01 Define the access policy that enables the specified IAM users and/or roles to manage the new KMS Customer Master Key (CMK) and to encrypt/decrypt volume data using the AWS KMS API. Create a new policy document named sg-volume-cmk-policy.json and paste the following content, replacing the account ID and the ARNs of the IAM users and/or roles with your own details:
   
{
  "Version": "2012-10-17",
  "Id": "sg-volume-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/SGVolumeManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/SGVolumeAdmin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/SGVolumeAdmin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
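Before running create-key against this document it is worth linting it: a key policy that drops the account root, opens a statement to a wildcard principal, or lets usage principals create arbitrary grants is the usual way a CMK becomes unmanageable or over-shared. The following checker is an added example, not part of the original page; it rebuilds the page's policy as a constructed sample (the placeholder account 123456789012 and the SGVolumeManager/SGVolumeAdmin principals are the page's own placeholders), plus a deliberately weak variant, and reports findings for each.

```python
"""Review a KMS key policy such as sg-volume-cmk-policy.json before create-key.

Added example (not from the original page). Checks performed:
  * Version is 2012-10-17;
  * some statement lets the account root administer the key;
  * no Allow statement uses a wildcard principal;
  * every principal ARN belongs to the expected account;
  * non-administrative statements that allow kms:CreateGrant carry the
    kms:GrantIsForAWSResource condition (grants only for AWS services).
"""
import json
import re
import sys

ACCOUNT = "123456789012"  # placeholder account id used throughout the page
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")

# Action lists copied from the page's policy.
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"]
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
GRANT_COND = {"Bool": {"kms:GrantIsForAWSResource": "true"}}


def _stmt(sid, principal, actions, condition=None):
    """Build one Allow statement in the shape used by the page's policy."""
    s = {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principal},
         "Action": actions, "Resource": "*"}
    if condition:
        s["Condition"] = condition
    return s


# The page's policy, rebuilt as a constructed sample document.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "sg-volume-custom-key-policy", "Statement": [
    _stmt("Enable IAM User Permissions", f"arn:aws:iam::{ACCOUNT}:root", "kms:*"),
    _stmt("Grant access to CMK manager", f"arn:aws:iam::{ACCOUNT}:role/SGVolumeManager", ADMIN_ACTIONS),
    _stmt("Allow the use of the CMK", f"arn:aws:iam::{ACCOUNT}:user/SGVolumeAdmin", USE_ACTIONS),
    _stmt("Allow attachment of persistent resources", f"arn:aws:iam::{ACCOUNT}:user/SGVolumeAdmin", GRANT_ACTIONS, GRANT_COND),
]})

# Constructed weak variant: wildcard principal, unconditional grants, no root admin.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    _stmt("Allow the use of the CMK", "*", USE_ACTIONS),
    _stmt("Allow attachment of persistent resources", f"arn:aws:iam::{ACCOUNT}:user/SGVolumeAdmin", GRANT_ACTIONS),
]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Return the AWS principals of a statement; "*" means anyone."""
    p = statement.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return _as_list(p.get("AWS", []))
    return []


def action_allows(patterns, action):
    """True if any action pattern (with IAM-style '*' wildcards) covers `action`."""
    for pat in patterns:
        rx = re.escape(pat).replace(r"\*", ".*")
        if re.fullmatch(rx, action, re.IGNORECASE):
            return True
    return False


def check_key_policy(policy_json, account=ACCOUNT):
    """Return a list of findings; an empty list means the policy passed."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    root_arn = f"arn:aws:iam::{account}:root"
    root_admin = False
    for st in _as_list(policy.get("Statement", [])):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue
        principals = _principals(st)
        actions = _as_list(st.get("Action", []))
        for pr in principals:
            if pr == "*":
                findings.append(f"{sid}: wildcard principal")
                continue
            m = ARN_RE.match(pr)
            if m is None:
                findings.append(f"{sid}: unrecognised principal {pr}")
            elif m.group(1) != account:
                findings.append(f"{sid}: principal from another account ({m.group(1)})")
        # A statement that can rewrite the key policy is administrative.
        is_admin = action_allows(actions, "kms:PutKeyPolicy")
        if is_admin and root_arn in principals:
            root_admin = True
        if not is_admin and action_allows(actions, "kms:CreateGrant"):
            cond = st.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if str(cond).lower() != "true":
                findings.append(f"{sid}: kms:CreateGrant without kms:GrantIsForAWSResource condition")
    if not root_admin:
        findings.append("no statement lets the account root administer the key")
    return findings


if __name__ == "__main__":
    # Usage: python check_key_policy.py sg-volume-cmk-policy.json [account-id]
    doc = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    acct = sys.argv[2] if len(sys.argv) > 2 else ACCOUNT
    print("\n".join(check_key_policy(doc, acct)) or "policy OK")
```

The administrative/usage split mirrors the page's policy: principals that can rewrite the key policy (kms:Put*) are trusted with grants, while usage principals such as SGVolumeAdmin may only create grants on behalf of AWS services, which is exactly what the kms:GrantIsForAWSResource condition enforces.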
02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. sg-volume-cmk-policy.json) as command parameter to create the new Amazon KMS CMK:

aws kms create-key \
    --region us-east-1 \
    --description 'KMS CMK for encrypting Storage Gateway volume data.' \
    --policy file://sg-volume-cmk-policy.json
03 The command output should return the new KMS CMK metadata. Copy the key Amazon Resource Name (the value of the Arn parameter), as it is required later when you specify the key used for volume data encryption:
   
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-abcd-1234-abcd-1234abcd1234",
        "Description": "KMS CMK for encrypting Storage Gateway volume data.",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517237159.150,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-abcd-1234-abcd-1234abcd1234",
        "AWSAccountId": "123456789012"
    }
}
04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias name must start with the prefix "alias/" (the command produces no output):

aws kms create-alias \
    --region us-east-1 \
    --alias-name alias/SGVolumeCustomCMK \
    --target-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-abcd-1234-abcd-1234abcd1234
05 Based on the type of the volume (cached or stored) that you want to re-create, execute one of the following CLI commands:

- Run create-cached-iscsi-volume command (OSX/Linux/UNIX) to create a new cached volume for the specified volume gateway. Use the ARN of the newly created Customer Master Key (CMK) as the value of the --kms-key parameter to enable encryption at rest using customer-managed keys:

aws storagegateway create-cached-iscsi-volume \
    --region us-east-1 \
    --gateway-arn arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234 \
    --volume-size-in-bytes 161061273600 \
    --target-name cc-cached-volume \
    --network-interface-id 172.30.50.15 \
    --client-token AABBCCDD \
    --kms-encrypted \
    --kms-key arn:aws:kms:us-east-1:123456789012:key/1234abcd-abcd-1234-abcd-1234abcd1234

- The output should return the command request metadata:

{
    "TargetARN": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/target/iqn.1995-15.com.amazon:cc-cached-volume",
    "VolumeARN": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/volume/vol-01234AABB1234CCDD"
}

- Run create-stored-iscsi-volume command (OSX/Linux/UNIX) to create a new stored volume for the specified AWS Storage Gateway volume gateway. Use the ARN of the Customer Master Key (CMK) created earlier in the process as the value of the --kms-key parameter to enable data encryption using customer-managed keys:

aws storagegateway create-stored-iscsi-volume \
    --region us-east-1 \
    --gateway-arn arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234 \
    --target-name cc-stored-volume \
    --network-interface-id 172.200.10.75 \
    --preserve-existing-data \
    --disk-id aaaabbbb-cccc-aaaa-bbbb-aaaabbbbcccc \
    --kms-encrypted \
    --kms-key arn:aws:kms:us-east-1:123456789012:key/1234abcd-abcd-1234-abcd-1234abcd1234

- The command output should return the create-stored-iscsi-volume request metadata:

{
    "TargetARN": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/target/iqn.1997-10.com.amazon:cc-stored-volume",
    "VolumeSizeInBytes": 161061273600,
    "VolumeARN": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/volume/vol-01234123412341234"
}

06 Repeat step no. 5 to configure encryption at rest using AWS KMS Customer Master Keys for the other Amazon Storage Gateway volumes available in the selected region.
07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the process in other regions.
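After steps 5 to 7 have been run across volumes and regions, a practitioner usually wants a repeatable check that every volume really references the intended CMK rather than trusting that each command was typed correctly. The following audit is an added example, not part of the original page: it consumes the JSON that describe-cached-iscsi-volumes / describe-stored-iscsi-volumes return (the KMSKey field on each volume entry is assumed from the Storage Gateway API; the sample output, gateway and key ARNs below are constructed from the page's placeholders) and lists every volume that is not encrypted with the expected key, including keys from another region, which a gateway cannot use.

```python
"""Audit Storage Gateway volumes for encryption with the expected CMK.

Added example (not from the original page). Feed it the output of
`aws storagegateway describe-cached-iscsi-volumes --volume-arns ...` or
`describe-stored-iscsi-volumes --volume-arns ...` for each region.
The KMSKey field per volume is assumed from the Storage Gateway API.
"""
import json
import sys

# Placeholder key and gateway ARNs from the page.
EXPECTED_CMK = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-abcd-1234-abcd-1234abcd1234"
GW = "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234"

# Constructed describe output: one compliant volume, one on a different key,
# one on a key from another region, and a stored volume with no KMS key at all.
SAMPLE_CACHED = json.dumps({"CachediSCSIVolumes": [
    {"VolumeARN": f"{GW}/volume/vol-01234AABB1234CCDD", "VolumeStatus": "AVAILABLE",
     "KMSKey": EXPECTED_CMK},
    {"VolumeARN": f"{GW}/volume/vol-0000000000000001", "VolumeStatus": "AVAILABLE",
     "KMSKey": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"},
    {"VolumeARN": f"{GW}/volume/vol-0000000000000002", "VolumeStatus": "AVAILABLE",
     "KMSKey": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-abcd-1234-abcd-1234abcd1234"},
]})
SAMPLE_STORED = json.dumps({"StorediSCSIVolumes": [
    {"VolumeARN": f"{GW}/volume/vol-01234123412341234", "VolumeStatus": "AVAILABLE"},
]})


def arn_region(arn):
    """Region field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[3]


def noncompliant_volumes(describe_json, expected_cmk=EXPECTED_CMK):
    """Return (VolumeARN, reason) pairs for volumes not using expected_cmk."""
    doc = json.loads(describe_json)
    volumes = doc.get("CachediSCSIVolumes", []) + doc.get("StorediSCSIVolumes", [])
    findings = []
    for vol in volumes:
        arn, key = vol["VolumeARN"], vol.get("KMSKey")
        if not key:
            findings.append((arn, "not encrypted with a customer-managed KMS key"))
        elif arn_region(key) != arn_region(arn):
            findings.append((arn, f"KMS key in another region: {arn_region(key)}"))
        elif key != expected_cmk:
            findings.append((arn, f"unexpected KMS key: {key}"))
    return findings


if __name__ == "__main__":
    # Usage: aws storagegateway describe-cached-iscsi-volumes ... | python audit_volumes.py [expected-key-arn]
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CACHED
    expected = sys.argv[1] if len(sys.argv) > 1 else EXPECTED_CMK
    for arn, reason in noncompliant_volumes(data, expected):
        print(f"{arn}: {reason}")
```

Run it once per region with that region's key ARN: the region check catches the common mistake of reusing a key ARN from step 3 after changing --region in step 7 without creating a new CMK there.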