In my previous blog I showed you how to do EBS Volume encryption with an AWS Managed Key on the EC2 instance of a launched Cloud9 environment.
In this article, I am going to show you how to do EBS Volume encryption with the AWS Command Line Interface (CLI) using an AWS Managed Key.
For a detailed description of the EBS volume encryption process, please visit my previous blog mentioned above.
Let’s get started!
Please visit my GitHub Repository for EBS articles on various topics being updated on constant basis.
Objectives:
1. Create an AWS EC2 instance
2. Create a snapshot of the EBS volume
3. Copy snapshot (unencrypted) to an encrypted copy using AWS Managed Key
4. Create a new EBS volume from the encrypted snapshot in the same Availability Zone as your EC2 instance
5. Attach the new (encrypted) volume to the Amazon EC2 instance on a different device
6. Restart the encrypted EC2 instance
Pre-requisites:
- AWS user account with admin access, not a root account.
- Cloud9 IDE with AWS CLI.
- Create an IAM role with AmazonEBSCSIDriverPolicy and AmazonEC2FullAccess.
Resources Used:
Please visit my previous blog for some of the CLI commands used for EC2 creation.
Steps for implementing this project:
1. Create an AWS EC2 instance and log in to the EC2 instance through EC2 Connect
- Find an AMI
An Amazon Machine Image (AMI) is an image provided by AWS. It is a template for the root volume of the instance (for example, an operating system, an application server, and applications).
In the AWS EC2 console go to Instances, choose Launch an EC2 Instance, and under Application and OS Images (Amazon Machine Image) choose Amazon Linux.
Copy the Amazon Machine Image (AMI) ID.
- Find the EC2 Instance type
There are many instance types, grouped together based on different compute, memory and storage capabilities. I have chosen t2.micro, which is in the free tier.
aws ec2 run-instances --image-id ami-0b5eea76982371e91 --count 1 --instance-type t2.micro --region us-east-1
Take note of the instance ID.
Instance ID - i-077af5f2ecb89c2ad
Name it as myec2.
aws ec2 describe-instances
- To get the following values:
Note:
1. Take note of the Device name - /dev/xvda
2. Availability zone - us-east-1c
3. Volume ID - vol-0fb860db404da7a11
name it as ec2-vol-unencrypt
aws ec2 describe-instances \
--instance-ids i-077af5f2ecb89c2ad
2. Create a snapshot of the EBS volume
- substitute the volume ID from step 1
aws ec2 create-snapshot --volume-id vol-0fb860db404da7a11 --region us-east-1 --description "ec2-snap-unencrypt"
Note:
1. Snapshot ID - snap-026d48b0db0f94561
name it as ec2-snap-unencrypt
3. Copy snapshot (unencrypted) to an encrypted copy using AWS Managed Key
- Using SnapshotId from previous step as source, create an encrypted copy of the snapshot
ec2-snap-unencrypt =======> ec2-snap-encrypt
aws ec2 copy-snapshot \
--source-region us-east-1 \
--source-snapshot-id snap-026d48b0db0f94561 \
--encrypted \
--kms-key-id alias/aws/ebs \
--description "ec2-snap-encrypt"
- Wait until the snapshot State shows completed
aws ec2 describe-snapshots \
--snapshot-ids snap-0ffad4354d5eec3f4
Note:
1. ec2-snap-encrypt - snap-0ffad4354d5eec3f4
4. Create a new EBS volume from the encrypted snapshot in the same Availability Zone as your EC2 instance
ec2-snap-encrypt =======> ec2-vol-encrypt
Create a new volume from this encrypted snapshot with the create-volume CLI command.
The output of this command gives you the volume identifier, which can now be used in place of the original unencrypted EBS volume.
aws ec2 create-volume \
--region us-east-1 \
--availability-zone us-east-1c \
--snapshot-id snap-0ffad4354d5eec3f4 \
--volume-type gp2 \
--encrypted
Note: ec2-vol-encrypt - vol-08e4cd64f0208e4f0
5. Attach the new (encrypted) volume to the Amazon EC2 instance on a different device
ec2-vol-encrypt =======> attach to EC2 Instance
aws ec2 attach-volume --volume-id vol-08e4cd64f0208e4f0 --instance-id i-077af5f2ecb89c2ad --device /dev/xvdb
- To check the encrypted EC2 volume and its device name:
aws ec2 describe-instances \
--filters "Name=tag-value,Values=myec2"
6. Restart the encrypted EC2 instance
To check that the EC2 instance is running fine after encryption:
- Stop the EC2 encrypted instance
aws ec2 stop-instances --instance-ids i-077af5f2ecb89c2ad
- Start the EC2 encrypted instance
aws ec2 start-instances --instance-ids i-077af5f2ecb89c2ad
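The check in step 5 (which volumes are attached, on which device, and whether each one is encrypted) can be done programmatically over the JSON that `aws ec2 describe-volumes` prints. The script below is an added example, not code from the original post; it embeds a constructed sample of that JSON using the volume IDs from this article, with a placeholder KMS key ARN and example account ID since the real key ARN is not shown above. Pipe real output in with `aws ec2 describe-volumes --region us-east-1 | python3 audit_ebs.py i-077af5f2ecb89c2ad`.

```python
import json
import sys

# Constructed sample of describe-volumes output at the end of step 5: the original
# root volume (unencrypted, /dev/xvda) and the encrypted copy attached on /dev/xvdb.
SAMPLE_DESCRIBE_VOLUMES = {
    "Volumes": [
        {
            "VolumeId": "vol-0fb860db404da7a11",
            "AvailabilityZone": "us-east-1c",
            "Encrypted": False,
            "Attachments": [{"InstanceId": "i-077af5f2ecb89c2ad",
                             "Device": "/dev/xvda", "State": "attached"}],
        },
        {
            "VolumeId": "vol-08e4cd64f0208e4f0",
            "AvailabilityZone": "us-east-1c",
            "Encrypted": True,
            # Placeholder key ARN; the real ARN comes from your own account.
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
            "SnapshotId": "snap-0ffad4354d5eec3f4",
            "Attachments": [{"InstanceId": "i-077af5f2ecb89c2ad",
                             "Device": "/dev/xvdb", "State": "attached"}],
        },
    ]
}


def audit_volumes(describe_output, instance_id):
    """Return one finding per volume attached to instance_id, sorted by device."""
    findings = []
    for vol in describe_output.get("Volumes", []):
        for att in vol.get("Attachments", []):
            if att.get("InstanceId") != instance_id:
                continue  # volume belongs to another instance
            findings.append({
                "volume_id": vol["VolumeId"],
                "device": att.get("Device"),
                "attached": att.get("State") == "attached",
                "encrypted": bool(vol.get("Encrypted")),
                "kms_key_id": vol.get("KmsKeyId"),  # absent on unencrypted volumes
            })
    return sorted(findings, key=lambda f: f["device"] or "")


def unencrypted_devices(describe_output, instance_id):
    """Devices on instance_id still backed by an unencrypted volume (empty means all encrypted)."""
    return [f["device"] for f in audit_volumes(describe_output, instance_id) if not f["encrypted"]]


if __name__ == "__main__":  # real JSON on stdin if piped, otherwise the constructed sample
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE_VOLUMES
    print(json.dumps(audit_volumes(data, sys.argv[1] if len(sys.argv) > 1 else "i-077af5f2ecb89c2ad"), indent=2))
```

On the sample data the root device /dev/xvda is reported as unencrypted, which is why the encrypted copy is attached on /dev/xvdb rather than replacing it.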
Cleanup
- detach and delete ec2-vol-encrypt
aws ec2 detach-volume --volume-id vol-08e4cd64f0208e4f0
aws ec2 delete-volume --volume-id vol-08e4cd64f0208e4f0
- delete ec2-snap-unencrypt
aws ec2 delete-snapshot --snapshot-id snap-026d48b0db0f94561
- delete ec2-snap-encrypt
aws ec2 delete-snapshot --snapshot-id snap-0ffad4354d5eec3f4
- terminate EC2 Instance
aws ec2 terminate-instances --instance-ids i-077af5f2ecb89c2ad
What we have done so far
We have successfully demonstrated how to do EBS Volume encryption with the AWS Command Line Interface (CLI) using an AWS Managed Key.