AWS EC2 KMS (Key Management Service) support

When using AWS Customer Managed Keys (CMK) for encryption with your EC2 instances, you'll need to grant Aikido's scanning role access to these keys. This guide walks you through the necessary steps.

Prerequisites

  • You have EC2 instances encrypted with CMK

  • You have access to AWS KMS (Key Management Service)

Steps to Grant Access

  1. Navigate to AWS KMS > Customer managed keys

  2. Locate and click on the CMK you use for EC2 encryption

  3. In the key details page, scroll to the Key users section

  4. Click Add to include a new key user

  5. Search for and select the Aikido scanning role: arn:aws:iam::881830977366:role/aws-ebs-scanner-role

  6. Save your changes

Verification

✅ Once you've added the Aikido role as a key user, our scanning functionality will work as expected with your CMK-encrypted instances.

Important Notes

  • ⚠️ Without this permission, Aikido cannot properly scan EC2 instances encrypted with your CMK

  • 🔒 This permission is specifically scoped to allow only the necessary access for scanning purposes

  • ✋ If you remove this permission later, scanning capabilities will be affected

Troubleshooting

If you encounter scanning issues with CMK-encrypted instances, verify that:

  • The correct CMK is selected

  • The Aikido role is properly added as a key user

  • The key policy hasn't been modified to remove the permission
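The "Add key user" step above writes an "Allow use of the key" statement into the key policy, and the troubleshooting list asks you to confirm that statement is still there. The script below is an added example (not Aikido's or AWS's own code) that checks a key policy document for exactly that: it assumes the key-user action set the KMS console grants (kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey), uses the scanner role ARN from this page, and a constructed sample policy with placeholder account id 111122223333.

```python
import fnmatch
import json

# Actions the KMS console adds under "Allow use of the key" when a principal is
# listed as a key user (assumption stated in the lead-in, not taken from this page).
KEY_USER_ACTIONS = frozenset({
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
})

# Constructed sample key policy: the scanner role ARN is the one given on this page,
# the account id 111122223333 is a placeholder.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::881830977366:role/aws-ebs-scanner-role"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"}
  ]
}""")
AIKIDO_ROLE = "arn:aws:iam::881830977366:role/aws-ebs-scanner-role"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_actions(policy, principal_arn):
    """Actions that unconditional Allow statements grant to principal_arn.
    Only the key policy is inspected; IAM policies and KMS grants are out of scope."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # explicit Deny and Condition blocks are not evaluated; review by hand
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if principal_arn in aws or "*" in aws:
            actions.update(_as_list(stmt.get("Action", [])))
    return actions

def missing_key_user_actions(policy, principal_arn):
    """Key-user actions the policy does not grant; an empty set means the role is a key user."""
    granted = allowed_actions(policy, principal_arn)
    # A granted pattern such as kms:* or kms:ReEncrypt* covers the required action.
    return {a for a in KEY_USER_ACTIONS
            if not any(fnmatch.fnmatchcase(a, g) for g in granted)}

if __name__ == "__main__":
    # Live policy: aws kms get-key-policy --key-id <KEY_ID> --policy-name default --output text
    print("missing:", missing_key_user_actions(SAMPLE_POLICY, AIKIDO_ROLE) or "none")
```

Feed it the JSON returned by `aws kms get-key-policy` for the CMK selected in step 2; any action reported as missing means the key-user statement was removed or edited and the role must be re-added.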