
No KMS Support For Default EBS Encryption

Open privorhart opened this issue 1 year ago • 0 comments

Description

When default EBS encryption is enabled in a region, workflows will be stuck in a RUNNABLE state.

The workaround is to manually add KMS permissions to the BatchTaskBatchBatchRoleE role. Once this is done, everything runs fine.

The additional problem here is that manually adding the KMS permissions blocks the context destroy action, as CloudFormation will not delete the role resource if there is a policy attached from outside of CloudFormation. So, the policy needs to be manually removed in order to destroy the context.

Use Case

It's good security practice to turn on default EBS encryption in a region. We'd like to be both secure and run our AGC workflows.

Proposed Solution

Create a means to add the necessary KMS policies to the BatchTaskBatchBatchRoleE role. It would be helpful if there was a parameter that could be used to specify the KMS key that we wish to use as well.

privorhart · Jun 01 '23 01:06
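One way the proposed solution could be shaped, as an added example rather than code from the amazon-genomics-cli project or the issue author: a CloudFormation fragment that takes the customer-managed key as a stack parameter and attaches the KMS permissions to the task role inside the stack. Because the policy is then owned by CloudFormation, deleting the context also deletes the policy, which avoids the stuck-destroy problem the issue describes. The logical ID `BatchTaskRole`, the parameter name `EbsKmsKeyArn`, the assume-role trust policy and the specific KMS actions are assumptions; the action list follows the AWS documentation for EBS encryption with a customer-managed key and is scoped to the single key ARN passed in, with `kms:CreateGrant` limited to grants created on behalf of an AWS service.

```yaml
# Added example, not part of the amazon-genomics-cli project.
# Assumptions: logical ID BatchTaskRole, parameter EbsKmsKeyArn,
# and the KMS action set documented by AWS for EBS encryption with a CMK.
Parameters:
  EbsKmsKeyArn:
    Type: String
    Description: ARN of the KMS key used for default EBS encryption in this region
    AllowedPattern: '^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/.+$'

Resources:
  BatchTaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole

  # Kept in the same stack as the role so that stack deletion removes it too;
  # an out-of-band attachment is what blocks the role delete on destroy.
  BatchTaskEbsKmsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ebs-kms-access
      Roles:
        - !Ref BatchTaskRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: UseEbsKey
            Effect: Allow
            Action:
              - kms:Decrypt
              - kms:DescribeKey
              - kms:GenerateDataKeyWithoutPlaintext
              - kms:ReEncrypt*
            Resource: !Ref EbsKmsKeyArn   # single key, never "*"
          - Sid: GrantForAwsService
            Effect: Allow
            Action: kms:CreateGrant
            Resource: !Ref EbsKmsKeyArn
            Condition:
              Bool:
                kms:GrantIsForAWSResource: 'true'
```

The key policy on the KMS key itself must also allow these actions for the role (or for the account's IAM policies via the `kms:*` root statement); granting the IAM side alone is not sufficient. Scoping `Resource` to the one key ARN, instead of `*`, keeps a compromised task role from decrypting volumes encrypted under other keys in the account.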