发表新帖
发表新帖

How to automate EBS encryption with Elastic Beanstalk

前端 未结
关注
2 913
自闭症患者
自闭症患者 2020-12-18 08:06

I am looking to encrypt my root EBS volumes for new EC2 environments that I create. I know that I can do this from the AWS console and from CloudFormation, but would like to

相关标签:
2条回答
  • 你的背包
    2020-12-18 08:41

    As of May 23, 2019, you can Opt-in to Default Encryption for New EBS Volumes. Both EBS's (root/docker data) were encrypted on launch. This feature needs to be enabled per region.

    Test Setup

    Platform Version and Solution Stack Name: Single Container Docker 18.06 version 2.12.11

    AWS Console

    EC2 Console > Settings > Always encrypt new EBS volumes

    AWS CLI

    upgrade awscli first

    pip install awscli --upgrade

    enable

    aws ec2 enable-ebs-encryption-by-default --region us-east-1
{
    "EbsEncryptionByDefault": true
}

    disable

    aws ec2 disable-ebs-encryption-by-default --region us-east-1
{
    "EbsEncryptionByDefault": false
}

    get status

    aws ec2 get-ebs-encryption-by-default --region us-east-1
{
    "EbsEncryptionByDefault": false
}

    https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/

    0 讨论(0)
  • 暗喜
    2020-12-18 08:41

    You cannot specify to encrypt a root volume using either CloudFormation or Beanstalk. The key is to use an AMI that has an encrypted root volume. This means copying the AMI that you want to use and encrypting it during the AMI copy process. Once you have an encrypted AMI, you would use that AMI Id in CloudFormation or Beanstalk to launch instances.

    To encrypt a root volume:

    • Select the AMI that you want to create your EC2 instance in the console.
    • Copy the AMI selecting "encrypt" in the options. This will create a new AMI that has an encrypted root volume.
    • Specify the new AMI when creating the instance.

    This is the only method available on AWS to encrypt the root volume on an EC2 instance. Once you have an encrypted AMI, you can use this with any service where you can specify the AMI ImageId to create instances.

    The encrypted volume will use KMS to manage the encryption keys. Note: there is a minor charge for each KMS key and usage charges.

    You can also create an encrypted AMI using the CLI.

    aws ec2 copy-image -r source_region -s source_ami_id \
  [-n ami_name] [-d ami_description] [-c token] \
  [--encrypted] [--kmsKeyID keyid]

    Do not use AMIs created from snapshots when creating an encrypted AMI. AWS states that this can cause boot failures.

    For Elastic Beanstalk here is a link to use a custom AMI:

    Using a Custom Amazon Machine Image (AMI)

    0 讨论(0)
 看不清?
提交回复
热议问题