
AWS: Start EC2 Instance with CloudFormation and encrypt BlockDevices with specific KMS Key


When starting EC2 instances via the AWS CLI I can specify a KmsKeyId for BlockDevices. When starting an EC2 instance via CloudFormation (either directly or via ASG/LaunchConfiguration) this option does not exist.

How can I encrypt the block devices of my EC2 instances started via CloudFormation with a specific KMS Key?


Solution

  • It looks like the chain is:

    Instance > [ BlockDeviceMapping ] > Ebs > KmsKeyId

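
The property chain from the answer above, written out as a CloudFormation template. This is an added example, not part of the original answer; the parameter names, resource name, instance type, device names and volume sizes are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: EC2 instance whose EBS volumes are encrypted with a specific KMS key

Parameters:
  ImageId:                      # hypothetical parameter name
    Type: AWS::EC2::Image::Id
  VolumeKmsKeyId:               # hypothetical parameter name
    Type: String
    Description: Key ID, alias or ARN of the KMS key used for EBS encryption

Resources:
  EncryptedInstance:            # hypothetical logical ID
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      BlockDeviceMappings:
        # Root volume. DeviceName must match the AMI's root device name
        # (assumed to be /dev/xvda here); otherwise the mapping does not
        # apply to the root volume.
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 20
            VolumeType: gp3
            Encrypted: true
            KmsKeyId: !Ref VolumeKmsKeyId
            DeleteOnTermination: true
        # Additional data volume encrypted with the same key.
        - DeviceName: /dev/sdf
          Ebs:
            VolumeSize: 50
            VolumeType: gp3
            Encrypted: true
            KmsKeyId: !Ref VolumeKmsKeyId
            DeleteOnTermination: true

Outputs:
  InstanceId:
    Value: !Ref EncryptedInstance
```

The principal that launches the instance must be allowed to use the KMS key, otherwise the encrypted volumes cannot be created and the launch fails.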