AWS Security ChangesHomeSearch

AWS AmazonECS medium security documentation change

Service: AmazonECS · 2025-05-16 · Security-related medium

File: AmazonECS/latest/developerguide/ebs-kms-encryption.md

Summary

Enhanced documentation about EBS encryption hierarchy and cluster-level encryption configuration. Added key precedence rules and clarified encryption behavior when settings conflict.

Security assessment

The changes clarify encryption enforcement mechanisms (including mandatory encryption when EBS default is enabled) and key management hierarchy. The added note about volumes remaining encrypted even when 'encrypted: false' is specified prevents potential misconfigurations that could lead to unintended data exposure.

Diff

diff --git a/AmazonECS/latest/developerguide/ebs-kms-encryption.md b/AmazonECS/latest/developerguide/ebs-kms-encryption.md
index d9e54f409..8122e7c29 100644
--- a//AmazonECS/latest/developerguide/ebs-kms-encryption.md
+++ b//AmazonECS/latest/developerguide/ebs-kms-encryption.md
@@ -7 +7 @@ Customer managed KMS key policy
-# Encrypt data stored in Amazon EBS volumes for Amazon ECS
+# Encrypt data stored in Amazon EBS volumes attached to Amazon ECS tasks
@@ -17 +17 @@ You can use AWS Key Management Service (AWS KMS) to make and manage cryptographi
-  * New volumes created from snapshots
+  * New volumes created from encrypted snapshots
@@ -22 +22,19 @@ You can use AWS Key Management Service (AWS KMS) to make and manage cryptographi
-You can configure Amazon EBS encryption by default so that all new volumes created and attached to a task are encrypted by using the KMS key that you configure for your account. For more information about Amazon EBS encryption and encryption by default, see [Amazon EBS encryption](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html) in the _Amazon EC2 User Guide_.
+Amazon EBS volumes that are attached to tasks can be encrypted by using either a default AWS managed key with the alias `alias/aws/ebs`, or a symmetric customer managed key specified in the volume configuration. Default AWS managed keys are unique to each AWS account per AWS Region and are created automatically. To create a symmetric customer managed key, follow the steps in [Creating symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the _AWS KMS Developer Guide_.
+
+You can configure Amazon EBS encryption by default so that all new volumes created and attached to a task in a specific AWS Region are encrypted by using the KMS key that you specify for your account. For more information about Amazon EBS encryption and encryption by default, see [Amazon EBS encryption](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html) in the _Amazon EBS User Guide_.
+
+You can also set up Amazon ECS cluster-level encryption for Amazon ECS managed storage when you create or update a cluster. Cluster-level encryption can be used to encrypt all Amazon EBS volumes attached to tasks running in a specific cluster by using the KMS key specified at the cluster level. For more information about configuring encryption at the cluster level, see [ManagedStorageConfiguration](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ManagedStorageConfiguration.html) in the _Amazon ECS API reference_.
+
+You can configure any combination of these keys. The order of precedence of KMS keys is as follows:
+
+  1. The KMS key specified in the volume configuration. When you specify a KMS key in the volume configuration, it overrides the Amazon EBS default and any KMS key that is specified at the cluster level.
+
+  2. The KMS key specified at the cluster level. When you specify a KMS key for cluster-level encryption of Amazon ECS managed storage, it overrides Amazon EBS default encryption but does not override any KMS key that is specified in the volume configuration.
+
+  3. Amazon EBS default encryption. Default encryption applies when you don't specify either a cluster-level KMS key or a key in the volume configuration. If you enable Amazon EBS encryption by default, the default is the KMS key you specify for encryption by default. Otherwise, the default is the AWS managed key with the alias `alias/aws/ebs`.
+
+###### Note
+
+If you set `encrypted` to `false` in your volume configuration, specify no cluster-level KMS key, and enable Amazon EBS encryption by default, the volume will still be encrypted with the key specified for Amazon EBS encryption by default.
+
+
@@ -24 +41,0 @@ You can configure Amazon EBS encryption by default so that all new volumes creat
-Amazon EBS volumes that are attached to tasks can be encrypted by using either a default AWS managed key with the alias `alias/aws/ebs`, or a symmetric customer managed key. Default AWS managed keys are unique to each AWS account per AWS Region and are created automatically. To create a symmetric customer managed key, follow the steps in [Creating symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the _AWS KMS Developer Guide_.
@@ -28 +45 @@ Amazon EBS volumes that are attached to tasks can be encrypted by using either a
-To encrypt an EBS volume that's attached to your task by using your customer managed key, you must configure your KMS key policy to ensure that the IAM role that you use for volume configuration has the necessary permissions to use the key. The key policy must include the `kms:CreateGrant` and `kms:GenerateDataKey*` permissions. The `kms:ReEncryptTo` and `kms:ReEncryptFrom` permissions are necessary for encrypting volumes that are created using snapshots. If you want to configure and encrypt only new, empty volumes for attachment, you can exclude the `kms:ReEncryptTo` and `kms:ReEncryptFrom` permissions. 
+To encrypt an EBS volume that's attached to your task by using a customer managed key, you must configure your KMS key policy to ensure that the IAM role that you use for volume configuration has the necessary permissions to use the key. The key policy must include the `kms:CreateGrant` and `kms:GenerateDataKey*` permissions. The `kms:ReEncryptTo` and `kms:ReEncryptFrom` permissions are necessary for encrypting volumes that are created using snapshots. If you want to configure and encrypt only new, empty volumes for attachment, you can exclude the `kms:ReEncryptTo` and `kms:ReEncryptFrom` permissions.