In this article, I am going to show you how to encrypt the EBS volume of the EC2 instance behind an already launched Cloud9 environment, using an AWS managed key.
What is AWS Cloud9?
AWS Cloud9 is an integrated development environment, or IDE. It runs in a web browser on your local computer, which connects to your AWS Cloud9 environment. When you create a Cloud9 environment, an EC2 instance is launched for it. You can store all of your project's files locally in the Cloud9 environment, on that server, or in a remote AWS CodeCommit repository that you clone into your environment.
What is Amazon Elastic Compute Cloud (Amazon EC2)?
Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud.
These are some of the EC2 features that are going to be explored in this article:
1. Instance: A virtual computing server in the AWS Cloud.
2. Amazon Machine Image (AMI): You launch an instance from a pre-configured template called an Amazon Machine Image (AMI). The AMI provides the operating system and additional software.
3. Amazon Elastic Block Store (Amazon EBS): A block-level, persistent storage volume attached to an EC2 instance in the same Availability Zone. It can be used like a physical hard drive, including as the root volume. You can attach multiple EBS volumes to a single instance, but the volume and the instance must be in the same Availability Zone.
4. Regions and Availability Zones: Physical locations for your resources, such as instances and Amazon EBS volumes.
What are AWS Managed Keys?
AWS managed keys are KMS keys in your account that are created, managed, and used on your behalf by an AWS service integrated with AWS KMS (in this article, EBS).
- They can be identified by their aliases, which have the format aws/service-name (here, aws/ebs).
- They are automatically rotated every year; you cannot change their rotation schedule.
- There is no monthly fee.
- By default, an AWS KMS key uses symmetric encryption, where the same key is used for encryption and decryption.
Please visit my GitHub Repository for EBS articles on various topics, which is updated on a constant basis.
Let’s get started!
Objectives:
1. Create and Locate the EC2 and EBS instance of Cloud9 Environment
2. Create a snapshot of the EBS volume
3. Copy snapshot (unencrypted) to an encrypted copy using AWS Managed Key
4. Create a new EBS volume from the encrypted snapshot in the same Availability Zone as your EC2 instance
5. Stop the (unencrypted) EC2 instance of the Cloud9 environment
6. Detach existing (unencrypted) volume from the Amazon Instance
7. Attach the new (encrypted) volume to the Amazon EC2 instance
8. Restart the encrypted EC2 instance
Pre-requisites:
- AWS user account with admin access, not a root account.
- Cloud9 IDE with AWS CLI.
Resources Used:
Create an EC2 environment with the console
Encrypt an existing Amazon EBS volume used by AWS Cloud9
Steps for implementation to this project:
1. Create and Locate the EC2 and EBS instance of Cloud9 Environment
In AWS Cloud9 Console / Create environment / Under Details /
Name: test
Create
You have to wait 3-4 minutes for the Cloud9 environment to finish being created.
Cloud9 environment - test
Volume for "test" Cloud9 environment - not encrypted
From the EC2 Console / Choose Volumes /
name it as test-volume
Note (from the EC2 Console):
1. Take note of the Device name - /dev/xvda, and
2. the Availability Zone - us-east-1f
2. Create a snapshot of the EBS volume
On the EC2 console / Under Elastic Block Store / choose Snapshots / Create snapshot / Under Create snapshot / Snapshot settings /
Resource type: Volume
Volume ID: select the existing volume - test-volume
Create snapshot
- name it as test-snap-unencrypt
3. Copy snapshot (unencrypted) to an encrypted copy using AWS Managed Key
On Amazon EC2 console / choose Snapshots / Select the Snapshot that you just now created / Under Actions drop-down / Select copy snapshot / Under Copy snapshot
Encryption: Check the box for Encrypt this snapshot
KMS key: select aws/ebs
Copy snapshot
- name it as test-snap-encrypt
- Wait till Snapshot status shows Completed
4. Create a new EBS volume from the encrypted snapshot in the same Availability Zone as your EC2 instance
New EBS volumes that are created from encrypted snapshots are automatically encrypted.
For Availability Zone, choose the Availability Zone in which to create the volume. A volume can be attached only to instances that are in the same Availability Zone.
On Amazon EC2 console / choose Snapshots / Select the encrypted Snapshot that you just now created / Under Actions drop-down / Select Create volume from snapshot / Under Volume settings
Availability Zone: Choose the same Availability Zone where the EC2 Instance for Cloud9 is - us-east-1f
Create volume
From the EC2 Console / Choose Volumes /
name it as test-volume-encrypt
5. Stop the (unencrypted) EC2 instance of the Cloud9 environment
On the Amazon EC2 console/ Check the box for EC2 instance of Cloud9 environment test / Under Instance state / Stop instance
Stop
- Wait till Instance status shows Stopped
6. Detach existing (unencrypted) volume from the Amazon Instance
On the Amazon EC2 console/ Under Elastic Block Store / Volumes / Choose test-volume (unencrypted) / Under Actions / Detach volume
Note:
1. Attached instances - Nil and
2. Encryption - Not Encrypted
7. Attach the new (encrypted) volume to the Amazon EC2 instance
Note: The volume must be attached to an instance in the same Availability Zone.
On EC2 console / Under Elastic Block Store / Check the box test-volume-encrypt / Under Actions drop-down / Attach Volume
Under Attach volume / Under Basic details / Instance / select "Cloud9 test instance" which is stopped /
Availability Zone: us-east-1f (is already selected)
Device name: /dev/xvda (which is noted from Step 1)
Attach volume
Note:
1. Attached instances - shows the aws-cloud9 instance attached at device /dev/xvda
2. Encryption - Encrypted
3. Availability Zone - us-east-1f
- From the EC2 Console: Instance state - Stopped
- From the EC2 Console / Under Storage tab:
Device name: /dev/xvda
Attachment status: Attached
Encrypted: Yes
8. Restart the encrypted EC2 instance
On the Amazon EC2 console/ Check the box for EC2 instance of Cloud9 environment test / Under Instance state / Start instance
- Wait till Instance status shows Running
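The console procedure above, steps 2 through 8, expressed as an AWS CLI script. This is an added example, not code from the original article; it assumes a configured AWS CLI, takes the instance and volume ids found in step 1 as arguments, and uses the article's device name, region and Availability Zone as defaults.

```shell
#!/usr/bin/env bash
# Added example, not from the article: steps 2-8 driven by the AWS CLI. Assumes a configured
# CLI; the instance and volume ids come from step 1. /dev/xvda, us-east-1 and us-east-1f are
# the article's values. AWS can be pointed at a stub command for a dry run.
set -eu
AWS=${AWS:-aws}
# Step 2: snapshot the unencrypted volume; prints the snapshot id
create_snapshot() {
  $AWS ec2 create-snapshot --volume-id "$1" --description test-snap-unencrypt \
    --query SnapshotId --output text
}
# Step 3: copy the snapshot, encrypting the copy under the AWS managed key aws/ebs
copy_snapshot_encrypted() {
  $AWS ec2 copy-snapshot --source-region "$2" --source-snapshot-id "$1" \
    --encrypted --kms-key-id alias/aws/ebs --query SnapshotId --output text
}
# Step 4: a volume from an encrypted snapshot is encrypted automatically; it must be in the instance's AZ
create_volume_from_snapshot() {
  $AWS ec2 create-volume --snapshot-id "$1" --availability-zone "$2" \
    --query VolumeId --output text
}
# Steps 5-8: stop, detach the old volume, attach the new one at the same device, start
swap_root_volume() {
  local instance=$1 old_vol=$2 new_vol=$3 device=${4:-/dev/xvda}
  $AWS ec2 stop-instances --instance-ids "$instance"
  $AWS ec2 wait instance-stopped --instance-ids "$instance"
  $AWS ec2 detach-volume --volume-id "$old_vol"
  $AWS ec2 wait volume-available --volume-ids "$old_vol"
  $AWS ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance" --device "$device"
  $AWS ec2 wait volume-in-use --volume-ids "$new_vol"
  $AWS ec2 start-instances --instance-ids "$instance"
  $AWS ec2 wait instance-running --instance-ids "$instance"
}
# Check: prints "True <kms-key-arn>" for an encrypted volume, "False None" otherwise
volume_encryption() {
  $AWS ec2 describe-volumes --volume-ids "$1" \
    --query 'Volumes[0].[Encrypted,KmsKeyId]' --output text
}
# Whole procedure: migrate <instance-id> <unencrypted-volume-id> [region] [zone]
migrate() {
  local instance=$1 old_vol=$2 region=${3:-us-east-1} zone=${4:-us-east-1f} snap enc new_vol
  snap=$(create_snapshot "$old_vol")
  $AWS ec2 wait snapshot-completed --snapshot-ids "$snap"
  enc=$(copy_snapshot_encrypted "$snap" "$region")
  $AWS ec2 wait snapshot-completed --snapshot-ids "$enc"
  new_vol=$(create_volume_from_snapshot "$enc" "$zone")
  $AWS ec2 wait volume-available --volume-ids "$new_vol"
  swap_root_volume "$instance" "$old_vol" "$new_vol"
  volume_encryption "$new_vol"
}
```

Source the script and call `migrate <instance-id> <volume-id>`; the last line printed should read True followed by the ARN of the aws/ebs key, which is the same check as the Encrypted: Yes shown in the Storage tab above.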
Cleanup
- Delete Cloud9 environment test
- Delete Volumes for test
- Delete Snapshots for test
What we have done so far
First, we encrypted a snapshot of the existing unencrypted Amazon EBS volume used by the AWS Cloud9 EC2 instance with an AWS managed key, and created a new volume from that encrypted snapshot.
Next, after stopping the EC2 instance, we detached the unencrypted volume and attached the encrypted volume in its place.
Lastly, we started the Cloud9 EC2 instance with its now encrypted volume.