AWS EBS Encryption Simplified: Protecting Your Cloud Data Effectively
For storing data, AWS offers several services, including S3 and EBS (Elastic Block Store). When we need block devices that can be mounted on instances, with quick access and long-term persistence, we opt for EBS. It is particularly suited to primary storage for databases, file systems and applications that make frequent, fine-grained updates.
EBS volumes are used with services such as EC2 and RDS.
While storing data on EBS we don't need to worry much about running out of space, since a volume can be grown in a few minutes.
But what should we care about when we store data on AWS?
If an attacker gets into the AWS environment, it is easy for them to find and read the data.
One of AWS's core principles is the shared responsibility model:
AWS responsibility: "Security of the Cloud". Customer responsibility: "Security in the Cloud".
Whatever we store on AWS services, it is our responsibility to protect it.
So how do we secure the data?
The same applies to EBS. One way to protect data on an EBS volume is to encrypt the volume. EBS encryption uses AWS KMS keys and covers the data at rest on the volume, the snapshots taken from it, volumes created from those snapshots, and the data moving between the volume and the instance.
In this blog we are going to check how to encrypt EBS volumes in two situations:
- Enable default encryption: encrypting new volumes at creation time.
- Encrypting an existing non-encrypted volume.
Enable Default encryption
By default this setting is disabled when an account is created. It is a per-region setting, so enable it in every region you use. We can enable it easily from the EC2 Dashboard.
Go to EC2 Dashboard → Under Account attributes → Data protection and security → Manage
Once you click Manage, you can enable encryption by selecting the checkbox. One important thing to note here is the KMS key you will be using. Here I have selected the default key (the AWS managed key aws/ebs), but I would suggest creating a customer managed KMS key, and making sure its key policy grants usage to the IAM users or roles that launch instances and create, copy or attach volumes with it (including service roles, such as the one used by Auto Scaling, if they launch instances for you). The application running on the instance does not need KMS permissions itself. A customer managed key can also be shared with other accounts, which the AWS managed key cannot.
Once you have enabled this setting, whenever you create an EC2 instance or a standalone volume in that region, the EBS volume is encrypted with the key above. Volumes that already exist are not changed.
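The same setup, scripted, as an added example that is not code from the original post: it builds the key policy for a customer managed key (account root keeps administration, the named roles may use the key and create the grants EC2 needs), creates the key, turns on encryption by default in one region, and lists the volumes that remain unencrypted. It assumes boto3 is installed and credentials are configured; the account ID, role ARN and alias name are placeholders.

```python
"""Enable EBS encryption by default with a customer managed KMS key.

Added example, not code from the original post. It uses boto3 (assumption:
`pip install boto3` and credentials for the target account); `ec2` and `kms`
are boto3 clients or objects with the same methods. The setting is per
region, so run it once per region you use.
"""
from __future__ import annotations

import json

# Actions a principal needs in the key policy to create and use encrypted
# volumes with this key (the IAM user/role that launches instances and
# creates, copies or attaches volumes, not the instance's application role).
KMS_USE_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]


def build_key_policy(account_id: str, principal_arns: list[str]) -> dict:
    """Key policy for an EBS key: account root keeps administration,
    the listed principals may use the key, and may create the grants
    EC2 needs when attaching an encrypted volume (GrantIsForAWSResource)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableRootAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowUseOfTheKey",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arns},
                "Action": KMS_USE_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "AllowGrantsForAWSResources",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arns},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def create_ebs_key(kms, account_id: str, principal_arns: list[str],
                   alias: str = "alias/ebs-default") -> str:
    """Create the customer managed key with the policy above, turn on
    yearly rotation and give it an alias (placeholder name). Returns the key ARN."""
    policy = json.dumps(build_key_policy(account_id, principal_arns))
    meta = kms.create_key(Description="EBS default encryption key",
                          KeyUsage="ENCRYPT_DECRYPT", Policy=policy)["KeyMetadata"]
    kms.enable_key_rotation(KeyId=meta["KeyId"])
    kms.create_alias(AliasName=alias, TargetKeyId=meta["KeyId"])
    return meta["Arn"]


def region_defaults(ec2) -> dict:
    """Current region-level defaults: is encryption on, and which key."""
    return {
        "enabled": ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"],
        "kms_key_id": ec2.get_ebs_default_kms_key_id()["KmsKeyId"],
    }


def enable_default_encryption(ec2, key_arn: str) -> dict:
    """Turn on encryption by default in this region and set the key.
    Existing unencrypted volumes are not touched."""
    ec2.enable_ebs_encryption_by_default()
    ec2.modify_ebs_default_kms_key_id(KmsKeyId=key_arn)
    return region_defaults(ec2)


def find_unencrypted_volumes(ec2) -> list[str]:
    """IDs of volumes in this region that were created without encryption."""
    ids, kwargs = [], {"Filters": [{"Name": "encrypted", "Values": ["false"]}]}
    while True:
        page = ec2.describe_volumes(**kwargs)
        ids.extend(v["VolumeId"] for v in page["Volumes"])
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]


if __name__ == "__main__":
    import sys
    import boto3  # assumption: installed and configured

    region, account_id, role_arn = sys.argv[1:4]  # e.g. us-east-1 111122223333 arn:aws:iam::111122223333:role/app
    session = boto3.Session(region_name=region)
    key_arn = create_ebs_key(session.client("kms"), account_id, [role_arn])
    ec2 = session.client("ec2")
    print(enable_default_encryption(ec2, key_arn))
    print("still unencrypted:", find_unencrypted_volumes(ec2))
```

The last call is the bridge to the next section: enabling the default protects only volumes created from now on, so the list it prints is the backlog you still have to re-encrypt by hand.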
BUT, what about volumes that were created without encryption?
Encrypting existing Non-Encrypted Volume
It may happen that while creating an EC2 instance or an EBS volume we didn't enable encryption. This is not a problem if we discover it before an attacker or an auditor does ;)
Encrypting a non-encrypted volume is a five step process:
- Take a snapshot of the non-encrypted volume.
- Copy the snapshot, encrypting the copy.
- Create a volume from the encrypted snapshot.
- Stop the EC2 instance and detach the non-encrypted volume.
- Attach the encrypted volume and start the EC2 instance.
As part of this blog, I have done this process in my test environment. I highly recommend performing these steps in your test environment first and testing your application. Only if everything works in test should you proceed to production.
Let’s start encrypting a non-encrypted volume.
As part of this blog, I have spun up an EC2 instance, installed an Apache server on it and added a simple HTML page. One more thing to note is the Availability Zone in which you created the EC2 instance. EBS volumes are zone specific: you cannot attach a volume from AZ-1 to an EC2 instance in AZ-2.
So make sure to note down the Availability Zone of the EC2 instance and its volume; it will make the steps easier.
As you can see in the screenshot above, the volume attached to the EC2 instance is not encrypted.
1. Take snapshot of non-encrypted volume
For this step, go to the EBS volume attached to the EC2 instance. You can do this by selecting the instance in EC2 → Storage tab → click on the corresponding EBS volume, whose ID starts with vol-
In this step it is also good to note down the device name of the volume, in this case /dev/xvda. For a root volume the new volume must later be attached at exactly this name, otherwise the instance will not boot.
You will be taken to the page below, where you can select Actions → Create Snapshot. A snapshot of a volume on a running instance is only crash consistent; if you want the encrypted copy to contain consistent data, stop the instance first (or quiesce the application and sync the file system) before taking it.
You can find the Snapshots section in the left pane of the AWS console. Go to the Snapshots console and sort by creation date (this makes it easy to find the recent snapshot if you have many). You will find the new snapshot with its creation in progress.
After some time, depending on the size, you should see the snapshot status Completed. It means the snapshot was created successfully.
2. Copy & Encrypt Snapshot
Once the snapshot from step one is complete, it is time to copy it and encrypt the copy. To do that, in the Snapshots console, select the snapshot we created earlier → Actions → Copy Snapshot.
During this copy you can encrypt the snapshot. For encryption you can choose the default KMS key or a customer managed KMS key. Make sure the key policy of the KMS key you select grants usage to the user or role performing the copy and to the ones that will later create and attach volumes from it; the application running on the instance does not need KMS permissions itself.
Here I have selected the default KMS key, which can only be used by users and roles belonging to this account.
Click Copy Snapshot; this operation takes some time to complete, depending on the size. After two minutes (in my case) I was able to see the encrypted snapshot available.
3. Create volume from Encrypted Snapshot
Now that we have an encrypted snapshot, we can create the encrypted volume. Select the encrypted snapshot → Actions → Create Volume from Snapshot.
You will get a pop-up after you click Create Volume from Snapshot.
In the first option you can select the volume type: gp2, gp3, io1/io2 etc. I recommend not changing the volume type here. Keep the volume the same as it was before: if the current volume is gp2 keep gp2, if it is gp3 keep gp3 (and keep the same IOPS and throughput for gp3, io1 and io2). Our goal here is to encrypt the volume only, not to play with its performance or other parameters. So if the size was 8 GiB keep 8 GiB; in your case, if it is 100 GiB keep 100 GiB. (A volume created from a snapshot cannot be smaller than the snapshot anyway.)
Next is the Availability Zone: make sure to select the correct one. If your current EC2 instance is in us-east-1a, select us-east-1a. In my case the EC2 instance is in us-east-1f, so I selected us-east-1f.
Click Create Volume. The volume should appear quickly in the Volumes console. As you can see, its state is Available, meaning it is not attached to any instance, while the one above it is In-use, attached to the EC2 instance, but not encrypted.
So our next step is to attach this encrypted volume to the EC2 instance. But before that we need to detach the non-encrypted volume from the instance.
4. Stop EC2 instance & Detach non-encrypted volume
This step causes application downtime, so I suggest communicating with the users who access the application. Better still, run a highly available application behind a Load Balancer and do one server at a time. Note also that stopping an instance releases its public IPv4 address unless it uses an Elastic IP, and discards any instance store data.
In this step we are going to detach the non-encrypted volume. Stop the EC2 instance first; a root volume cannot be detached from a running instance. Go to the corresponding EC2 instance → Instance state → Stop instance.
Once the instance is stopped, go to the volume attached to it. This takes you to the Volumes console; select the volume → Actions → Detach volume. Confirm in the pop-up.
Once done, the volume state should change to Available; you may need to refresh to see the new state.
5. Attach encrypted volume & Start EC2 instance
In this step we attach the encrypted volume to the EC2 instance.
Select the encrypted volume → Actions → Attach volume.
You will get the pop-up below.
In the Instance drop-down, select the instance you stopped in the previous step; you can copy the instance ID from the EC2 console and search for it if there are too many instances in the drop-down. If you cannot see the instance, check the volume's Availability Zone: the EC2 instance and the volume you created from the snapshot may be in different AZs.
In the Device name field, make sure to enter the same name you noted down in step 1. In my case it is /dev/xvda
Click Attach volume.
Once the volume is attached, its state changes to In-use. Note that a volume attached this way has Delete on termination set to No even if the old one had Yes; adjust it from the instance's Storage tab if you rely on that flag.
Go to the EC2 console and start the instance. If the instance does not start, check whether you entered the same device name as before.
Wait for the status checks to finish.
Try accessing your application. In my case I was successfully able to access the application 🚀🚀🚀
Once the application is verified, delete the old non-encrypted volume and the non-encrypted snapshot from step 1 (keep them briefly for rollback if you prefer, but do not forget them). Otherwise a plaintext copy of the data stays in the account and the encryption work is largely undone.
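The five steps above, scripted against the EC2 API, as an added example that is not code from the original post. It reads the facts that must be preserved (AZ, size, type, IOPS, device name, delete-on-termination flag), waits for each stage, refuses to run on a volume that is already encrypted, and verifies the result. It assumes boto3 is installed and credentials are configured; the region, volume ID and key alias passed on the command line are placeholders.

```python
"""Encrypt an existing unencrypted EBS volume, mirroring the console steps.

Added example, not code from the original post. The `ec2` argument is a
boto3 EC2 client (assumption: boto3 installed and configured) or any object
with the same methods. Steps match the post: snapshot, encrypted copy,
new volume in the same AZ, stop and detach, attach at the same device
name and start. The old volume and plain snapshot are left in place for
rollback; delete them once the application is verified.
"""
from __future__ import annotations


def volume_facts(ec2, volume_id: str) -> dict:
    """Everything that must be preserved: AZ, size/type/IOPS, attachment."""
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    attachments = vol.get("Attachments", [])
    if len(attachments) != 1:
        raise RuntimeError(f"{volume_id} must be attached to exactly one instance")
    att = attachments[0]
    return {
        "availability_zone": vol["AvailabilityZone"],
        "size": vol["Size"],
        "volume_type": vol["VolumeType"],
        "iops": vol.get("Iops"),
        "throughput": vol.get("Throughput"),
        "encrypted": vol["Encrypted"],
        "instance_id": att["InstanceId"],
        "device": att["Device"],
        "delete_on_termination": att.get("DeleteOnTermination", False),
    }


def create_volume_kwargs(facts: dict, snapshot_id: str) -> dict:
    """Same AZ, type and size as the old volume; only the encryption changes.
    io1/io2 require IOPS and gp3 keeps its IOPS and throughput; gp2/st1/sc1 take none."""
    kwargs = {
        "AvailabilityZone": facts["availability_zone"],
        "SnapshotId": snapshot_id,
        "Size": facts["size"],
        "VolumeType": facts["volume_type"],
    }
    if facts["volume_type"] in ("io1", "io2", "gp3") and facts["iops"]:
        kwargs["Iops"] = facts["iops"]
    if facts["volume_type"] == "gp3" and facts["throughput"]:
        kwargs["Throughput"] = facts["throughput"]
    return kwargs


def encrypt_volume(ec2, region: str, volume_id: str, kms_key_id: str) -> str:
    """Run the five steps and return the new encrypted volume's ID."""
    facts = volume_facts(ec2, volume_id)
    if facts["encrypted"]:
        raise RuntimeError(f"{volume_id} is already encrypted")
    inst, device = facts["instance_id"], facts["device"]

    # 1. Snapshot the unencrypted volume and wait for it to complete.
    plain = ec2.create_snapshot(VolumeId=volume_id,
                                Description=f"pre-encryption copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[plain])

    # 2. Copy the snapshot, encrypting the copy under the chosen key.
    enc = ec2.copy_snapshot(SourceRegion=region, SourceSnapshotId=plain,
                            Encrypted=True, KmsKeyId=kms_key_id,
                            Description=f"encrypted copy of {plain}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc])

    # 3. Create the encrypted volume in the instance's AZ with the same shape.
    new_vol = ec2.create_volume(**create_volume_kwargs(facts, enc))["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])

    # 4. Stop the instance (a root volume cannot be detached while running)
    #    and detach the old volume.
    ec2.stop_instances(InstanceIds=[inst])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[inst])
    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])

    # 5. Attach the new volume at the same device name, restore the
    #    DeleteOnTermination flag (attach_volume leaves it false) and start.
    ec2.attach_volume(VolumeId=new_vol, InstanceId=inst, Device=device)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol])
    ec2.modify_instance_attribute(
        InstanceId=inst,
        BlockDeviceMappings=[{"DeviceName": device, "Ebs": {
            "VolumeId": new_vol,
            "DeleteOnTermination": facts["delete_on_termination"]}}])
    ec2.start_instances(InstanceIds=[inst])
    ec2.get_waiter("instance_running").wait(InstanceIds=[inst])

    if not volume_facts(ec2, new_vol)["encrypted"]:
        raise RuntimeError("new volume is not encrypted; check the key policy")
    return new_vol


if __name__ == "__main__":
    import sys
    import boto3  # assumption: installed and configured

    region, volume_id, kms_key_id = sys.argv[1:4]  # e.g. us-east-1 vol-0123 alias/ebs-default
    print(encrypt_volume(boto3.client("ec2", region_name=region), region,
                         volume_id, kms_key_id))
```

Run it against one volume at a time, starting in a test account; the stop/start in step 4 and 5 is the downtime window the post warns about, and the waiters are what make the order safe (the old volume is only detached after the encrypted replacement exists and is available in the same AZ).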
I hope you found this blog useful. Happy Cloud Computing 🚀