Tags: amazon-web-services, aws-cloudformation, amazon-kms, aws-ebs, aws-cdk

Encrypted volume and own KMS key with AWS CDK fails


I'm trying to create an EBS Volume with the AWS CDK that is encrypted by my own KMS key in C#, with this snippet:

using Amazon.CDK;
using Amazon.CDK.AWS.EC2;
using Amazon.CDK.AWS.KMS;

// Customer-managed KMS key for the volume; Retain keeps the key when the stack is deleted
var kmsProps = new EncryptionKeyProps
{
    Description = "Encryption key for Storage",
    EnableKeyRotation = true,
    Enabled = true,
    Retain = true
};

var kms = new EncryptionKey(stack, "kms-storage", kmsProps);

// Alias for the key; the volume below refers to the key by this alias name
var kmsAlias = kms.AddAlias("alias/" + stack.StackName + "/storage");

// Encrypted EBS volume (privateSubnet1 comes from earlier in the stack, not shown)
var storageVolume = new CfnVolume(stack, "server-storage-encrypted", new CfnVolumeProps
{
    AvailabilityZone = privateSubnet1.AvailabilityZone,
    KmsKeyId = kmsAlias.AliasName,
    Size = 30,
    Encrypted = true,
    Tags = new ICfnTag[]
    {
        new CfnTag {Key = "Name", Value = "Server Storage"}
    },
    VolumeType = "gp2"
});

But the deploy command fails with a "Volume vol-0e88979f5568c16fa is still creating" error.

Any idea if I'm doing something wrong with the KMS policy etc.? I tried looking for it; the only thing I found was that auto scaling needed access to the key, nothing about EBS/EC2.


Solution

  • I ran into this issue today. It turned out that using an alias in KmsKeyId was causing the issue. The stack was created successfully after changing the alias to the actual key ID. Although the documentation says an alias can be used, it didn't work for me.

    https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html
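An added pre-deploy check (example code, not from the question or the answer above) that scans a synthesized CloudFormation template for AWS::EC2::Volume resources and reports whether each one names its KMS key by alias, by key ID or key ARN, by a Ref to the key resource, or not at all. The template is a constructed stand-in, not real cdk synth output.

```python
import json
import re

# Constructed stand-in for what `cdk synth` emits (hand-written for this example,
# not real synth output): a KMS key, a volume that names the key by alias (the
# question's failing setup), one that references the key resource, and one left
# unencrypted.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "kmsstorage": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": True}},
    "serverstorageencrypted": {"Type": "AWS::EC2::Volume", "Properties": {
        "Encrypted": True, "Size": 30, "KmsKeyId": "alias/demo/storage"}},
    "serverstoragefixed": {"Type": "AWS::EC2::Volume", "Properties": {
        "Encrypted": True, "Size": 30, "KmsKeyId": {"Ref": "kmsstorage"}}},
    "serverstorageplain": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 30}},
}})

KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
KEY_ARN_RE = re.compile(r"^arn:aws[\w-]*:kms:[\w-]+:\d{12}:key/")


def classify_kms_key_id(value):
    """Return 'ref', 'alias', 'key-id', 'key-arn' or 'unknown' for a KmsKeyId value."""
    if isinstance(value, dict):
        # {"Ref": ...} / {"Fn::GetAtt": ...} resolves to the key resource at deploy
        # time; this is what a CDK key object's KeyId / KeyArn synthesize to.
        return "ref" if "Ref" in value or "Fn::GetAtt" in value else "unknown"
    if not isinstance(value, str):
        return "unknown"
    if value.startswith("alias/") or ":alias/" in value:
        return "alias"  # alias name or alias ARN: the form that failed in this thread
    if KEY_ID_RE.match(value):
        return "key-id"
    if KEY_ARN_RE.match(value):
        return "key-arn"
    return "unknown"


def audit_volumes(template_json):
    """Map every AWS::EC2::Volume logical id to a finding about its encryption setup."""
    findings = {}
    for logical_id, res in json.loads(template_json)["Resources"].items():
        if res.get("Type") != "AWS::EC2::Volume":
            continue
        props = res.get("Properties", {})
        if not props.get("Encrypted"):
            findings[logical_id] = "unencrypted"
        elif "KmsKeyId" not in props:
            findings[logical_id] = "default-key"  # AWS-managed EBS key, no customer key
        else:
            findings[logical_id] = classify_kms_key_id(props["KmsKeyId"])
    return findings
```

Run it against the JSON in cdk.out before `cdk deploy`; any volume reported as "alias" is the pattern the answer above replaced with the key ID.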