问题
I am looking to encrypt my root EBS volumes for new EC2 environments that I create. I know that I can do this from the AWS console and from CloudFormation, but would like to be able to do so via an Elastic Beanstalk config file.
I have tried by setting the EBS volume in the launch configuration, however this only creates additional volumes from the root volume:
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
BlockDeviceMappings: [ DeviceName: "/dev/sdf1", Ebs: { Encrypted: true, VolumeSize: 8, VolumeType: gp2}]
I have also tried to create a new EBS volume on environment creation, however I am unsure how to dynamically get the EC2 instance's logical name (I used MyEC2 here for reference):
Type: AWS::EC2::Volume
Properties:
AutoEnableIO: true
AvailabilityZone: { "Fn::GetAtt" : [ "MyEC2", "AvailabilityZone" ] }
Encrypted: true
KmsKeyId: mykey
Size: 8
VolumeType: gp2
Essentially I need to be able to create a new environment with an encrypted root volume. Any help would be greatly appreciated!
回答1:
You cannot specify to encrypt a root volume using either CloudFormation or Beanstalk. The key is to use an AMI that has an encrypted root volume. This means copying the AMI that you want to use and encrypting it during the AMI copy process. Once you have an encrypted AMI, you would use that AMI Id in CloudFormation or Beanstalk to launch instances.
To encrypt a root volume:
- Select the AMI that you want to create your EC2 instance in the console.
- Copy the AMI selecting "encrypt" in the options. This will create a new AMI that has an encrypted root volume.
- Specify the new AMI when creating the instance.
This is the only method available on AWS to encrypt the root volume on an EC2 instance. Once you have an encrypted AMI, you can use this with any service where you can specify the AMI ImageId to create instances.
The encrypted volume will use KMS to manage the encryption keys. Note: there is a minor charge for each KMS key and usage charges.
You can also create an encrypted AMI using the CLI.
aws ec2 copy-image -r source_region -s source_ami_id \
[-n ami_name] [-d ami_description] [-c token] \
[--encrypted] [--kmsKeyID keyid]
Do not use AMIs created from snapshots when creating an encrypted AMI. AWS states that this can cause boot failures.
For Elastic Beanstalk here is a link to use a custom AMI:
Using a Custom Amazon Machine Image (AMI)
回答2:
As of May 23, 2019, you can Opt-in to Default Encryption for New EBS Volumes. Both EBS's (root/docker data) were encrypted on launch. This feature needs to be enabled per region.
Test Setup
Platform Version and Solution Stack Name: Single Container Docker 18.06 version 2.12.11
AWS Console
EC2 Console > Settings > Always encrypt new EBS volumes
AWS CLI
upgrade awscli first
pip install awscli --upgrade
enable
aws ec2 enable-ebs-encryption-by-default --region us-east-1
{
"EbsEncryptionByDefault": true
}
disable
aws ec2 disable-ebs-encryption-by-default --region us-east-1
{
"EbsEncryptionByDefault": false
}
get status
aws ec2 get-ebs-encryption-by-default --region us-east-1
{
"EbsEncryptionByDefault": false
}
https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/
来源:https://stackoverflow.com/questions/52231052/how-to-automate-ebs-encryption-with-elastic-beanstalk