How to Configure Encryption for EBS Volumes on Existing EC2 Instances
Using Snapshots and EBS Volumes to Secure EC2 Instances
To enhance the security of your EC2 instances, you must ensure that encryption is enabled for EBS volumes. In this demo, we will show you how to configure encryption for EBS volumes on existing EC2 instances.
First, you’ll analyze your snapshots. An encrypted snapshot indicates an encrypted EBS volume. If a snapshot is unencrypted (found in the snapshot’s Description tab), you need to create a new volume off of that snapshot. When you create a new volume, you have the option to apply encryption to the volume with a key of your choice. Once this new, encrypted EBS volume is created, you will attach it to your EC2 instance. Now, the encryption from the EBS volume will be applied to the EC2 instances.
For a visual guide to enabling encryption for EBS volumes, watch the full demo.
Amazon documentation points out that you can only configure the encryption setting at the time that you create the volume. If you need to retroactively apply encryption to an already existing EBS volume, the process to do that is to first create a snapshot and then create a volume off of the snapshot and encrypt that volume going forward. So, we’ll demonstrate that here.
Let’s go over to our “Snapshots.” We already created our snapshot offline. We can confirm that this is an unencrypted volume because the snapshot, itself, is also unencrypted. When you do create an encrypted EBS volume and then create a snapshot of that, the snapshot itself, will also be encrypted. There’s just no other way around that.
So, with our unencrypted volume that we created, we will come up here, select “Actions,” “Create Volume,” and now you can see that we do have the option, at the time of creating this volume, to apply encryption. We will select our key that we’ll use to protect the volume key that’s actually used to perform the encryption. We’ll add a tag to this, Encryption Enabled, just to call it something different. Sure enough, we created our volume. If we click on the settings, we will see that it is, indeed, encrypted at this point. Then, we would just reattach this volume to our EC2 instance and bring the instance back online, again. From that point forward, EBS volume encryption will be applied to the EC2 instance.