Encryption at rest can be achieved on AWS with encrypted volumes with KMS keys
...
- Alias: core-nex-uat or core-nex-prd
- Description: Encryption for Nex! volumes
- Key material origin: KMS
- Tags: environment => uat
- Key Admins: gapps-superadmin, gapps-poweruser
- Key usage: mcluster_dev, gapps-superadmin, gapps-poweruser
Authorise KMS Policy
The Nex! Orchestrator IAM User must be allowed to access the KMS key. Ensure the Nex! Orchestrator policy contains the action "kms:*"
Code Block |
---|
{ "Statement": [ { "Sid": "Stmt1340424171166", "Action": [ "ec2:*", "elasticloadbalancing:*", "kms:*" ], "Effect": "Allow", "Resource": [ "*" ] } ] } |
Configure Nex! Orchestrator
The KMS key ARN must be set in the Nex! configuration. Get the ARN from the AWS Console key details (eg: arn:aws:kms:us-east-1:681271161082:key/50997aaf-7603-421f-8514-4e758738eeb7)
In Nex! configuration, set the parameter
Code Block |
---|
compute: lxc: ... encrypted: true volume_encryption_key_id: southeast-1: arn:aws:kms:usap-eastsoutheast-1:681271161082:key/50997aaf53bd91c9-76030156-421f4e1a-8514b9b3-4e758738eeb76789052078fc ... docker: ... encrypted: true volume_encryption_key_id: southeast-1: arn:aws:kms:usap-eastsoutheast-1:681271161082:key/50997aaf53bd91c9-76030156-421f4e1a-8514b9b3-4e758738eeb76789052078fc ... |