vikasbanage for AWS Community Builders

Posted on Dec 12

AWS EBS Encryption Simplified : Protecting Your Cloud Data Effectively

#aws #cloud #data #security

When it comes to data storage on the AWS Cloud, AWS offers a variety of services tailored to meet different needs. Two of the most widely used are Amazon S3 (for object storage) and Amazon Elastic Block Store (EBS) (for block storage). If you need a block device for mounting on instances, with fast data access and long-term persistence, EBS is the go-to choice.

Amazon EBS is tightly integrated with services like EC2 and RDS, making it a reliable and versatile option for many workloads.

But here’s the question we all need to ask ourselves: What Should We Care About When Storing Data on AWS?

The simple answer: Security.

AWS follows a shared responsibility model:

AWS’s Responsibility: "Security of the Cloud"
Customer’s Responsibility: "Security in the Cloud"

This means that any data we store on AWS services, including EBS, is our responsibility to protect. If an attacker gains access to your AWS environment, unencrypted data can be an easy target.

So, how do we secure data stored on EBS?

EBS Encryption.

Encrypting your EBS volumes ensures that your data is protected at rest. Encryption also secures all backups created from the volume and snapshots copied from it.

In this blog, we’ll explore two key methods for encrypting EBS volumes:

Default Encryption: Encrypt new volumes automatically during creation.
Encrypt Existing Non-Encrypted Volumes: Add encryption to volumes that were initially created without it.

Enable Default encryption

By default, when account gets created this setting is disabled. We can enable this easily by going to EC2 Dashboard.

Go to EC2 Dashboard → Under Account Attribute — Data protection and security → Manage

Once you click on Manage, you should able to enable encryption by just selecting checkbox. One important thing to note here, KMS Key you will be using. Here I have selected default key, but I would suggest to create Customer Managed KMS key, make sure KMS key policy that should give permission to role/user which going to be used by EC2/Application.

Once you enabled this setting, whenever you create EC2 instance it’s corresponding EBS volume will get encrypted with above key.

BUT, what about the volume which are created without encryption ?

Encrypting existing Non-Encrypted Volume

It may happen that while creating EC2 instance or EBS we didn’t created volume with encryption. This should not be a problem if we discovered earlier before attacker or auditor discovers ;)

Encrypting a non-encrypted volume is a five step process:

Take snapshot of non-encrypted volume.
Copy & Encrypt Snapshot
Create volume from Encrypted Snapshot
Stop EC2 instance & Detach non-encrypted volume.
Attached encrypted volume & Start EC2 instance.

As a part of this blog, I have done this process in my test environment. I would highly recommend to performance this steps in your test environment first and test your application. If all things work in test , only then proceed on production.

Let’s start encrypting a non-encrypted volume.

As a part of this blog, I have spin-up EC2 instance, installed apache server on it and added simple HTML page. One thing also note, Availability Zone in which you created EC2 instance. EBS and EC2 are zone specific. You cannot attach EBS from AZ-1 to EC2 instance in AZ-2.

So make sure to note-down the Availability Zone of EC2, EBS , it will be easy in performing steps.

As you can see in above screenshot, the volume which is attached to EC2 instance is not encrypted.

1. Take snapshot of non-encrypted volume
Part of this step, go to EBS volume attached to EC2 instance. You can easily do this by selecting EC2 → Go to Storage Tab →Click on corresponding EBS volume which start with vol-

In this step it also good to note down device name for respective volume, in this case it /dev/xvda

You will get navigated to below page where you can select from Action to Create Snapshot.

You can find snapshot section on left pane of AWS console. Go to Snapshot console, click on arrange by creation date (it will be easy for us to check recent snapshot if you have too many snapshots.). You will find recent snapshot creation in process.

After some time depending on size, you should able see the status Completed and progress Available. It means snapshot created successfully.

2. Copy & Encrypt Snapshot

Once snapshot is created successfully from step one, it’s time to copy snapshot and also encrypt. To do that, in snapshot console, select snapshot we created earlier → Action → Copy Snapshot.

During this copy process, you can also encrypt snapshot. For encryption you can provide default KMS key or customer managed KMS key. Make sure KMS key you will be selecting should have KMS key policy which grant access to corresponding EC2 role/ user who will be access application.

Here I have selected default KMS key which have permission to users and roles belongs this account only.

Click on Copy Snapshot, this operation should take some time to complete. Depending on size, time can vary. After 2 minute (in my case), I was able to see encrypted snapshot available.

3. Create volume from Encrypted Snapshot
Now we have encrypted snapshot available, we can create encrypted volume. Select encrypted snapshot → Action → Create Volume from Snapshot.

You will get pop-up after you click Create Volume from Snapshot.

On first option, you can select Volume time GP2, GP3, io1/2 etc. But I would recommend not to change volume type in this case. Keep the volume same as it was before like if current EC2 is on GP2 keep GP2 only, if it is on GP3, keep GP3 only. Our goal here is to encrypt volume only, not to play with performance or other parameters of volume. So if size was 8 GiB, keep 8GiB only. In your case if it is 100GiB, keep it that only.

So jumping on to availability zone, make sure to select correct availability zone. If your current EC2 instance is in us-east-1a, you select us-east-1a. In my case I have EC2 instance in us-east-1f so I selected here us-east-1f.

Click on Create Volume. Volume should be available quickly under Volume console. As you can see, Volume state is Avaialble, it means it is not attached to any instance and the one above which is In-use attached to EC2 instance but it is not encrypted.

So our next step is to attached this encrypted volume to EC2 instance. But before that we need to detach Non-encypted volume from EC2.

4. Stop EC2 instance & Detach non-encrypted volume

As this step leads to application downtime or non-avaialblity. I would suggest to have communication to user who access application. Or best way to have high-available application which is behind Load Balancer and do one server at a time.

In this step, we are going to detach non-ecrypted volume. Before that it is recommended to stop EC2 instance first. Go to corresponding EC2 instance → Instance State →Stop Instance.

Once instance stopped, go to corresponding EC2 volume attached to EC2 instance. It should take you to the volume console, select volume → Actions → Detach Volume. You can confirm when pop-up occured.

Once done, volume state should change to available, may be you also need refresh to reflect state.

5. Attached encrypted volume & Start EC2 instance
In this step we will be attaching encrypted volume to EC2 instance.

Select encrypted volume → Actions → Attach volume.

You will get below pop-up.

In instance drop down, select the instance you stopped in pervious step, you can copy instance-id from EC2 console and just search if there are too many instance in drop-down. If you are not able to see instance, check volume availability zone, it may happen EC2 and EBS volume you created from snapshot are in different AZs.

In device name filed, make sure to enter same name that you have noted down in step-1. In my case it is /dev/xvda

Click on attach volume.