AWS EC2 KMS (Key Management Service) support
When using AWS Customer Managed Keys (CMK) for encryption with your EC2 instances, you'll need to grant Aikido's scanning role access to these keys. This guide walks you through the necessary steps.
Prerequisites
You have EC2 instances encrypted with CMK
You have access to AWS KMS (Key Management Service)
Steps to Grant Access
1. Navigate to AWS KMS → Customer managed keys
2. Locate and click on the CMK you use for EC2 encryption
3. In the key details page, scroll to the Key users section
4. Click Add to include a new key user
5. Search for and select the Aikido scanning role: arn:aws:iam::881830977366:role/aws-ebs-scanner-role
6. Save your changes
Verification
✅ Once you've added the Aikido role as a key user, our scanning functionality will work as expected with your CMK-encrypted instances.
Important Notes
⚠️ Without this permission, Aikido cannot properly scan EC2 instances encrypted with your CMK
🔒 This permission is specifically scoped to allow only the necessary access for scanning purposes
✋ If you remove this permission later, scanning of your CMK-encrypted instances will stop working until it is restored
Troubleshooting
If you encounter scanning issues with CMK-encrypted instances, verify that:
The correct CMK is selected
The Aikido role is properly added as a key user
The key policy hasn't been modified to remove the permission
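To check the third point without clicking through the console, here is an added Python example (not Aikido's own tooling) that inspects a key policy document, such as the one returned by `aws kms get-key-policy --key-id <key-id> --policy-name default --output text`, and reports which key-user actions the Aikido role is no longer granted. It assumes the scanner relies on the standard set of actions the KMS console grants under "Key users"; the account id and sample policies are constructed placeholders.

```python
import json

# Aikido scanning role named in the steps above.
AIKIDO_ROLE_ARN = "arn:aws:iam::881830977366:role/aws-ebs-scanner-role"

# Actions the KMS console grants when a principal is added under "Key users"
# (its standard "Allow use of the key" statement). Assumption: this is the
# grant the scanner relies on; the page does not list individual actions.
KEY_USER_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"}


def _as_list(value):
    """Policy JSON allows a bare string wherever a list is valid."""
    return value if isinstance(value, list) else [value]


def missing_key_user_actions(policy_json, role_arn=AIKIDO_ROLE_ARN):
    """Key-user actions that no unconditional Allow statement grants to
    role_arn. An empty set means the role still has key-user access."""
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # conditional grants need manual review; not counted
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if role_arn not in principals and "*" not in principals:
            continue
        granted.update(_as_list(stmt.get("Action", [])))
    if "kms:*" in granted or "*" in granted:
        return set()
    return KEY_USER_ACTIONS - granted


# Constructed sample: a default key policy (placeholder account id) plus the
# statement the console adds when the Aikido role is saved as a key user.
ADMIN_STATEMENT = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "kms:*", "Resource": "*"}
KEY_USER_STATEMENT = {"Sid": "Allow use of the key", "Effect": "Allow",
                      "Principal": {"AWS": AIKIDO_ROLE_ARN},
                      "Action": sorted(KEY_USER_ACTIONS), "Resource": "*"}
POLICY_WITH_ROLE = json.dumps({"Version": "2012-10-17",
                               "Statement": [ADMIN_STATEMENT, KEY_USER_STATEMENT]})
# Constructed sample: the same policy after the key-user statement was removed.
POLICY_WITHOUT_ROLE = json.dumps({"Version": "2012-10-17",
                                  "Statement": [ADMIN_STATEMENT]})
```

A non-empty result means someone edited the key policy after the role was added; re-add the role as a key user (steps above) or restore the removed statement.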