Steps to Encrypt EBS Data with AWS KMS

Encrypting your Amazon Elastic Block Store (EBS) volumes using AWS Key Management Service (KMS) enhances data security by managing encryption keys. Here's a concise guide to get you started.

Prerequisites

• An active AWS account.
• An EC2 instance. Refer to the "Launching an EC2 Instance into a Public Subnet" recipe if needed.
• A KMS key. Follow the "Creating Keys in KMS" recipe from Chapter 5 to create one.
• An IAM user with administrative permissions and a configured CLI profile (e.g., Adminuserprofile).

Steps to Enable EBS Encryption

1. Navigate to EC2 Service:

   • Go to the EC2 Dashboard, and under Elastic Block Store, click on Volumes.

2. Create a Volume:

   • Click on Create Volume.
   • Set Volume type to General Purpose SSD (gp3), Size to 6 GiB, and other options to default.
   • Check the Encrypt this volume option.
   • Select your KMS key from the dropdown list.
   • Click on Create Volume.

3. Create a Snapshot:

   • Select the newly created volume.
   • Click on Actions and select Create Snapshot.
   • Provide a description and click on Create Snapshot.

4. Attach Encrypted Volume to EC2 Instance:

   • Use the AWS CLI to attach the volume:
     aws ec2 attach-volume --volume-id vol-011738e29948788f0 --instance-id i-0921f7d11fa70e9b1 --device /dev/xvdf --profile adminuser

5. Verify Encryption:

   • Connect to the EC2 instance and run:
     lsblk
   • Confirm the encrypted volume is listed.

How It Works

When you create a KMS key, it secures your EBS volumes by encrypting data during instance creation or modification. For existing data, creating a snapshot initiates encryption, which is applied to new volumes created from that snapshot, ensuring data remains secure.

Additional Tips

• Automate encryption steps using AWS CLI or SDKs.
• Always back up critical data before starting the encryption process to ensure data integrity.

References

• AWS KMS Documentation
• Amazon EBS Documentation