Encryption at rest on AWS is achieved with encrypted EBS volumes whose data keys are protected by a KMS key. Create a customer managed key per environment with the following settings:
...
- Alias: core-nex-uat or core-nex-prd
- Description: Encryption for Nex! volumes
- Key material origin: KMS
- Tags: environment => uat
- Key Admins: gapps-superadmin, gapps-poweruser
- Key usage: mcluster_dev, gapps-superadmin, gapps-poweruser
Authorise KMS Policy
The Nex! Orchestrator IAM user must be allowed to use the KMS key. The policy below is the one the orchestrator currently carries: its "kms:*" on Resource "*" does let the orchestrator use the key, but it also lets it administer every KMS key in the account (including scheduling key deletion). Volume encryption only needs kms:CreateGrant, kms:Decrypt, kms:DescribeKey, kms:GenerateDataKeyWithoutPlaintext and kms:ReEncrypt* on this key's ARN, so scope the KMS statement to that where possible. Note that an IAM policy alone is not sufficient: the key policy attached to the key must either delegate to IAM (the console default "Enable IAM User Permissions" statement for the account root) or list the orchestrator user among the key users (see Key usage above), otherwise KMS denies the call regardless of the IAM policy.
```json
{
  "Statement": [
    {
      "Sid": "Stmt1340424171166",
      "Action": [
        "ec2:*",
        "elasticloadbalancing:*",
        "kms:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
```
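The script below is an added example, not part of the original page or of Nex! itself. It builds a least-privilege replacement for the policy above (KMS usage limited to the Nex! key ARN, with kms:CreateGrant restricted to grants created on behalf of an AWS service, the pattern EBS needs) and includes a small audit that flags Allow statements granting "kms:*" or "*" on every resource, which is exactly what the page's current policy does. The statement Sids starting with "Nex" are made up for the example; the key ARN is the one shown on this page.

```python
import json

# Key ARN from this page (UAT key in account 681271161082).
KEY_ARN = "arn:aws:kms:us-east-1:681271161082:key/50997aaf-7603-421f-8514-4e758738eeb7"

# Copy of the orchestrator policy shown on the page, used as audit input.
PAGE_POLICY = {
    "Statement": [
        {
            "Sid": "Stmt1340424171166",
            "Action": ["ec2:*", "elasticloadbalancing:*", "kms:*"],
            "Effect": "Allow",
            "Resource": ["*"],
        }
    ]
}

# KMS actions EBS invokes on a customer managed key when it creates,
# attaches and snapshots encrypted volumes.
EBS_KMS_USAGE_ACTIONS = [
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncrypt*",
]


def scoped_policy(key_arn: str) -> dict:
    """Return a policy document with the EC2/ELB statement from the page kept
    as-is and the KMS permissions narrowed to key_arn. Sids are illustrative."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "NexComputeAndLoadBalancing",
                "Effect": "Allow",
                "Action": ["ec2:*", "elasticloadbalancing:*"],
                "Resource": "*",
            },
            {
                "Sid": "NexVolumeKeyUsage",
                "Effect": "Allow",
                "Action": EBS_KMS_USAGE_ACTIONS,
                "Resource": key_arn,
            },
            {
                # CreateGrant is only needed so EC2 can use the key on the
                # orchestrator's behalf; the condition blocks grants to anything else.
                "Sid": "NexVolumeKeyGrants",
                "Effect": "Allow",
                "Action": "kms:CreateGrant",
                "Resource": key_arn,
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action / Resource.
    return value if isinstance(value, list) else [value]


def wildcard_kms_grants(policy: dict) -> list:
    """Return the Sids of unconditional Allow statements that grant "kms:*"
    (or the bare "*") on every resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "kms:*") for a in actions) and "*" in resources:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print("Over-broad KMS grants in page policy:", wildcard_kms_grants(PAGE_POLICY))
    print(json.dumps(scoped_policy(KEY_ARN), indent=2))
```

For the production key, call scoped_policy with the core-nex-prd key ARN instead; the audit function can be pointed at any policy document returned by the IAM API to catch the same pattern elsewhere in the account.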
Configure Nex! Orchestrator
The KMS key ARN must be set in the Nex! configuration. Get the ARN from the key details page in the AWS Console (e.g. arn:aws:kms:us-east-1:681271161082:key/50997aaf-7603-421f-8514-4e758738eeb7). Use the key of the matching environment (core-nex-uat or core-nex-prd).
In the Nex! configuration, set the following parameters for each compute backend:
```yaml
compute:
  lxc:
    ...
    encrypted: true
    volume_encryption_key_id: arn:aws:kms:us-east-1:681271161082:key/50997aaf-7603-421f-8514-4e758738eeb7
    ...
  docker:
    ...
    encrypted: true
    volume_encryption_key_id: arn:aws:kms:us-east-1:681271161082:key/50997aaf-7603-421f-8514-4e758738eeb7
    ...
```
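Once the orchestrator has been reconfigured, the check a practitioner wants is that the volumes it creates really are encrypted with this key rather than left unencrypted or encrypted with the account's default aws/ebs key. The script below is an added example, not part of the original page or of Nex!: it takes the JSON that `aws ec2 describe-volumes` returns and reports every volume whose encryption state or KmsKeyId does not match the expected ARN. The embedded describe-volumes output is constructed for the example (the volume IDs and the second key ARN are made up); the expected key ARN is the one from the configuration above.

```python
import json
import sys

# Key ARN from the Nex! configuration above.
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:681271161082:key/50997aaf-7603-421f-8514-4e758738eeb7"

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
# Volume IDs and the 0000... key ARN are invented for the example.
SAMPLE_DESCRIBE_VOLUMES = json.loads("""
{
  "Volumes": [
    {"VolumeId": "vol-0aaa111", "Encrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:681271161082:key/50997aaf-7603-421f-8514-4e758738eeb7",
     "Tags": [{"Key": "environment", "Value": "uat"}]},
    {"VolumeId": "vol-0bbb222", "Encrypted": false,
     "Tags": [{"Key": "environment", "Value": "uat"}]},
    {"VolumeId": "vol-0ccc333", "Encrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:681271161082:key/00000000-0000-4000-8000-000000000000",
     "Tags": [{"Key": "environment", "Value": "uat"}]},
    {"VolumeId": "vol-0ddd444", "Encrypted": false,
     "Tags": [{"Key": "environment", "Value": "prd"}]}
  ]
}
""")


def audit_volumes(describe_output: dict, expected_key_arn: str, environment: str = None) -> dict:
    """Return {volume_id: reason} for every volume that is not encrypted with
    expected_key_arn. When environment is given, only volumes carrying the
    tag environment=<value> are inspected, mirroring the key's own tag."""
    findings = {}
    for vol in describe_output.get("Volumes", []):
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
        if environment is not None and tags.get("environment") != environment:
            continue
        if not vol.get("Encrypted", False):
            findings[vol["VolumeId"]] = "not encrypted"
        elif vol.get("KmsKeyId") != expected_key_arn:
            # Typically the account default aws/ebs key or a key from another environment.
            findings[vol["VolumeId"]] = "encrypted with unexpected key " + str(vol.get("KmsKeyId"))
    return findings


if __name__ == "__main__":
    # Pipe real output in, e.g.:
    #   aws ec2 describe-volumes --filters Name=tag:environment,Values=uat | python3 audit_volumes.py
    # With no piped input the constructed sample is used.
    data = SAMPLE_DESCRIBE_VOLUMES if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit_volumes(data, EXPECTED_KEY_ARN, environment="uat")
    for volume_id, reason in sorted(findings.items()):
        print(f"{volume_id}: {reason}")
    sys.exit(1 if findings else 0)
```

Note that an existing unencrypted volume cannot be encrypted in place; a volume the audit flags has to be snapshotted and recreated with the key (or rebuilt by the orchestrator after the configuration change).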