Revathi Joshi for AWS Community Builders

EC2 instance of a launched Cloud9 environment and its EBS Volume encryption with AWS Managed Key

In this article, I am going to show you how to encrypt the EBS volume of the EC2 instance of an already launched Cloud9 environment using an AWS managed key.

What is AWS Cloud9?

AWS Cloud9 is an integrated development environment, or IDE. It runs in a web browser on your local computer, which connects to your AWS Cloud9 environment. When you create a Cloud9 environment, it creates an EC2 instance on your computer. You can store all your project's files in the Cloud9 environment locally on the server. You can also store the files in a remote AWS CodeCommit repository that you cloned into your environment.

What is Amazon Elastic Compute Cloud (Amazon EC2)?

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud.

These are some of the EC2 features that are going to be explored in this article.

1. Instance: A virtual computing server in the AWS Cloud.

2. Amazon Machine Image (AMI): You launch an instance from a pre-configured template such as an Amazon Machine Image (AMI). The AMI provides the operating system and additional software.

3. Amazon Elastic Block Store (Amazon EBS): A block-level, persistent storage volume attached to an EC2 instance in the same Availability Zone. It can be used like a physical hard drive, including as the root device. You can attach multiple EBS volumes to a single instance, but the volume and instance must be in the same Availability Zone.

4. Regions and Availability Zones: Physical locations for your resources, such as instances and Amazon EBS volumes.

What are AWS Managed Keys?

AWS managed keys are KMS keys in your account that are created, managed, and used on your behalf by an AWS service (in this article, I am using EBS) integrated with AWS KMS.

  • Can be identified by their aliases - the format aws/service-name (aws/ebs)
  • Are automatically rotated every year. You cannot change their rotation schedule.
  • No monthly fee.
  • AWS KMS key, by default, uses symmetric encryption, where the same key is used for encryption and decryption.

Please visit my GitHub Repository for EBS articles on various topics, which are being updated on a constant basis.

Let’s get started!

Objectives:

1. Create and Locate the EC2 and EBS instance of Cloud9 Environment

2. Create a snapshot of the EBS volume

3. Copy snapshot (unencrypted) to an encrypted copy using AWS Managed Key

4. Create a new EBS volume from the encrypted snapshot in the same Availability Zone as your EC2 instance

5. Stop the (unencrypted) EC2 instance of Cloud9 environment

6. Detach existing (unencrypted) volume from the Amazon Instance

7. Attach the new (encrypted) volume to the Amazon EC2 instance

8. Restart the encrypted EC2 instance

Pre-requisites:

  • AWS user account with admin access, not a root account.
  • Cloud9 IDE with AWS CLI.

Resources Used:

Create an EC2 environment with the console

Encrypt an existing Amazon EBS volume used by AWS Cloud9

Steps to implement this project:

1. Create and Locate the EC2 and EBS instance of Cloud9 Environment

In AWS Cloud9 Console / Create environment / Under Details /

Name: test

Create

You have to wait 3-4 min to complete creating the Cloud9 environment.

Cloud9 environment - test


Volume for "test" Cloud9 environment - not encrypted

  • From the EC2 Console / Choose Volumes /

  • name it as test-volume


  • From the EC2 Console


Note:
1. Take note of the Device name - /dev/xvda and
2. Availability zone - us-east-1f

2. Create a snapshot of the EBS volume

On the EC2 console / Under Elastic Block Store / choose Snapshots / Create snapshot / Under Create snapshot / Snapshot settings /

Resource type: Volume
Volume ID: select the existing volume - test-volume
Create snapshot

  • name it as test-snap-unencrypt


3. Copy snapshot (unencrypted) to an encrypted copy using AWS Managed Key

On Amazon EC2 console / choose Snapshots / Select the Snapshot that you just now created / Under Actions drop-down / Select copy snapshot / Under Copy snapshot

Encryption: Check the box for Encrypt this snapshot
KMS key: select aws/ebs
Copy snapshot

  • name it as test-snap-encrypt
  • Wait till Snapshot status: shows - Completed


4. Create a new EBS volume from the encrypted snapshot in the same Availability Zone as your EC2 instance

  • New EBS volumes that are created from encrypted snapshots are automatically encrypted.

  • For Availability Zone, choose the Availability Zone in which to create the volume. A volume can be attached only to instances that are in the same Availability Zone.

On Amazon EC2 console / choose Snapshots / Select the encrypted Snapshot that you just now created / Under Actions drop-down / Select Create volume from snapshot / Under Volume settings

Availability Zone: Choose the same Availability Zone where the EC2 Instance for Cloud9 is - us-east-1f

Create volume

  • From the EC2 Console / Choose Volumes /

  • name it as test-volume-encrypt


5. Stop the (unencrypted) EC2 instance of Cloud9 environment

On the Amazon EC2 console/ Check the box for EC2 instance of Cloud9 environment test / Under Instance state / Stop instance

Stop

  • Wait till Instance status: shows - Stopped


6. Detach existing (unencrypted) volume from the Amazon Instance

On the Amazon EC2 console/ Under Elastic Block Store / Volumes / Choose test-volume (unencrypted) / Under Actions / Detach volume

Note:
1. Attached instances - Nil and
2. Encryption - Not Encrypted


7. Attach the new (encrypted) volume to the Amazon EC2 instance

Note: The volume must be attached to an instance in the same Availability Zone.

On EC2 console / Under Elastic Block Store / Check the box test-volume-encrypt / Under Actions drop-down / Attach Volume
Under Attach volume / Under Basic details / Instance / select "Cloud9 test instance" which is stopped /

Availability Zone: us-east-1f (is already selected)
Device name: /dev/xvda (which is noted from Step 1)

Attach volume

Note:
1. Attached instances - shows aws-cloud9 instances attached to the device /dev/xvda
2. Encryption - Encrypted
3. Availability Zone: us-east-1f


  • From the EC2 Console Instance state Stopped


  • From the EC2 Console / Under Storage tab

Device name: /dev/xvda
Attachment status: Attached
Encrypted: Yes


8. Restart the encrypted EC2 instance

On the Amazon EC2 console/ Check the box for EC2 instance of Cloud9 environment test / Under Instance state / Start instance

  • Wait till Instance status: shows - Running
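
The same eight steps as a function for the AWS CLI (an added example, not part of the original article). It assumes the caller supplies the instance ID and that the CLI's default region is the instance's region; run it from a shell outside the Cloud9 environment being converted, because step 5 stops that instance.

```bash
# Usage: source this file, then run: encrypt_root_volume <instance-id> [device]
# Assumptions: instance ID is the caller's; CLI default region = instance region.
encrypt_root_volume() {
  local instance_id="$1" device="${2:-/dev/xvda}"   # device name from step 1
  local old_vol az encrypted region snap enc_snap new_vol

  # Step 1: locate the root volume, its Availability Zone and encryption state
  set -- $(aws ec2 describe-volumes \
    --filters "Name=attachment.instance-id,Values=$instance_id" \
              "Name=attachment.device,Values=$device" \
    --query 'Volumes[0].[VolumeId,AvailabilityZone,Encrypted]' --output text)
  [ "$#" -eq 3 ] || { echo "no volume on $device of $instance_id" >&2; return 1; }
  old_vol=$1 az=$2 encrypted=$3 region=${2%?}        # us-east-1f -> us-east-1
  [ "$encrypted" != True ] || { echo "$old_vol"; return 0; }  # already encrypted

  # Step 2: snapshot the unencrypted volume
  snap=$(aws ec2 create-snapshot --volume-id "$old_vol" \
    --description test-snap-unencrypt --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"

  # Step 3: encrypted copy under the AWS managed key (alias aws/ebs)
  enc_snap=$(aws ec2 copy-snapshot --source-region "$region" \
    --source-snapshot-id "$snap" --encrypted --kms-key-id alias/aws/ebs \
    --description test-snap-encrypt --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$enc_snap"

  # Step 4: new volume from the encrypted snapshot, same AZ as the instance
  new_vol=$(aws ec2 create-volume --snapshot-id "$enc_snap" \
    --availability-zone "$az" --query VolumeId --output text)
  aws ec2 wait volume-available --volume-ids "$new_vol"

  # Steps 5-6: stop the instance, then detach the unencrypted volume
  aws ec2 stop-instances --instance-ids "$instance_id" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance_id"
  aws ec2 detach-volume --volume-id "$old_vol" >/dev/null
  aws ec2 wait volume-available --volume-ids "$old_vol"

  # Step 7: attach the encrypted volume under the original device name
  aws ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance_id" \
    --device "$device" >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$new_vol"

  # Check, then step 8: start only if the attached volume reports Encrypted
  [ "$(aws ec2 describe-volumes --volume-ids "$new_vol" \
    --query 'Volumes[0].Encrypted' --output text)" = True ] || return 1
  aws ec2 start-instances --instance-ids "$instance_id" >/dev/null
  aws ec2 wait instance-running --instance-ids "$instance_id"
  echo "$new_vol"
}
```

The function prints the ID of the encrypted volume now attached, or the existing volume ID if the root volume was already encrypted; the unencrypted volume and both snapshots are left in place for the Cleanup step.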


Cleanup

  • Delete Cloud9 environment test
  • Delete Volumes for test
  • Delete Snapshots for test

What we have done so far

First, we encrypted a snapshot of the existing unencrypted Amazon EBS volume used by the AWS Cloud9 EC2 instance, using an AWS managed key.

Next, after stopping the EC2 instance, we detached the unencrypted volume and attached the encrypted volume.

Lastly, we started the EC2 instance of Cloud9 with its encrypted volume.