Shelvery Encryption Enhancements

Previously, when sharing KMS-encrypted snapshots with the databunker, the same key was used to encrypt the snapshot copy in the databunker account. This creates a single point of failure: if the KMS key is compromised or deleted, we could lose all of the data in both the production and databunker accounts. With Shelvery 0.9.5 you can now encrypt databunker snapshots with a separate KMS key, removing the single point of failure of the one shared KMS key and providing improved security and confidence in the databunker snapshots.

Also with this latest Shelvery release, you can now encrypt all unencrypted snapshots in the databunker account, either via a global encryption flag or via resource tags.

Read on for how to implement these changes.

Copy Encrypted Snapshots to New Key

To enable the copying of snapshots to a new key, first create a new KMS key in the databunker account. Here is some example CloudFormation; note the key policy, which grants the Shelvery role in the databunker account use of the key and the ability to create grants for AWS resources.

DatabunkerKey:
  Type: AWS::KMS::Key
  Properties:
    Description: KMS CMK for testing shelvery encrypted snapshots
    KeyPolicy:
      Version: '2012-10-17'
      Id: key-default-1
      Statement:
      - Sid: Enable IAM User Permissions
        Effect: Allow
        Principal:
          AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
        Action: kms:*
        Resource: '*'
      - Sid: Allow use of the key by shelvery databunker account
        Effect: Allow
        Principal:
          AWS: !Ref DatabunkerShelveryRole
        Action:
        - kms:DescribeKey
        - kms:Encrypt
        - kms:Decrypt
        - kms:ReEncrypt*
        - kms:GenerateDataKey
        - kms:GenerateDataKeyWithoutPlaintext
        Resource: '*'
      - Sid: Allow attachment of persistent resources from the databunker account
        Effect: Allow
        Principal:
          AWS: !Ref DatabunkerShelveryRole
        Action:
        - kms:CreateGrant
        - kms:ListGrants
        - kms:RevokeGrant
        Resource: '*'
        Condition:
          Bool:
            kms:GrantIsForAWSResource: 'true'

Note that when copying to a new key, shelvery in the databunker account requires access to both the new key and the original key.

Next we need to tell Shelvery to copy to the new key. We can do this at the global level on the databunker account by setting the following parameter.

ShelveryCopyKmsKeyId=<databunker-kms-key-arn>

Alternatively, this can be set per resource using the following tag.

Tags:
- Key: shelver:config:shelvery_copy_kms_key_id
  Value: ${DatabunkerKmsKeyArn}

Copy Unencrypted Snapshots

To enable encryption of unencrypted snapshots in the databunker account, set the following parameters at the global level.

ShelveryEncryptCopy=true
ShelveryCopyKmsKeyId=<databunker-kms-key-arn>

Alternatively, this can be set per resource using the following tags.

Tags:
- Key: shelver:config:shelvery_encrypt_copy
  Value: 'true'
- Key: shelver:config:shelvery_copy_kms_key_id
  Value: ${DatabunkerKmsKeyArn}
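As an added audit example that is not Shelvery's own code, the script below checks databunker snapshot copies for the two failure modes described on this page: a copy still encrypted with the production key, or a copy left unencrypted although shelvery_encrypt_copy was requested. It assumes resource tags override the global values, and every key ARN and snapshot id in it is a constructed placeholder.

```python
# Added example (not Shelvery's own code): audit databunker snapshot copies
# against the encryption settings this page describes. Records mimic EC2
# describe_snapshots output but are constructed inline so this runs offline.
TAG_PREFIX = "shelver:config:"  # tag key prefix as written on this page
PROD_KEY = "arn:aws:kms:ap-southeast-2:111111111111:key/PROD-KEY-PLACEHOLDER"
BUNKER_KEY = "arn:aws:kms:ap-southeast-2:222222222222:key/BUNKER-KEY-PLACEHOLDER"
# Account-level defaults, mirroring ShelveryEncryptCopy / ShelveryCopyKmsKeyId.
GLOBAL_CONFIG = {"shelvery_encrypt_copy": "false", "shelvery_copy_kms_key_id": ""}

SNAPSHOTS = [  # constructed sample copies as they might appear in the databunker
    {"SnapshotId": "snap-good", "Encrypted": True, "KmsKeyId": BUNKER_KEY,
     "Tags": [{"Key": TAG_PREFIX + "shelvery_copy_kms_key_id", "Value": BUNKER_KEY}]},
    {"SnapshotId": "snap-shared-key", "Encrypted": True, "KmsKeyId": PROD_KEY,
     "Tags": [{"Key": TAG_PREFIX + "shelvery_copy_kms_key_id", "Value": BUNKER_KEY}]},
    {"SnapshotId": "snap-plain", "Encrypted": False, "KmsKeyId": "",
     "Tags": [{"Key": TAG_PREFIX + "shelvery_encrypt_copy", "Value": "true"},
              {"Key": TAG_PREFIX + "shelvery_copy_kms_key_id", "Value": BUNKER_KEY}]},
]


def effective_config(tags, global_config=GLOBAL_CONFIG):
    """Resource tags override the global (account-level) values (assumed precedence)."""
    cfg = dict(global_config)
    for tag in tags:
        key = tag.get("Key", "")
        if key.startswith(TAG_PREFIX):
            cfg[key[len(TAG_PREFIX):]] = tag.get("Value", "")
    return cfg


def audit_snapshot(snapshot, production_keys, global_config=GLOBAL_CONFIG):
    """Return the problems found with one databunker copy (empty list == fine)."""
    cfg = effective_config(snapshot.get("Tags", []), global_config)
    want_encrypt = cfg["shelvery_encrypt_copy"].strip().lower() == "true"
    copy_key = cfg["shelvery_copy_kms_key_id"].strip()
    if not snapshot.get("Encrypted", False):
        return ["unencrypted although shelvery_encrypt_copy=true"] if want_encrypt else []
    problems = []
    actual_key = snapshot.get("KmsKeyId", "")
    if actual_key in production_keys:  # still hangs off the production key: the SPOF
        problems.append("encrypted with a production key")
    if copy_key and actual_key != copy_key:
        problems.append("not encrypted with the configured shelvery_copy_kms_key_id")
    return problems


def audit_all(snapshots, production_keys, global_config=GLOBAL_CONFIG):
    """Map snapshot id -> problems for every copy that has at least one."""
    found = ((s["SnapshotId"], audit_snapshot(s, production_keys, global_config)) for s in snapshots)
    return {sid: problems for sid, problems in found if problems}
```

Running audit_all(SNAPSHOTS, {PROD_KEY}) flags snap-shared-key and snap-plain and leaves snap-good clean; feed it real describe_snapshots output from the databunker account to use it for real.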
