AWS AmazonECS documentation change
Summary
Added detailed sections explaining KMS key precedence hierarchy and encryption behavior differences between ECS Managed Instances and non-ECS Managed Instances
Security assessment
The changes provide clarification about encryption configuration priorities and default behaviors, which helps users properly secure EBS volumes. While encryption is a security feature, there's no evidence this change addresses a specific vulnerability or security incident - it primarily enhances documentation about existing security controls.
Diff
diff --git a/AmazonECS/latest/developerguide/ebs-kms-encryption.md b/AmazonECS/latest/developerguide/ebs-kms-encryption.md index 8122e7c29..e163c8829 100644 --- a//AmazonECS/latest/developerguide/ebs-kms-encryption.md +++ b//AmazonECS/latest/developerguide/ebs-kms-encryption.md @@ -5 +5 @@ -Customer managed KMS key policy +Amazon ECS Managed Instances behaviorNon-Amazon ECS Managed Instances behaviorCustomer managed KMS key policy @@ -26 +26,22 @@ You can configure Amazon EBS encryption by default so that all new volumes creat -You can also set up Amazon ECS cluster-level encryption for Amazon ECS managed storage when you create or update a cluster. Cluster-level encryption can be used to encrypt all Amazon EBS volumes attached to tasks running in a specific cluster by using the KMS key specified at the cluster level. For more information about configuring encryption at the cluster level, see [ManagedStorageConfiguration](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ManagedStorageConfiguration.html) in the _Amazon ECS API reference_. +## Amazon ECS Managed Instances behavior + +You encrypt Amazon EBS volumes by enabling encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt. For information about how to enable encryption by default (at the account-level, see [Encryption by default](https://docs.aws.amazon.com/ebs/latest/userguide/encryption-by-default.html) in the _Amazon EBS User Guide_. + +You can configure any combination of these keys. The order of precedence of KMS keys is as follows: + + 1. The KMS key specified in the volume configuration. When you specify a KMS key in the volume configuration, it overrides the Amazon EBS default and any KMS key that is specified at the account level. + + 2. The KMS key specified at the account level. When you specify a KMS key for cluster-level encryption of Amazon ECS managed storage, it overrides Amazon EBS default encryption but does not override any KMS key that is specified in the volume configuration. + + 3. Amazon EBS default encryption. Default encryption applies when you don't specify either a account-level KMS key or a key in the volume configuration. If you enable Amazon EBS encryption by default, the default is the KMS key you specify for encryption by default. Otherwise, the default is the AWS managed key with the alias `alias/aws/ebs`. + +###### Note + +If you set `encrypted` to `false` in your volume configuration, specify no account-level KMS key, and enable Amazon EBS encryption by default, the volume will still be encrypted with the key specified for Amazon EBS encryption by default. + + + + +## Non-Amazon ECS Managed Instances behavior + +You can also set up Amazon ECS cluster-level encryption for Amazon ECS managed storage when you create or update a cluster. Cluster-level encryption takes effect at the task level and can be used to encrypt the Amazon EBS volumes attached to each task running in a specific cluster by using the specified KMS key. For more information about configuring encryption at the cluster level for each task, see [ManagedStorageConfiguration](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ManagedStorageConfiguration.html) in the _Amazon ECS API reference_.