
Elastic Compute Service:Grant access to KMS keys through RAM roles

Last Updated:Aug 06, 2024

When you use Key Management Service (KMS) to encrypt Elastic Compute Service (ECS) resources (such as disks, snapshots, or images), you must grant ECS access to KMS through a Resource Access Management (RAM) role. Additionally, if you want to share encrypted snapshots or images with other Alibaba Cloud accounts, you must first grant the account you share with access to the KMS keys. This topic describes the scenarios in which KMS encryption is used on ECS and the RAM roles and permissions each scenario requires.

For more information about RAM roles, see Identities.

Encryption permission for ECS resources

  • Permission description

    When you use a KMS master key to encrypt ECS resources for the first time, you need to grant ECS access to the KMS key.

    Note

    When you encrypt ECS resources in a region for the first time, the system automatically creates a service key dedicated to ECS in the KMS instance of the current region. The service key is named Default Service CMK and has the alias alias/acs/ecs. No authorization is required when the service key is used for encryption.

  • RAM role

    AliyunECSDiskEncryptDefaultRole

  • Configuration method

    1. Activate KMS. For details, see Purchase and enable a KMS instance.

    2. The first time you select a KMS master key to encrypt ECS resources, for example when you create an encrypted disk, you are prompted to grant permissions to the RAM role. Follow the guidance to complete the authorization. The system automatically creates the AliyunECSDiskEncryptDefaultRole role and grants it the required permissions.

    After authorization is completed, you can use the master key that you created to encrypt ECS resources.
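The security-relevant property of the role above is its trust policy: only the ECS service should be able to assume AliyunECSDiskEncryptDefaultRole, otherwise any principal that can assume it inherits ECS's access to your KMS keys. The following audit helper is an added example, not code from this topic or from Alibaba Cloud; it assumes the standard RAM trust-policy layout (Statement / Action / Effect / Principal) and that ecs.aliyuncs.com is the ECS service principal, and runs over a constructed sample document.

```python
import json

# Assumption: the service principal ECS uses when it assumes a RAM role.
ECS_SERVICE_PRINCIPAL = "ecs.aliyuncs.com"

# Constructed sample shaped like a RAM role's trust policy (not copied
# from the console); it trusts only the ECS service.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"Service": ["ecs.aliyuncs.com"]},
    }],
})


def _as_list(value):
    """RAM policies allow a string or a list in most fields; normalise."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(document, expected_service=ECS_SERVICE_PRINCIPAL):
    """Return findings for a RAM role trust policy (empty list = clean).

    Every Allow statement covering sts:AssumeRole must name only the
    expected service principal: no wildcard, no RAM user or foreign
    account, and the expected service must actually be trusted.
    """
    findings, service_trusted = [], False
    for idx, stmt in enumerate(json.loads(document).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {idx}: wildcard principal can assume the role")
            continue
        for kind, members in principal.items():
            for member in _as_list(members):
                if kind == "Service" and member == expected_service:
                    service_trusted = True
                else:
                    findings.append(f"statement {idx}: unexpected {kind} principal {member!r}")
    if not service_trusted:
        findings.append(f"no Allow statement lets {expected_service} assume the role")
    return findings
```

Run it against the AssumeRolePolicyDocument you retrieve for the role; any finding means the role can be assumed by something other than ECS and should be corrected before the role is relied on for disk encryption.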

Cross-account access to encrypted resources

  • Permission description: If you want to share encrypted snapshots or images with other Alibaba Cloud accounts, you must grant ECS access to the KMS keys through the AliyunECSDiskEncryptDefaultRole role. Additionally, you must create a RAM role and attach a policy that grants it the required permissions. Then you can share the encrypted snapshots or images with other Alibaba Cloud accounts.

  • Role names

    • Share encrypted snapshots: AliyunECSShareEncryptSnapshotDefaultRole

    • Share encrypted images: AliyunECSShareEncryptImageDefaultRole

  • Configuration method