amazon-genomics-cli
No KMS Support For Default EBS Encryption
Description
When default EBS encryption is enabled in a region, workflows will be stuck in a runnable state.
The workaround is to manually add KMS permissions to the BatchTaskBatchBatchRoleE role. Once this is done, everything runs fine.
The additional problem here is that manually adding the KMS permissions blocks the context destroy action, as CloudFormation will not delete the role resource if there is a policy attached from outside of CloudFormation. So, the policy needs to be manually removed in order to destroy the context.
Use Case
It's good security practice to turn on default EBS encryption in a region. We'd like to be both secure and run our agc workflows.
Proposed Solution
Create a means to add the necessary KMS policies to the BatchTaskBatchBatchRoleE role. It would be helpful if there was a parameter that could be used to specify the KMS key that we wish to use as well.
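One way to script the workaround and its cleanup, as an added example that is not from the issue reporter or the amazon-genomics-cli project: a single-key inline policy that is attached to the role and removed again before the context is destroyed. The role name and key ARN are operator-supplied, `POLICY_NAME` and the function names are hypothetical, and the KMS action list is an assumption based on AWS's general guidance for EBS encryption rather than anything stated in the issue.

```shell
#!/usr/bin/env bash
# Added example: scoped inline KMS policy for the role, plus its removal.
# POLICY_NAME is a hypothetical label; role name and key ARN come from the operator.
POLICY_NAME="agc-ebs-kms-workaround"

# Print an IAM policy limited to exactly one KMS key.
# Assumption: these are the actions EBS volume encryption needs on the key.
kms_policy_json() {
  key_arn="$1"
  case "$key_arn" in
    *\**) echo "wildcard key ARN refused: $key_arn" >&2; return 1 ;;
    arn:aws*:kms:*:*:key/*) ;;
    *) echo "expected a KMS key ARN, got: $key_arn" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UseKeyForEbs",
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:DescribeKey",
                 "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*"],
      "Resource": "$key_arn"
    },
    {
      "Sid": "GrantOnlyToAwsServices",
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": "$key_arn",
      "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
    }
  ]
}
EOF
}

# usage: attach_workaround ROLE_NAME KEY_ARN
attach_workaround() {
  doc="$(kms_policy_json "$2")" || return 1
  aws iam put-role-policy --role-name "$1" \
    --policy-name "$POLICY_NAME" --policy-document "$doc"
}

# usage: detach_workaround ROLE_NAME   (run before destroying the context)
detach_workaround() {
  aws iam delete-role-policy --role-name "$1" --policy-name "$POLICY_NAME"
}
```

Keeping the policy under one fixed name makes the out-of-band change easy to find and remove, so CloudFormation can delete the role when the context is torn down.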