Encryption in AWS - how to do it
Encryption cat can haz all your keys

Okay, so the cute puss-cat has nothing to do with encryption in AWS, but it got your attention, right?

Now that I’ve got you, let’s talk about the amazing work AWS have been doing recently to help us encrypt everything. Their mission is to make encryption the standard, not the exception. We think that’s a pretty rockin’ idea, but what are the tools for encryption, and how can we use them? Let’s look at Elastic Block Store (EBS) encryption, how we can mandate it inside our environment, and how to remediate unencrypted volumes we’re currently using.

EBS volumes

Encrypting EBS volumes is an example of encryption at rest, and forms part of the security pillar of the AWS Well Architected Framework. The Well Architected Framework sounds dull, but honestly, go check it out. It will absolutely help you build better cloud platforms wherever you choose to do it.

AWS recently made it super easy to ensure any new volume created within an account is automatically encrypted. If it’s the default, who’s going to turn it off? Because EBS keys are managed per Region for the EC2 service, the setting is per Region too, so we need to make this change once in each Region we use. Here’s how to switch on EBS encryption by default in AWS:

To enable encryption by default for a Region

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. From the navigation bar, select the Region.
  3. From the navigation pane, select EC2 Dashboard.
  4. In the upper-right corner of the page, choose Account Attributes, then Settings.
  5. Under EBS Storage, select Always encrypt new EBS volumes.
  6. Choose Update.


Converting an existing unencrypted volume to be encrypted is a little more involved, but here are the steps:

To enable encryption for existing EBS volumes

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. From the navigation bar, select Volumes.
  3. Select the volume to be encrypted, and click Actions from the top of the console and select Create Snapshot.
  4. From the navigation bar, select Snapshots.
  5. Once the snapshot we just created has completed, select it, click Actions and choose Copy.
  6. In the pop-up menu, tick the all-important Encrypt this snapshot option. Unless you have a requirement to use a specific key (discussed later), use the default master key and click Copy.
  7. Now select the copied snapshot you just created, click Actions and select Create Volume.
  8. Fill in all the details from the page which opens up, and notice the tick in the Encryption option, which you can’t change. Click Create Volume to finish the process.
  9. At this stage, you’re ready to replace your unencrypted volume with your shiny new encrypted one and restart your server.
  10. Don’t forget to delete the unencrypted copies of the volume from before, including the snapshot we took, once you’re happy everything is running as expected.
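The volume conversion above, plus a check for which volumes still need it, expressed as EC2 API calls. This is an added example, not the post’s own code: `ec2` is assumed to be a boto3 EC2 client for the Region in question, and `FakeEC2` is a constructed stand-in that models only the calls used so the example runs offline.

```python
# Added example, not the post's own code. `ec2` is a boto3 EC2 client, e.g.
# boto3.client("ec2", region_name="eu-west-1"); FakeEC2 is a constructed offline stand-in.

def unencrypted_volumes(ec2):
    """IDs of volumes in this Region whose Encrypted flag is False (first page only)."""
    page = ec2.describe_volumes(Filters=[{"Name": "encrypted", "Values": ["false"]}])
    return [v["VolumeId"] for v in page["Volumes"]]

def encrypt_volume(ec2, volume_id, region, kms_key_id=None):
    """Steps 3-8: returns (new_volume_id, plain_snapshot_id, encrypted_snapshot_id);
    attach the new volume, verify, then delete the old volume and both snapshots."""
    az = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]["AvailabilityZone"]
    plain = ec2.create_snapshot(VolumeId=volume_id, Description="pre-encryption copy")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[plain])
    args = {"SourceSnapshotId": plain, "SourceRegion": region, "Encrypted": True}
    if kms_key_id:  # leave unset to use the account's default EBS key
        args["KmsKeyId"] = kms_key_id
    enc = ec2.copy_snapshot(**args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc])
    vol = ec2.create_volume(SnapshotId=enc, AvailabilityZone=az)
    if not vol["Encrypted"]:  # a volume built from an encrypted snapshot must be encrypted
        raise RuntimeError(f"{vol['VolumeId']} came back unencrypted")
    return vol["VolumeId"], plain, enc

class FakeEC2:  # constructed stand-in: two volumes in one AZ, one of them unencrypted
    def __init__(self):
        self.volumes = {vid: {"VolumeId": vid, "Encrypted": enc, "AvailabilityZone": "eu-west-1a"}
                        for vid, enc in (("vol-plain", False), ("vol-enc", True))}
        self.snapshots, self.n = {}, 0  # snapshot id -> encrypted flag
    def _new(self, prefix):
        self.n += 1
        return f"{prefix}-{self.n}"
    def describe_volumes(self, VolumeIds=None, Filters=None):
        vols = [v for v in self.volumes.values() if not VolumeIds or v["VolumeId"] in VolumeIds]
        if Filters:  # only the "encrypted" filter is modelled
            vols = [v for v in vols if v["Encrypted"] == (Filters[0]["Values"][0] == "true")]
        return {"Volumes": vols}
    def create_snapshot(self, VolumeId, **_):
        sid = self._new("snap")
        self.snapshots[sid] = self.volumes[VolumeId]["Encrypted"]
        return {"SnapshotId": sid}
    def copy_snapshot(self, SourceSnapshotId, Encrypted=False, **_):
        sid = self._new("snap")
        self.snapshots[sid] = Encrypted or self.snapshots[SourceSnapshotId]
        return {"SnapshotId": sid}
    def create_volume(self, SnapshotId, AvailabilityZone, **_):
        vol = {"VolumeId": self._new("vol"), "Encrypted": self.snapshots[SnapshotId], "AvailabilityZone": AvailabilityZone}
        self.volumes[vol["VolumeId"]] = vol
        return vol
    def get_waiter(self, name):  # snapshots complete instantly in the fake
        return type("Waiter", (), {"wait": lambda self, **kw: None})()
```

Point `unencrypted_volumes` at a real client in each Region to see what still needs converting; the old volume stays in that list until you delete it in step 10.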

Stay tuned for more in our Encryption in AWS series: let’s do some! We also have loads of helpful security posts to help you out on your AWS journey.
