How to automate EBS encryption with Elastic Beanstalk

自闭症患者 2020-12-18 08:06

I am looking to encrypt my root EBS volumes for new EC2 environments that I create. I know that I can do this from the AWS console and from CloudFormation, but would like to

2 answers
  •  暗喜 (OP)
    2020-12-18 08:41

    You cannot specify to encrypt a root volume using either CloudFormation or Beanstalk. The key is to use an AMI that has an encrypted root volume. This means copying the AMI that you want to use and encrypting it during the AMI copy process. Once you have an encrypted AMI, you would use that AMI Id in CloudFormation or Beanstalk to launch instances.

    To encrypt a root volume:

    • Select the AMI that you want to create your EC2 instance from in the console.
    • Copy the AMI, selecting "encrypt" in the options. This will create a new AMI that has an encrypted root volume.
    • Specify the new AMI when creating the instance.

    This is the only method available on AWS to encrypt the root volume on an EC2 instance. Once you have an encrypted AMI, you can use this with any service where you can specify the AMI ImageId to create instances.

    The encrypted volume will use KMS to manage the encryption keys. Note: there is a minor charge for each KMS key and usage charges.

    You can also create an encrypted AMI using the CLI.

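    # Synopsis: options in [brackets] are optional; --name is required.
    aws ec2 copy-image --source-region source_region --source-image-id source_ami_id \
      --name ami_name [--description ami_description] [--client-token token] \
      [--encrypted] [--kms-key-id keyid]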
    

    Do not use AMIs created from snapshots when creating an encrypted AMI. AWS states that this can cause boot failures.

    For Elastic Beanstalk here is a link to use a custom AMI:

    Using a Custom Amazon Machine Image (AMI)
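
The copy-then-launch procedure from the answer above, scripted with the AWS CLI as an added example (not part of the original answer). The function names and argument order are hypothetical, and the script assumes the CLI is already configured with credentials and a destination region; the output is an `.ebextensions` option file that sets `ImageId` in the `aws:autoscaling:launchconfiguration` namespace.

```shell
#!/bin/sh
# Added example: copy an AMI with encryption, verify it, emit Beanstalk config.
# Function names are hypothetical; the copy lands in the CLI's configured region.

# Args: source_region source_ami_id new_ami_name [kms_key_id]. Prints new AMI ID.
copy_encrypted_ami() {
    src_region=$1; src_ami=$2; ami_name=$3; kms_key=${4:-}
    set -- --source-region "$src_region" --source-image-id "$src_ami" \
           --name "$ami_name" --encrypted
    # Without --kms-key-id, the account's default KMS key for EBS is used.
    if [ -n "$kms_key" ]; then set -- "$@" --kms-key-id "$kms_key"; fi
    aws ec2 copy-image "$@" --query ImageId --output text
}

# Succeeds only if the snapshot behind the AMI's root device is encrypted.
root_volume_encrypted() {
    root_dev=$(aws ec2 describe-images --image-ids "$1" \
        --query 'Images[0].RootDeviceName' --output text) || return 1
    encrypted=$(aws ec2 describe-images --image-ids "$1" --output text --query \
        "Images[0].BlockDeviceMappings[?DeviceName=='$root_dev'].Ebs.Encrypted | [0]") || return 1
    case "$encrypted" in True|true) return 0 ;; *) return 1 ;; esac
}

# Prints an .ebextensions option_settings document that pins the custom AMI.
eb_ami_config() {
    printf 'option_settings:\n  aws:autoscaling:launchconfiguration:\n    ImageId: %s\n' "$1"
}

# Full procedure: copy, wait until usable, refuse to continue if unencrypted.
encrypt_ami_for_beanstalk() {
    new_ami=$(copy_encrypted_ami "$@") || return 1
    aws ec2 wait image-available --image-ids "$new_ami" || return 1
    if ! root_volume_encrypted "$new_ami"; then
        echo "root volume of $new_ami is not encrypted" >&2
        return 1
    fi
    eb_ami_config "$new_ami"
}

# Run the procedure only when the script is given its arguments.
if [ "$#" -ge 3 ]; then
    encrypt_ami_for_beanstalk "$@"
fi
```

Redirect the output to a file such as `.ebextensions/custom-ami.config` in the application source bundle; the script exits non-zero instead of writing a config if the copied AMI's root volume does not report as encrypted.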
