Grant ECS access to KMS keys for encrypting disks, snapshots, and images, or for sharing encrypted resources across accounts.
Encrypt ECS resources
ECS uses KMS envelope encryption for disks, snapshots, and images. Two key types are available:
| Key type | Managed by | Permission setup required |
|---|---|---|
| Service key | Alibaba Cloud (free) | None — ECS uses it automatically |
| Customer master key (CMK) | You | Yes — grant ECS access via a RAM role |
Use service keys
Alibaba Cloud creates and manages service keys free of charge. ECS uses them directly with no permission setup.
In the disk configuration section, in the Settings column, select Encryption. The system automatically uses the service key alias/acs/ecs.
Use CMKs
To use a CMK, grant ECS permission to access it. The authorization flow:
-
Alibaba Cloud creates a system RAM role named
AliyunECSDiskEncryptDefaultRolein your account with permission to access KMS resources. -
ECS assumes this RAM role to access your CMK in KMS.
Confirm the authorization:
-
When you first select a CMK to encrypt an ECS resource (for example, when creating an encrypted disk), the If you want to select more keys, grant permissions to the RAM role message appears.
In the disk configuration section, select the Encryption check box, select a key from the Service Key drop-down list (default:
alias/acs/ecs), and then click Confirm Authorization to complete authorization. -
Click Confirm Authorization Policy. The system creates
AliyunECSDiskEncryptDefaultRoleand grants it the required permissions.
After confirmation, you can select any CMK from KMS when configuring ECS resources in the console.
Share encrypted resources across accounts
To share an encrypted image or snapshot with another account or resource directory, grant the sharee access to the sharer's KMS key. Complete these steps in the sharer's account.
Prerequisites
Ensure that you have:
-
An encrypted image or snapshot in the sharer's account
-
Permission to create and manage RAM roles in the sharer's account
Step 1: Create a RAM role
In the sharer's account, create a RAM role with the sharer's account as the trusted entity. See Create a RAM role for a trusted Alibaba Cloud account.
Use the role name that matches the resource type:
| Resource type | RAM role name |
|---|---|
| Encrypted snapshot | AliyunECSShareEncryptSnapshotDefaultRole |
| Encrypted image | AliyunECSShareEncryptImageDefaultRole |
Step 2: Modify the trust policy
On the Trust Policy tab of the RAM role, update the policy to specify the sharee. See Modify a RAM role's trust policy.
Choose the policy for your sharing scenario:
Scenario 1: Share with other Alibaba Cloud accounts
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"<UID1>@ecs.aliyuncs.com",
"<UID2>@ecs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
Replace <UID1> and <UID2> with the sharee account IDs. Add one entry per account.
Scenario 2: Share with a resource directory
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "*@ecs.aliyuncs.com"
},
"Condition": {
"StringEquals": {
"sts:ServiceOwnerRDId": "<ID of the resource directory>"
}
}
}
],
"Version": "1"
}
Replace <ID of the resource directory> with your resource directory ID. See View the basic information about a resource directory.
Scenario 3: Share with a specific folder in a resource directory
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "*@ecs.aliyuncs.com"
},
"Condition": {
"StringLike": {
"sts:ServiceOwnerRDPath": "<ID of the resource directory>/<Root folder ID>/.../<Current folder ID*>"
}
}
}
],
"Version": "1"
}
Replace <ID of the resource directory>, <Root folder ID>, and <Current folder ID> with actual values. See View the basic information of a folder.
Step 3: Attach a policy to the RAM role
The policy depends on the encryption key type:
-
Service key: Attach the
AliyunKMSFullAccesssystem policy. See AliyunKMSFullAccess. -
CMK: Create and attach a custom policy. See Manage a RAM role's permissions.
Custom policy template:
{
"Version": "1",
"Statement": [
{
"Action": "kms:List*",
"Resource": "acs:kms:<region-id>:<account-id>:key",
"Effect": "Allow"
},
{
"Action": [
"kms:DescribeKey",
"kms:TagResource",
"kms:UntagResource",
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "acs:kms:<region-id>:<account-id>:key/<cmk-id>",
"Effect": "Allow"
}
]
}
Replace the placeholders:
| Placeholder | Description |
|---|---|
<region-id> |
The region where the CMK resides |
<account-id> |
The Alibaba Cloud account that owns the CMK |
<cmk-id> |
The CMK used to encrypt the ECS resource |
Step 4: Share the resource
Share the encrypted resource with the sharee: