I am looking to encrypt my root EBS volumes for new EC2 environments that I create. I know that I can do this from the AWS console and from CloudFormation, but would like to be able to do so via an Elastic Beanstalk config file.
I have tried by setting the EBS volume in the launch configuration, however this only creates additional volumes from the root volume:
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
BlockDeviceMappings: [ DeviceName: "/dev/sdf1", Ebs: { Encrypted: true, VolumeSize: 8, VolumeType: gp2}]
I have also tried to create a new EBS volume on environment creation, however I am unsure how to dynamically get the EC2 instance's logical name (I used MyEC2 here for reference):
Type: AWS::EC2::Volume
Properties:
AutoEnableIO: true
AvailabilityZone: { "Fn::GetAtt" : [ "MyEC2", "AvailabilityZone" ] }
Encrypted: true
KmsKeyId: mykey
Size: 8
VolumeType: gp2
Essentially I need to be able to create a new environment with an encrypted root volume. Any help would be greatly appreciated!
Encrypt unencrypted resourcesIf you enable encryption by default, Amazon EBS automatically encrypts new volumes and snapshots using your default KMS key for EBS encryption.
You can now choose an EBS General Purpose (SSD) or EBS Provisioned IOPS (SSD) volume as the boot device when setting up your Elastic Beanstalk environment. Amazon Elastic Block Store (EBS) provides block storage volumes for use with Amazon EC2 instances.
Your AWS Elastic Beanstalk environment includes an Auto Scaling group that manages the Amazon EC2 instances in your environment. In a single-instance environment, the Auto Scaling group ensures that there is always one instance running.
As of May 23, 2019, you can Opt-in to Default Encryption for New EBS Volumes. Both EBS's (root/docker data) were encrypted on launch. This feature needs to be enabled per region.
Test Setup
Platform Version and Solution Stack Name: Single Container Docker 18.06 version 2.12.11
AWS Console
EC2 Console > Settings > Always encrypt new EBS volumes
AWS CLI
upgrade awscli first
pip install awscli --upgrade
enable
aws ec2 enable-ebs-encryption-by-default --region us-east-1
{
"EbsEncryptionByDefault": true
}
disable
aws ec2 disable-ebs-encryption-by-default --region us-east-1
{
"EbsEncryptionByDefault": false
}
get status
aws ec2 get-ebs-encryption-by-default --region us-east-1
{
"EbsEncryptionByDefault": false
}
https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/
You cannot specify to encrypt a root volume using either CloudFormation or Beanstalk. The key is to use an AMI that has an encrypted root volume. This means copying the AMI that you want to use and encrypting it during the AMI copy process. Once you have an encrypted AMI, you would use that AMI Id in CloudFormation or Beanstalk to launch instances.
To encrypt a root volume:
This is the only method available on AWS to encrypt the root volume on an EC2 instance. Once you have an encrypted AMI, you can use this with any service where you can specify the AMI ImageId to create instances.
The encrypted volume will use KMS to manage the encryption keys. Note: there is a minor charge for each KMS key and usage charges.
You can also create an encrypted AMI using the CLI.
aws ec2 copy-image -r source_region -s source_ami_id \
[-n ami_name] [-d ami_description] [-c token] \
[--encrypted] [--kmsKeyID keyid]
Do not use AMIs created from snapshots when creating an encrypted AMI. AWS states that this can cause boot failures.
For Elastic Beanstalk here is a link to use a custom AMI:
Using a Custom Amazon Machine Image (AMI)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With