2
votes

Working on a CloudFormation script which will create a simple EC2 instance. Here I want to encrypt the root volume at the time of launch. It's possible to create a separate EBS volume, encrypt it and attach it as the boot volume, but I couldn't find a way to encrypt it while launching. Any way to do this?

Thanks in advance

2
I don't think there is any way to do this if you are starting with an unencrypted AMI. You need to create an AMI from a system with an encrypted volume, then you could simply tell CloudFormation to use that AMI. - Mark B

2 Answers

10
votes

It looks like AWS has recently released a feature to launch an instance with an encrypted volume based on a non-encrypted AMI: Launch encrypted EBS backed EC2 instances from unencrypted AMIs in a single step

From the CloudFormation perspective, you need to overwrite the AMI block device configuration. So, for example, you can write it like this:

```yaml
# Override the AMI's root device mapping so the root volume is created encrypted
BlockDeviceMappings:
  - DeviceName: "/dev/xvda"
    Ebs:
      VolumeSize: 8
      Encrypted: true
```

This will start an instance with an encrypted root EBS volume from a non-encrypted AMI, using the default KMS key.

0
votes

We can't encrypt the root volume during the launch. Here is what you need to do.

  1. Always use custom KMS keys.
  2. If you have the unencrypted AMI, just copy the AMI to the same region and use the encrypt option there.
  3. Then use that AMI in your CloudFormation.
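Both answers come down to the same two checks on a template: the root device mapping must set `Encrypted`, and (per the second answer) it should name a customer-managed key rather than fall back to the default KMS key. The audit helper below is an added example, not code from either answer; the template, the `RootVolumeKey` logical id and the `ami-PLACEHOLDER` value are constructed for illustration, and `/dev/xvda` is assumed to be the root device name as in the first answer.

```python
"""Check that every AWS::EC2::Instance in a parsed CloudFormation template
launches with an encrypted root volume under a customer-managed KMS key.
Hypothetical audit helper; works on the template as a plain dict."""

ROOT_DEVICE = "/dev/xvda"  # assumed root device name, as in the answer above


def _truthy(value):
    # CloudFormation accepts both YAML booleans and the strings 'true'/'false'.
    return str(value).lower() == "true"


def audit_instance(logical_id, props, root_device=ROOT_DEVICE):
    """Return a list of findings for one instance (empty list means it passes)."""
    findings = []
    mappings = props.get("BlockDeviceMappings", [])
    root = next((m for m in mappings if m.get("DeviceName") == root_device), None)
    if root is None:
        # No override: the root volume keeps whatever the AMI snapshot had.
        findings.append(f"{logical_id}: no mapping for {root_device}, root inherits AMI setting")
        return findings
    ebs = root.get("Ebs", {})
    if not _truthy(ebs.get("Encrypted", "false")):
        findings.append(f"{logical_id}: root volume is not encrypted")
    if "KmsKeyId" not in ebs:
        # Encrypted but no key given: EBS uses the account's default key.
        findings.append(f"{logical_id}: root volume uses the default KMS key")
    return findings


def audit_template(template):
    """Run audit_instance over every EC2 instance resource in the template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::EC2::Instance":
            findings.extend(audit_instance(logical_id, res.get("Properties", {})))
    return findings


# Constructed sample template: one instance per configuration discussed above.
SAMPLE_TEMPLATE = {"Resources": {
    "Unmapped": {"Type": "AWS::EC2::Instance",
                 "Properties": {"ImageId": "ami-PLACEHOLDER"}},
    "DefaultKey": {"Type": "AWS::EC2::Instance", "Properties": {"BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": "8", "Encrypted": "true"}}]}},
    "CustomKey": {"Type": "AWS::EC2::Instance", "Properties": {"BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8, "Encrypted": True,
                                            "KmsKeyId": {"Ref": "RootVolumeKey"}}}]}},
}}

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(finding)
```

Only the `CustomKey` instance passes; the first two produce one finding each.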