# AWS EC2 KMS (Key Management Service) Support

When using AWS Customer Managed Keys (CMK) for encryption with your EC2 instances, you'll need to grant Aikido's scanning role access to these keys. This guide walks you through the necessary steps.

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

* You have EC2 instances encrypted with CMK.
* You have access to the key used for EBS encryption in AWS KMS.
* You have [enabled EC2 scanning in Aikido](/virtual-machine-scanning/aws/aws-ec2-virtual-machine-scanning-setup.md#getting-started). You will need the role ARN.

## Steps to Grant Access <a href="#steps-to-grant-access" id="steps-to-grant-access"></a>

1. Navigate to **AWS KMS** → **Customer managed keys**
2. Locate and click on the CMK you use for EC2 encryption
3. In the key details page, scroll to the **Key users** section
4. Click **Add** to include a new key user
5. Search for and select the Aikido VM scanning role
6. Save your changes

![AWS KMS key details showing configuration, key policies, and assigned key users.](/files/2mxA15pvubCoRm0z5POG)

### JSON Policy <a href="#json-policy" id="json-policy"></a>

Alternatively, if you manage your KMS keys using infrastructure as code, add the following statements to the JSON policy of the key used for EBS encryption, replacing `arn:aws:iam::112233445566:role/aikido-security-ec2` with your Aikido VM scanning role ARN:

```json
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::112233445566:role/aikido-security-ec2"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::112233445566:role/aikido-security-ec2"
  },
  "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": "true"
    }
  }
}
```

## Verification <a href="#verification" id="verification"></a>

✅ Once you've added the Aikido role as a key user, Aikido should be able to scan your CMK-encrypted EC2 instances.

## Important Notes <a href="#important-notes" id="important-notes"></a>

* ⚠️ Without these permissions, Aikido cannot scan EC2 instances encrypted with your CMK.
* 🔒 This permission is specifically scoped to allow only the necessary access for scanning purposes.
* ✋ If you remove these permissions later, Aikido will no longer be able to scan the instances encrypted with that key.

## Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

If you encounter scanning issues with CMK-encrypted instances, verify that:

* The correct CMK is selected
* The Aikido role is properly added as a key user
* The key policy hasn't been modified to remove the permission
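The troubleshooting items above amount to checking the key policy itself. As an added example (not Aikido's own code or tooling), the following Python audits a key policy document for the two statements from the JSON Policy section and reports which required actions a given role ARN is missing; the sample policy and the role ARN are constructed values, and the check does not evaluate Deny statements, wildcard principals or Condition blocks.

```python
import fnmatch

ROLE_ARN = "arn:aws:iam::112233445566:role/aikido-security-ec2"  # placeholder ARN from the page

# Concrete actions covered by the page's two statements, with the wildcards expanded.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
               "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
REQUIRED = USE_ACTIONS + GRANT_ACTIONS

# Constructed sample key policy: the default root statement plus the two statements from this page.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::112233445566:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}

def _as_list(value):
    """IAM allows Principal.AWS and Action to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def granted_actions(policy: dict, role_arn: str) -> set[str]:
    """Return the REQUIRED actions that Allow statements naming role_arn in Principal.AWS grant.
    IAM action names are case-insensitive and may contain '*', hence fnmatch on lower-cased names.
    Deny statements, wildcard principals and Condition blocks are not evaluated; the page's
    kms:GrantIsForAWSResource condition only limits the grant to use by AWS services such as EBS.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if role_arn not in _as_list(principal.get("AWS", [])):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        granted.update(a for a in REQUIRED if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
    return granted

def missing_permissions(policy: dict, role_arn: str) -> list[str]:
    """Required actions the policy does not grant to role_arn; an empty list means the role is set up."""
    return [a for a in REQUIRED if a not in granted_actions(policy, role_arn)]
```

To audit a real key, pass the policy returned by `aws kms get-key-policy --key-id <key-id> --policy-name default --output text` (parsed with `json.loads`) instead of `SAMPLE_POLICY`.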

## Managing which VMs are scanned <a href="#managing-which-vms-are-scanned" id="managing-which-vms-are-scanned"></a>

Aikido supports an [inclusion and exclusion model for VM scanning](/virtual-machine-scanning/aws/managing-which-vms-are-scanned.md).

## Scanning Frequency <a href="#scanning-frequency" id="scanning-frequency"></a>

Each day, 10% of all VMs enabled for scanning are rescanned, so on average, every VM is scanned once every 10 days.
