DEV Community

Discussion on: AWS EC2 - EBS Volume Encryption

Dinesh Rathee • Edited

That's a good approach 👌
Also, just curious to share something interesting I came across earlier which can achieve this task with a single setting in the AWS account.

You can now specify that you want all newly created EBS volumes to be created in encrypted form, with the option to use the default key provided by AWS, or a key that you create.

Please take a look at this:
aws.amazon.com/blogs/aws/new-opt-i...

Saravanan Gnanaguru • Edited

Yes, Dinesh. Thanks for sharing the doc URL. My article mainly focuses on encrypting the EBS volume of an already created EC2 instance.

Dinesh Rathee • Edited

Thanks Saravanan. Actually I did some tests based on this doc and also verified that this will ensure that when you "launch a new instance", its root volume will be encrypted automatically on launch.

Just wrote a blog post:

  • Blog Post
  • Probably this will explain a bit more on this :)

    Saravanan Gnanaguru • Edited

    Dinesh, I just wanted to clarify that there are two parts in this article:

    1. Encrypt EBS - After Creating the EC2 instance
    2. Encrypt EBS - Before Creating the EC2 instance.

    So the new option provided by AWS solves the purpose of the 2nd part of the article (encrypt volume before creating instance),
    whereas part 1, Encrypt EBS - After Creating the EC2 instance, still needs manually encrypting the EC2 instance, and my article and script can be used to achieve the same thing in an automated way using the script.

    Hope this clarifies.

    Dinesh Rathee

    That's correct. Actually I was mainly focusing on Part #2, which focuses upon "Encrypt EBS - Before Creating the EC2 instance" using this feature instead of doing it via a script.

    The interesting part is a scenario where we use public AMIs: the snapshot is present on S3 in the public domain, the OS (root volume) gets created and by default it will be unencrypted. If we use this Account Attributes feature setting for a region, it will definitely save the overhead of the (stop, copy snapshot, encrypt, AMI, and use that AMI for launch) process, which can be avoided by simply applying the account-level region encryption setting without any intervention from a user.
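The region-level setting discussed above, as an added example that is not part of this thread or of the article's own script: a small Python/boto3 check that enables EBS encryption by default for one region and lists the existing volumes the setting does not cover (the part-1 case, which still needs the snapshot-copy workflow). The `FakeEc2Client`, the sample volume list and the `us-east-1` region are constructed assumptions; `get_ebs_encryption_by_default`, `enable_ebs_encryption_by_default` and `describe_volumes` are real EC2 client methods.

```python
"""Audit one region's EBS encryption-by-default setting and find volumes it does not cover."""
from typing import Any, Dict, List

# Constructed sample describe_volumes() response; not taken from a real account.
SAMPLE_DESCRIBE_VOLUMES: Dict[str, Any] = {
    "Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True},
        {"VolumeId": "vol-0bbb", "Encrypted": False},  # e.g. root volume launched from a public AMI
        {"VolumeId": "vol-0ccc", "Encrypted": False},
    ]
}


class FakeEc2Client:
    """Offline stand-in (constructed) for the two boto3 EC2 calls used below."""

    def __init__(self, enabled: bool) -> None:
        self.enabled = enabled
        self.enable_calls = 0

    def get_ebs_encryption_by_default(self) -> Dict[str, bool]:
        return {"EbsEncryptionByDefault": self.enabled}

    def enable_ebs_encryption_by_default(self) -> Dict[str, bool]:
        self.enable_calls += 1
        self.enabled = True
        return {"EbsEncryptionByDefault": True}


def unencrypted_volumes(response: Dict[str, Any]) -> List[str]:
    """VolumeIds without encryption. The default-encryption setting only covers volumes
    created after it is enabled, so these still need the snapshot-copy workflow (part 1)."""
    return [v["VolumeId"] for v in response.get("Volumes", []) if not v.get("Encrypted")]


def ensure_default_encryption(ec2) -> Dict[str, bool]:
    """Enable encryption by default in the region `ec2` is bound to, if it is not already.
    `ec2` is a boto3 EC2 client (or anything exposing the same two methods)."""
    was_enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    if was_enabled:
        return {"was_enabled": True, "now_enabled": True}
    now_enabled = ec2.enable_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    return {"was_enabled": False, "now_enabled": now_enabled}


if __name__ == "__main__":
    import boto3  # only needed against a real account; the region below is an assumption
    ec2 = boto3.client("ec2", region_name="us-east-1")
    print(ensure_default_encryption(ec2))  # the setting is per region, so repeat per region used
    for page in ec2.get_paginator("describe_volumes").paginate():
        for vid in unencrypted_volumes(page):
            print("still unencrypted, needs manual migration:", vid)
```

Running it against the fake client shows the setting is only turned on when it was off, and that pre-existing unencrypted volumes are reported rather than silently left behind.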