Skip to content
This repository was archived by the owner on Oct 4, 2024. It is now read-only.
This repository was archived by the owner on Oct 4, 2024. It is now read-only.

DC1: Encrypt storage gateway EC2 AMI root(non-EBS) /dev/xvda volume to adhere AWS SEA deny rule on encryption: false #33

Description

@obriensystems

This is one of the encryption flags - the other root (non-EBS) volume is hidden because it comes with the unencrypted snapshot backing the AMI
see
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html

https://github.com/aws-quickstart/quickstart-uipath-orchestrator/blob/main/templates/storage.template.yaml#L296

API: ec2:RunInstances You are not authorized to perform this operation.
"DecodedMessage": "{"allowed":false,"explicitDeny":true,"matchedStatements":
{"items":[{"statementId":
"PreventEc2MountUnencryptedVolume"
,"effect":"DENY","principals":
{"items":[{"value":"ARO....HWH"}]},"principalGroups":{"items":[]},"actions":
{"items":[{"value":"ec2:RunInstances"}]},"resources":{"items"
:[{"value":"arn:aws:ec2:::volume/*"}]},"conditions":{"items":
[{"key":"ec2:Encrypted","values":{"items":
[{"value":"false"
}]}}]}}]},

other fixes - ha template
add to ha template
HAMaster:
Type: 'AWS::EC2::Instance'
Properties:

  BlockDeviceMappings:
    - DeviceName: /dev/sda1
      Ebs:
        DeleteOnTermination: true
        Encrypted: true
        VolumeSize: 100
        VolumeType: gp2

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions