How to Encrypt all Volumes built into the AWS AMI during instance provision?

prashanthvikram · February 15, 2021, 6:16pm

I have this Company Standard AMI which has 4 volumes baked into it. we are required to use only this RHEL AMI.

when provisioning an instance with this, I also add a new EBS volume and associate it with the instance.

I am able to encrypt the root volume using “root_block_device” attribute in the
resource "aws_instance"

For the EBS I added, the encryption is easy with the “encrypted, kms_key_id” attributes in the resource "aws_ebs_volume"

What am not able to figure out is how to encrypt (using my Key) the EBS volumes packed in with the AMI.

This is possible via the Console, CLI & the boto3 APIs.
But can we do this using Terraform?

tbugfinder · February 15, 2021, 9:12pm

Hi @prashanthvikram ,

as per my understanding you’re looking for a solution of encrypting non-root EBS volumes during provisioning.

Have you tried to use also block-device mappings for the existing EBS volumes and set encrpyted=true?

Would it be an option to pre-bake the image using packer and encrypt it within this step?
Terraform Resources aws_ami and aws_ami_copy include kms_key_id, too.

A different approach might be enabling EBS encryption by default for a given region.
https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-ebs-encryption-by-default.html

Topic		Replies	Views
How to Encrypt existing EBS volume Terraform	1	2818	March 13, 2022
How to set AWS EBS encryption with terraform and its launch template and without block_device_mappings? Terraform	0	40	July 19, 2024
AMI with 2 volumes causes issue when you have EC2 with EBS volumes AWS	1	1266	January 12, 2021
Customize EBS volume attachment on aws_instance, from an AMI with multiple volumes AWS	1	4358	August 4, 2021
Launch template encryption of root block device using explicit KMS key AWS	1	4388	December 29, 2020

How to Encrypt all Volumes built into the AWS AMI during instance provision?

Related topics