",
		"KeyState": "Enabled",
		"Origin": "AWS_KMS",
		"KeyManager": "CUSTOMER",
		"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
		"EncryptionAlgorithms": ["SYMMETRIC_DEFAULT"]
	}
}

In the preceding example output, the KeyManager parameter is CUSTOMER. This indicates that the key is a customer managed key. For an AWS managed key, the KeyManager parameter is AWS.
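The three CLI steps above can be chained so that every snapshot behind an AMI is classified in one pass, including AMIs with several volumes, unencrypted volumes, and instance-store mappings that have no snapshot. This is an added example, not code from the original article; the `run` hook that executes an aws CLI argument list and returns its parsed JSON output is an assumption of this example, so the real CLI can be swapped for canned responses in offline tests.

```python
"""Chain describe-images -> describe-snapshots -> describe-key (the article's
steps 1-3) to classify the encryption of every EBS snapshot behind an AMI.
Added example, not part of the original article; `run` is an assumed hook
that executes an aws CLI argument list and returns its parsed JSON output."""
import json
import subprocess

# KeyManager values returned by describe-key, mapped to readable labels.
KEY_MANAGER_LABELS = {"AWS": "aws-managed", "CUSTOMER": "customer-managed"}


def run_aws_cli(args):
    """Default runner: invoke the real aws CLI and parse its JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def classify_key(key_metadata):
    """Step 3: label a KMS key from the KeyManager field of its KeyMetadata."""
    return KEY_MANAGER_LABELS.get(key_metadata.get("KeyManager"), "unknown")


def audit_ami_encryption(image_id, region, run=run_aws_cli):
    """Return {snapshot_id: {"encryption", "kms_key_id", "shareable"}} for an AMI."""
    images = run(["ec2", "describe-images", "--image-ids", image_id,
                  "--region", region])
    report = {}
    for image in images.get("Images", []):
        for mapping in image.get("BlockDeviceMappings", []):
            ebs = mapping.get("Ebs") or {}
            if "SnapshotId" not in ebs:
                continue  # instance-store or ephemeral mapping: no snapshot
            snap_id = ebs["SnapshotId"]
            snap = run(["ec2", "describe-snapshots", "--snapshot-ids", snap_id,
                        "--region", region])["Snapshots"][0]
            entry = {"encryption": "none", "kms_key_id": None, "shareable": True}
            if snap.get("Encrypted"):
                key_id = snap["KmsKeyId"]
                key = run(["kms", "describe-key", "--key-id", key_id,
                           "--region", region])
                entry["encryption"] = classify_key(key["KeyMetadata"])
                entry["kms_key_id"] = key_id
                # AMIs encrypted with an AWS managed key cannot be shared;
                # only a customer managed key is treated as shareable here.
                entry["shareable"] = entry["encryption"] == "customer-managed"
            report[snap_id] = entry
    return report
```

Call `audit_ami_encryption("ami-xxxxxxxxx", "eu-west-1")` with credentials that allow ec2:DescribeImages, ec2:DescribeSnapshots and kms:DescribeKey; the KeyManager check is the same one the article's step 3 reads by eye.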

Use the console to view encryption information

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console, and then choose AMIs.
  2. Copy the ID of the AMI that you want details for.
  3. Under Elastic Block Store, choose Snapshots.
  4. Enter the AMI ID, and then press ENTER.
  5. Select the snapshot, and then on the Description tab, verify if Encryption is set to Encrypted or Not Encrypted. If the snapshot is encrypted, then note the KMS Key ID and KMS Key ARN.
  6. Open the AWS KMS console.
  7. Choose AWS managed keys, and then enter the KMS Key ID. If no results appear, then choose Customer managed keys, and then enter the KMS Key ID.

Note: You can't share AMIs that are encrypted with an AWS managed key. For more information, see Before you share a snapshot.

Related information

AWS KMS concepts

AWS OFFICIAL
Updated 8 months ago