Amazon EBS encryption
Use Amazon EBS encryption as a straightforward encryption solution for the Amazon EBS resources attached to your Amazon EC2 instances. With Amazon EBS encryption, you do not need to build, maintain, and secure your own key management infrastructure. Amazon EBS encryption creates encrypted volumes and snapshots using AWS KMS keys. The servers that host EC2 instances perform the encryption, protecting both data at rest on the volume and data in transit between an instance and its attached EBS storage.
It is possible to simultaneously attach encrypted and unencrypted volumes to an instance. All Amazon EC2 instance types are compatible with Amazon EBS encryption.
Use encryption to safeguard EBS resources
To encrypt EBS volumes, you can either use encryption by default or enable encryption when you create a volume that you want to encrypt. When encrypting a volume, you can specify which symmetric encryption KMS key should be used. If no KMS key is provided, the KMS key that is used is determined by the ownership and encryption status of the source snapshot.
It is not possible to change the KMS key associated with an existing snapshot or volume. However, you can link a different KMS key during a snapshot copy process to guarantee that the resulting copied snapshot is encrypted using the new KMS key.
When a blank volume is created, encrypt it
You can encrypt a newly created, empty EBS volume by enabling encryption for that specific volume creation operation. If you have EBS encryption by default enabled, the volume is automatically encrypted using your default KMS key. Alternatively, you can select a different symmetric encryption KMS key for that specific volume creation. Because the volume is encrypted from the moment it is first made available, your data is always protected. By default, the KMS key you select when creating a volume is also used to encrypt the snapshots you take from that volume and the volumes you restore from those encrypted snapshots. Because an encrypted volume or snapshot cannot be made unencrypted, a volume restored from an encrypted snapshot, or a copy of an encrypted snapshot, is always encrypted.
Public snapshots of encrypted volumes are not supported; however, you can share an encrypted snapshot with specific accounts.
Unencrypted resources should be encrypted
It is not possible to directly encrypt existing unencrypted volumes or snapshots. However, you can create encrypted volumes or snapshots from unencrypted ones. If you have encryption by default enabled, Amazon EBS automatically encrypts new volumes and snapshots using your default KMS key for EBS encryption. Otherwise, you can enable encryption when creating an individual volume or snapshot, using either the default KMS key for Amazon EBS encryption or a symmetric customer managed encryption key. To encrypt a snapshot copy with a customer managed key, you must turn on encryption for the copy and supply that KMS key.
You can also apply a new encryption state when you launch an instance from an EBS-backed AMI. This is possible because, as noted above, EBS-backed AMIs are backed by snapshots of EBS volumes, and those snapshots can be encrypted.
Requirements for Amazon EBS encryption
Before you begin, make sure the following requirements are met.
Situations
- Volume types that are supported
- Supported instance types
- Permissions of users
- Instance-specific permissions
Volume types that are supported
Encryption is supported by all EBS volume types. You can expect the same IOPS performance on encrypted volumes as on unencrypted volumes with minimal latency impact. Accessing encrypted volumes is the same as accessing unencrypted volumes. Since encryption and decryption are done transparently, neither you nor your apps need to do anything more.
Supported instance types
Amazon EBS encryption is supported by all instance types, both current and previous generations.
Permissions for users
When you use a KMS key for EBS encryption, the KMS key policy allows any user with the required AWS KMS permissions to use that key to encrypt or decrypt EBS resources. To use EBS encryption, you must allow users to perform the following actions:
- kms:CreateGrant
- kms:Decrypt
- kms:DescribeKey
- kms:GenerateDataKeyWithoutPlainText
- kms:ReEncrypt
For example, the following policy statement allows kms:CreateGrant on a specific key only when the grant is being created for an AWS resource:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": [
                "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}
Instance-specific permissions
Each time an instance attempts to interact with an encrypted AMI, volume, or snapshot, a KMS key grant is issued to the instance's identity-only role. The identity-only role is an IAM role that the instance uses to interact with encrypted AMIs, volumes, or snapshots on your behalf. Identity-only roles can be added or withdrawn manually and are not subject to any policies. The credentials of an identity-only role are also not available.
Identity-only roles are subject to service control policies (SCPs) and KMS key policies. If an SCP or KMS key policy restricts an identity-only role from accessing a KMS key, you may not be able to launch EC2 instances with encrypted volumes, encrypted AMIs, or encrypted snapshots.
If you use AWS global condition keys such as aws:SourceIp, aws:SourceVpc, or aws:SourceVpce to build an SCP or key policy that restricts access based on network location, make sure that identity-only roles are exempt from those policy statements.
Identity-only role ARNs use the following format:
arn:aws-partition:iam::account_id:role/aws:ec2-infrastructure/instance_id
When a key grant is issued to an instance, it is issued to the assumed-role session that is unique to that instance. The grantee principal ARN uses the following format:
arn:aws-partition:sts::account_id:assumed-role/aws:ec2-infrastructure/instance_id
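The two policy situations above (a user statement that allows kms:CreateGrant only when the grant is for an AWS resource, and a network-location restriction that must exempt identity-only roles) can be reasoned about with a small evaluator. The following is an added example, not AWS code or a library: it models only Allow/Deny, Action and Resource wildcards, and the Bool, IpAddress/NotIpAddress and ArnLike/ArnNotLike operators. The key ARN is the one in the policy above; the account, instance ID, and IP ranges are constructed, and exempting identity-only roles with ArnNotLike on aws:PrincipalArn is this example's assumption rather than a pattern the page gives.

```python
import fnmatch
import ipaddress

# Key ARN from the policy on this page; the role/instance IDs below are constructed.
KEY_ARN = "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"

# The five KMS actions the page lists as required for EBS encryption users.
EBS_KMS_ACTIONS = ["kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
                   "kms:GenerateDataKeyWithoutPlainText", "kms:ReEncrypt"]

# Identity-only role ARN format from the page, with wildcards for account and instance.
IDENTITY_ONLY_ROLE_PATTERN = "arn:aws:iam::*:role/aws:ec2-infrastructure/*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """All operator/key pairs must hold. A key absent from the request context makes
    the condition false, as for the plain (non-IfExists) IAM operators modelled here."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "Bool":
                ok = str(actual).lower() == str(expected[0]).lower()
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c, strict=False)
                               for c in expected)
                ok = in_range if operator == "IpAddress" else not in_range
            elif operator in ("ArnLike", "ArnNotLike"):
                # Simplification: real ArnLike matches each colon-separated ARN field separately.
                like = any(fnmatch.fnmatchcase(actual, p) for p in expected)
                ok = like if operator == "ArnLike" else not like
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Explicit Deny wins; otherwise at least one matching Allow is needed."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Scenario 1: user permissions. kms:CreateGrant carries the page's
# kms:GrantIsForAWSResource condition; the other four actions are unconditional.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:CreateGrant", "Resource": [KEY_ARN],
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}},
        {"Effect": "Allow", "Action": EBS_KMS_ACTIONS[1:], "Resource": [KEY_ARN]},
    ],
}


def user_can_create_grant(grant_is_for_aws_resource):
    ctx = {"kms:GrantIsForAWSResource": grant_is_for_aws_resource}
    return is_allowed(USER_POLICY, "kms:CreateGrant", KEY_ARN, ctx)


def missing_ebs_actions(policy, key_arn):
    """Required actions a policy fails to grant, assuming the grant request
    originates from an AWS service (kms:GrantIsForAWSResource = true)."""
    ctx = {"kms:GrantIsForAWSResource": True}
    return [a for a in EBS_KMS_ACTIONS if not is_allowed(policy, a, key_arn, ctx)]


# Scenario 2: a constructed network-location restriction, with and without an
# exemption for identity-only roles (ArnNotLike on aws:PrincipalArn is an assumption).
def network_restricted_policy(exempt_identity_only_roles):
    deny = {"Effect": "Deny", "Action": "kms:*", "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
    if exempt_identity_only_roles:
        deny["Condition"]["ArnNotLike"] = {"aws:PrincipalArn": IDENTITY_ONLY_ROLE_PATTERN}
    allow = {"Effect": "Allow", "Action": EBS_KMS_ACTIONS, "Resource": KEY_ARN}
    return {"Version": "2012-10-17", "Statement": [deny, allow]}


# Constructed request context: an instance's identity-only role calling from an
# address outside the allowed range, the situation the page warns about.
INSTANCE_CONTEXT = {
    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/aws:ec2-infrastructure/i-0123456789abcdef0",
    "aws:SourceIp": "198.51.100.7",
}


def instance_can_decrypt(exempt_identity_only_roles):
    policy = network_restricted_policy(exempt_identity_only_roles)
    return is_allowed(policy, "kms:Decrypt", KEY_ARN, INSTANCE_CONTEXT)


if __name__ == "__main__":
    print("user CreateGrant via service / directly:",
          user_can_create_grant(True), user_can_create_grant(False))
    print("instance Decrypt without / with exemption:",
          instance_can_decrypt(False), instance_can_decrypt(True))
```

Without the ArnNotLike exemption, the Deny statement matches the instance's identity-only role session and kms:Decrypt fails, which is exactly the launch failure the text describes; with the exemption, the Deny no longer applies and the Allow statement takes effect, while an ordinary user outside the allowed range is still denied.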
Amazon EBS encryption by default
You can configure your AWS account to enforce the encryption of new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes that are created when you launch an instance, and the snapshots that you create when you copy an unencrypted snapshot. Encryption by default has no effect on existing EBS volumes or snapshots.
Considerations
- Encryption by default is a Region-specific setting. Once you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.
- Amazon EBS encryption by default is supported on all current- and previous-generation instance types.
- Copying a snapshot and re-encrypting it with a new KMS key creates a full (non-incremental) copy of the snapshot, which results in higher storage costs.
- Do not turn on encryption by default while using AWS Server Migration Service (SMS) to migrate servers. If encryption by default is already on and you are experiencing delta replication problems, turn it off. Instead, enable AMI encryption when you create the replication task.
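The two procedures on this page, turning on encryption by default with a chosen KMS key (this section) and converting existing unencrypted volumes by snapshotting them and copying the snapshot with encryption enabled (the "Unencrypted resources should be encrypted" section above), fit together as one audit-and-remediate workflow. The following is an added example, not AWS or boto3 code: the functions take any object that exposes the boto3 EC2 client methods they call, so they run here against the constructed FakeEC2 at the bottom and, unchanged, against a real client created with boto3.client("ec2", region_name=REGION) in an account. The key ARN has the shape of the one in the policy above but is a placeholder, and the volume IDs are constructed.

```python
REGION = "us-east-2"
# Placeholder key ARN (same shape as the one in the policy above); not a real key.
KMS_KEY_ARN = "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"


def ensure_encryption_by_default(ec2, kms_key_id):
    """Turn on encryption by default for this account and Region and pin the default
    key. Returns (was_already_enabled, default_key_now). Existing volumes and
    snapshots are not affected by this setting."""
    was_enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    if not was_enabled:
        ec2.enable_ebs_encryption_by_default()
    key_now = ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)["KmsKeyId"]
    return was_enabled, key_now


def unencrypted_volume_ids(ec2):
    """Volumes in the Region with Encrypted=false (describe_volumes supports the
    'encrypted' filter; a Region with many volumes also needs pagination)."""
    resp = ec2.describe_volumes(Filters=[{"Name": "encrypted", "Values": ["false"]}])
    return [v["VolumeId"] for v in resp["Volumes"]]


def encrypt_via_snapshot_copy(ec2, volume_id, kms_key_id, region):
    """Snapshot an unencrypted volume, then copy the snapshot with Encrypted=True
    and the chosen key. The copy is a full, non-incremental snapshot; a volume
    restored from it is encrypted under kms_key_id. Returns the copy's ID."""
    snap_id = ec2.create_snapshot(VolumeId=volume_id,
                                  Description=f"unencrypted source for {volume_id}")["SnapshotId"]
    # Against a real client, wait for the source snapshot before copying:
    # ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])
    copy = ec2.copy_snapshot(SourceSnapshotId=snap_id, SourceRegion=region,
                             Encrypted=True, KmsKeyId=kms_key_id,
                             Description=f"encrypted copy of {snap_id}")
    return copy["SnapshotId"]


def remediate_region(ec2, kms_key_id, region):
    """Map each unencrypted volume to its new encrypted snapshot."""
    return {vol: encrypt_via_snapshot_copy(ec2, vol, kms_key_id, region)
            for vol in unencrypted_volume_ids(ec2)}


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client, covering only the calls above
    and modelling the rule that an encrypted snapshot can never become unencrypted."""

    def __init__(self, volumes):
        self.volumes = volumes          # {volume_id: is_encrypted}
        self.snapshots = {}             # snapshot_id -> attributes
        self.by_default = False
        self.default_key = "alias/aws/ebs"
        self._counter = 0

    def _new_id(self):
        self._counter += 1
        return f"snap-{self._counter:017x}"

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.by_default}

    def enable_ebs_encryption_by_default(self):
        self.by_default = True
        return {"EbsEncryptionByDefault": True}

    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.default_key = KmsKeyId
        return {"KmsKeyId": KmsKeyId}

    def describe_volumes(self, Filters):
        want = Filters[0]["Values"][0] == "true"
        return {"Volumes": [{"VolumeId": v, "Encrypted": e}
                            for v, e in self.volumes.items() if e == want]}

    def create_snapshot(self, VolumeId, Description=""):
        sid = self._new_id()
        encrypted = self.volumes[VolumeId]
        self.snapshots[sid] = {"SnapshotId": sid, "Encrypted": encrypted,
                               "KmsKeyId": self.default_key if encrypted else None}
        return dict(self.snapshots[sid])

    def copy_snapshot(self, SourceSnapshotId, SourceRegion, Encrypted=False,
                      KmsKeyId=None, Description=""):
        src = self.snapshots[SourceSnapshotId]
        encrypted = Encrypted or src["Encrypted"]   # encrypted sources stay encrypted
        key = (KmsKeyId or self.default_key) if encrypted else None
        sid = self._new_id()
        self.snapshots[sid] = {"SnapshotId": sid, "Encrypted": encrypted, "KmsKeyId": key}
        return {"SnapshotId": sid}


def demo():
    """Run the workflow against a constructed Region with two unencrypted volumes."""
    ec2 = FakeEC2({"vol-0aaa": False, "vol-0bbb": True, "vol-0ccc": False})
    was_enabled, key_now = ensure_encryption_by_default(ec2, KMS_KEY_ARN)
    results = remediate_region(ec2, KMS_KEY_ARN, REGION)
    return ec2, was_enabled, key_now, results


if __name__ == "__main__":
    ec2, was_enabled, key_now, results = demo()
    for vol, snap in results.items():
        print(vol, "->", snap, ec2.snapshots[snap])
```

The original unencrypted volumes are left in place: the workflow produces encrypted snapshots from which replacement volumes can be restored, and the caller decides when to swap them in and retire the originals. Note that each copy is a full snapshot, so the storage cost consideration above applies to every volume processed.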