How to Configure Encryption for EBS Volumes on New EC2 Instances

2 Ways to Apply Encryption to New EC2 Instances 
Encrypting EBS volumes protects data at rest: the volume, the snapshots taken from it, and the data moving between the volume and the instance are encrypted with keys held in AWS KMS. Encryption is a property a volume gets when it is created, so for a new EC2 instance the place to turn it on is at launch. In this demo, we will show you two ways to configure encryption for EBS volumes on new EC2 instances.

The first option starts on the EC2 Dashboard. Navigate to Launch Instance then walk through the following steps: 

  1. Choose AMI 
  2. Choose Instance Type
  3. Configure Instance
  4. Add Storage (This step is where you apply encryption: for each volume, check the Encrypted box and choose the KMS key, either the AWS-managed aws/ebs key or a customer managed key you control.) 
  5. Add Tags
  6. Configure Security Group 
  7. Review and Launch 

A second option is to turn on encryption by default, so that every new EBS volume created in that AWS Region is encrypted whether or not the launch request asks for it. This is a per-Region setting, and it does not change volumes that already exist. To configure this default, complete the following steps: 

  1. On the EC2 Dashboard, find Account Attributes, then click EBS Encryption
  2. Select Manage, then check Always Encrypt New EBS Volumes and specify the Default Encryption Key

For a visual guide to enabling encryption for EBS volumes, watch the full demo. 

Transcription 
In this video, we’ll talk through configuring encryption for Amazon Elastic Block Store. First, let’s bring up our technology stack diagram, here, for just a minute and describe where this encryption is happening within our technology stack. This is happening, here, at the hypervisor level, so it’s beneath our operating system, meaning everything above the point of encryption sees unencrypted data. Now, if that is okay for your encryption use, then EBS encryption is a fine place to apply encryption. Other places you might consider, based on risk, are up here at our application, within our database, or maybe being performed by our operating system directly, but those are considerations to be made by our architects. 

A couple of points to make about EBS encryption before we actually show how to do this. You can only do this at the time when you create the volume. We see that here in the documentation. If you’re going to apply this retroactively to an existing system, you have to take a snapshot, then create a new volume from the snapshot, encrypting that volume, and attach it to the instance. The other thing, here, is that this will use a key out of AWS KMS. The way that key is actually used is that EBS encryption will create a volume key, per the documentation. That volume key is used to encrypt the data. Then, the KMS key is actually used to encrypt the volume key. That is how KMS is used – whether it’s in S3, RDS, or whatever – across all the different ways in which KMS is used by various Amazon services. 

Let’s go to our dashboard and we will demonstrate setting this up for a new system. Let’s go ahead and launch an instance. We will make this an Ubuntu instance. We’re just going to do it all free tier here. Configure the instance details. We’re going to leave that page alone. Here, on our storage page, we’ll set our size and the type of hardware to back that up. Then, we will establish our encryption. You see, here, that we have an aws/ebs key. This is an Amazon-managed key. It does show up in our KMS console, but there’s not a lot we can do with it because it is one that is managed directly by Amazon. Then, we have a couple of other keys that we can also choose. We’re just going to go ahead and take the aws/ebs key. Then, let’s go ahead and add a tag – Encrypted Instance. We will configure a security group because a good security practice is that the default security group has no access. So, we’re going to set this up to use our already-existing SSH Access security group. Review this and that all looks great. We will go ahead and launch. I need to specify my key to use and now the instance will be launched. Let’s view our instances and, sure enough, we have our encrypted instance. If we take a look at “Storage,” we will see that this volume is, indeed, encrypted. 

Now, there is also a way to set that up as a default, so that all EC2 instances that are created are created with the encryption option enabled. To do that, on our EC2 Dashboard we’ll go to the “Account Attributes” and we’ll click on “EBS Encryption.” Then, we enable that and specify the key that we want used. In this case, it’s going to be our aws/ebs key. Update those settings and now, from this point forward, all EC2 instances that we create will use those EC2 settings. That concludes this video and if you have any questions, of course, on anything related to AWS security, feel free to reach out to anybody here at KirkpatrickPrice. 
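The two console procedures from the list above (encrypting at the Add Storage step, and the Region-wide EBS Encryption default) and the snapshot-and-recreate route the transcript describes for an existing volume, expressed as EC2 API calls, with an audit that finds volumes still left unencrypted. This is an added example written for this page, not KirkpatrickPrice’s code: it uses the boto3 method names, but runs offline against a small fake client with a constructed inventory, and the AMI, security group, instance and volume IDs, device name, key alias and Region in it are placeholder assumptions.

```python
"""Added worked example (not KirkpatrickPrice's code): the page's console
procedures as EC2 API calls, plus an audit for volumes that are still
unencrypted.  Every function takes an `ec2` client, so it runs against a real
boto3.client("ec2") or the offline FakeEC2 below.  All IDs, the device name
and the Region are placeholders (assumptions), not real resources."""
import itertools

KMS_KEY = "alias/aws/ebs"   # the AWS-managed key chosen in the demo


def encrypted_run_instances_args(ami_id, key_name, security_group_ids,
                                 kms_key_id=KMS_KEY, instance_type="t2.micro"):
    """Kwargs for ec2.run_instances(): what the Add Storage step's Encrypted
    checkbox sets.  Encrypted=True on the root mapping encrypts the volume at
    creation even though the AMI's snapshot is not; KmsKeyId picks the key.
    Root device /dev/sda1 is assumed (Ubuntu AMIs)."""
    return {
        "ImageId": ami_id, "InstanceType": instance_type,
        "MinCount": 1, "MaxCount": 1, "KeyName": key_name,
        "SecurityGroupIds": security_group_ids,   # an SSH-only group, not default
        "BlockDeviceMappings": [{
            "DeviceName": "/dev/sda1",
            "Ebs": {"Encrypted": True, "KmsKeyId": kms_key_id,
                    "DeleteOnTermination": True},
        }],
        "TagSpecifications": [{"ResourceType": "instance", "Tags": [
            {"Key": "Name", "Value": "Encrypted Instance"}]}],
    }

def enable_encryption_by_default(ec2, kms_key_id=None):
    """Account Attributes -> EBS Encryption -> Always encrypt new EBS volumes.
    Per-Region, and only volumes created afterwards are affected.  Returns what
    the API reports back so the caller can verify the change took."""
    ec2.enable_ebs_encryption_by_default()
    if kms_key_id:                       # otherwise aws/ebs stays the default
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)
    return (ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"],
            ec2.get_ebs_default_kms_key_id()["KmsKeyId"])

def encrypt_existing_volume(ec2, volume_id, instance_id, device, az,
                            kms_key_id=KMS_KEY):
    """A volume cannot be encrypted in place: snapshot it, create an encrypted
    volume from the snapshot, swap the attachment.  With a real client, stop the
    instance first and wait on the snapshot_completed / volume_available waiters
    between steps (omitted here).  The old volume is left for cleanup."""
    snap = ec2.create_snapshot(VolumeId=volume_id)["SnapshotId"]
    new_vol = ec2.create_volume(AvailabilityZone=az, SnapshotId=snap,
                                Encrypted=True, KmsKeyId=kms_key_id)["VolumeId"]
    ec2.detach_volume(VolumeId=volume_id)
    ec2.attach_volume(VolumeId=new_vol, InstanceId=instance_id, Device=device)
    return new_vol

def unencrypted_volumes(ec2):
    """[(volume_id, attached instance or None)] for every Encrypted=False
    volume in the Region, following NextToken so large accounts are covered."""
    found, token = [], None
    while True:
        page = ec2.describe_volumes(**({"NextToken": token} if token else {}))
        for v in page["Volumes"]:
            if not v.get("Encrypted"):
                att = v.get("Attachments", [])
                found.append((v["VolumeId"], att[0]["InstanceId"] if att else None))
        token = page.get("NextToken")
        if not token:
            return found

class FakeEC2:
    """Offline stand-in for boto3.client("ec2") holding a constructed inventory:
    one unencrypted volume attached to i-0aaa and one already-encrypted volume."""
    def __init__(self):
        self._ids, self.by_default, self.default_key = itertools.count(1), False, KMS_KEY
        self.volumes = {
            "vol-0aaa": {"VolumeId": "vol-0aaa", "Encrypted": False,
                         "Attachments": [{"InstanceId": "i-0aaa", "Device": "/dev/sda1"}]},
            "vol-0bbb": {"VolumeId": "vol-0bbb", "Encrypted": True, "Attachments": []},
        }
    def _new(self, prefix): return f"{prefix}-{next(self._ids):017x}"
    def enable_ebs_encryption_by_default(self): self.by_default = True
    def get_ebs_encryption_by_default(self): return {"EbsEncryptionByDefault": self.by_default}
    def modify_ebs_default_kms_key_id(self, KmsKeyId): self.default_key = KmsKeyId
    def get_ebs_default_kms_key_id(self): return {"KmsKeyId": self.default_key}
    def create_snapshot(self, VolumeId): return {"SnapshotId": self._new("snap")}
    def create_volume(self, AvailabilityZone, SnapshotId=None, Encrypted=False, KmsKeyId=None):
        vid = self._new("vol")   # like EC2, the Region default encrypts when it is on
        self.volumes[vid] = {"VolumeId": vid, "Encrypted": Encrypted or self.by_default,
                             "KmsKeyId": KmsKeyId or self.default_key, "Attachments": []}
        return {"VolumeId": vid}
    def detach_volume(self, VolumeId): self.volumes[VolumeId]["Attachments"] = []
    def attach_volume(self, VolumeId, InstanceId, Device):
        self.volumes[VolumeId]["Attachments"] = [{"InstanceId": InstanceId, "Device": Device}]
    def describe_volumes(self, **_): return {"Volumes": list(self.volumes.values())}


if __name__ == "__main__":
    ec2 = FakeEC2()   # swap for boto3.client("ec2", region_name="us-east-1")
    print(encrypted_run_instances_args("ami-0placeholder", "my-keypair", ["sg-0sshaccess"]))
    print("unencrypted before:", unencrypted_volumes(ec2))
    print("re-encrypted as", encrypt_existing_volume(ec2, "vol-0aaa", "i-0aaa", "/dev/sda1", "us-east-1a"))
    print("default now:", enable_encryption_by_default(ec2))
    print("unencrypted after:", unencrypted_volumes(ec2))
```

To run it for real, point `ec2` at `boto3.client("ec2", region_name=...)` with credentials allowed to call ec2:EnableEbsEncryptionByDefault, ec2:ModifyEbsDefaultKmsKeyId, ec2:CreateSnapshot, ec2:CreateVolume, ec2:DetachVolume, ec2:AttachVolume and ec2:DescribeVolumes, and, for a customer managed key, a key policy that lets EBS use that key. The audit is the check worth running after turning on the default: the default only covers volumes created from that point on, so anything it still lists needs the snapshot route, and the old volume the swap leaves behind should be deleted once the new one is verified.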
