An Amazon Machine Image (AMI) serves as a template for launching an instance (a virtual server) within your AWS environment. Numerous AMIs are available on the AWS Marketplace, including those for Amazon Linux, Red Hat, and Ubuntu, which you can utilize to deploy Amazon Elastic Compute Cloud (Amazon EC2) instances. When instances are launched from these AMIs, the resulting volumes are typically unencrypted. However, for compliance or regulatory requirements, there may be a need to deploy instances with encrypted root volumes. Previously, this involved a cumbersome multi-step process where you needed to keep a separate, encrypted copy of the AMI on your account to launch instances with encrypted volumes. Thankfully, this is no longer necessary.
You can now directly specify encryption settings during your existing workflows, such as the RunInstances API or the Launch Instance Wizard, allowing you to launch an encrypted Amazon Elastic Block Store (Amazon EBS) backed instance from an unencrypted AMI. This change streamlines the process of deploying instances with encrypted volumes and significantly lowers your associated AMI storage costs.
In this article, we will illustrate how to start from an unencrypted AMI to launch an encrypted EBS-backed Amazon EC2 instance. We will guide you through the process using both the AWS Management Console and the RunInstances API with the AWS Command Line Interface (AWS CLI).
Launching an Instance via the AWS Management Console
- Log into the AWS Management Console and navigate to the EC2 dashboard.
- Click on “Launch instance” and follow the prompts provided by the launch wizard:
- In the first step, choose the Amazon Machine Image (AMI) you wish to use.
- In step two, select your instance type.
- In step three, provide any additional configuration details. For a comprehensive guide on configuring your instances, see Launching an Instance.
- In step four, specify your EBS volumes. The encryption settings of the volumes will be derived from the selected AMI. If you are utilizing an unencrypted AMI, it will be marked as “Not Encrypted.” You can then choose an AWS KMS key for encrypting the volume. You have the option to use the same KMS key for each volume or different KMS keys for each.
- Click on “Review” and then “Launch.” Your instance will be initiated with an encrypted Amazon EBS volume that employs the KMS key you selected. For more details on the launch wizard, visit Launching an Instance with Launch Wizard.
Launching an Instance from the RunInstances API
When using the RunInstances API or CLI, you can specify the KmsKeyId for encrypting the volumes created from the AMI by setting Encrypted within each Ebs entry of the BlockDeviceMapping (BDM). If you set Encrypted to true but omit KmsKeyId, the AWS managed KMS key for EBS is used to encrypt the volume.
For instance, to deploy an encrypted instance from an Amazon Linux AMI with an additional empty 100 GB data volume (/dev/sdb), the API call would look like this:
$ aws ec2 run-instances \
    --image-id ami-009d6802948d06e52 \
    --count 1 \
    --instance-type m4.large \
    --region us-east-1 \
    --subnet-id subnet-aec2fc86 \
    --key-name 2016KeyPair \
    --security-group-ids sg-f7dbc78e \
    --block-device-mappings file://mapping.json
Where mapping.json includes the following configuration:
[
    {
        "DeviceName": "/dev/xvda",
        "Ebs": {
            "Encrypted": true,
            "KmsKeyId": "arn:aws:kms::key/"
        }
    },
    {
        "DeviceName": "/dev/sdb",
        "Ebs": {
            "DeleteOnTermination": true,
            "VolumeSize": 100,
            "VolumeType": "gp2",
            "Encrypted": true,
            "KmsKeyId": "arn:aws:kms::key/"
        }
    }
]
You can designate a different key for each volume. If you set Encrypted to true for a volume but omit its KmsKeyId, the call does not fail; the volume is encrypted with the AWS managed KMS key described above instead of a key you chose.
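As an added example (not code from the original post or from AWS), the Python below builds a BlockDeviceMappings list of the shape shown above and audits a mapping before launch, flagging any volume that would come up unencrypted or without an explicit key. The key ARN is a constructed placeholder, and requiring a full key ARN (rather than an alias or bare key ID, which the API also accepts) is an assumed policy choice; the page's own "arn:aws:kms::key/" placeholder is therefore flagged.

```python
import re

# Assumed policy: every volume must name a full KMS key ARN. Constructed placeholder key.
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")
SAMPLE_KEY = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"


def build_mapping(root_device, data_volumes, kms_key_id):
    """Return a RunInstances BlockDeviceMappings list: an encrypted root volume
    plus encrypted, empty gp2 data volumes, all under one key.
    data_volumes is a list of (device_name, size_gib) tuples."""
    mapping = [{"DeviceName": root_device,
                "Ebs": {"Encrypted": True, "KmsKeyId": kms_key_id}}]
    for device, size_gib in data_volumes:
        mapping.append({"DeviceName": device,
                        "Ebs": {"DeleteOnTermination": True, "VolumeSize": size_gib,
                                "VolumeType": "gp2", "Encrypted": True,
                                "KmsKeyId": kms_key_id}})
    return mapping


def audit_mapping(mapping, require_key=True):
    """Return (device, problem) findings for volumes that would launch
    unencrypted, fall back to the AWS managed key, or carry a malformed key."""
    findings = []
    for entry in mapping:
        device = entry.get("DeviceName", "?")
        ebs = entry.get("Ebs", {})
        if not ebs.get("Encrypted"):
            findings.append((device, "Encrypted is not true"))
            continue
        key = ebs.get("KmsKeyId")
        if not key:
            if require_key:
                findings.append((device, "no KmsKeyId; AWS managed key would be used"))
        elif not KEY_ARN_RE.match(key):
            findings.append((device, "KmsKeyId is not a full key ARN"))
    return findings


if __name__ == "__main__":
    # The list returned here is what you pass as BlockDeviceMappings= to
    # boto3's ec2 client run_instances(), or write to mapping.json for the CLI.
    good = build_mapping("/dev/xvda", [("/dev/sdb", 100)], SAMPLE_KEY)
    print("findings for generated mapping:", audit_mapping(good))
    page_style = [{"DeviceName": "/dev/xvda",
                   "Ebs": {"Encrypted": True, "KmsKeyId": "arn:aws:kms::key/"}}]
    print("findings for placeholder mapping:", audit_mapping(page_style))
```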
Conclusion
In this blog post, we have illustrated how you can swiftly launch encrypted, EBS-backed instances from unencrypted AMIs in just a few steps. Additionally, you can employ the same method for launching EBS-backed encrypted volumes from unencrypted snapshots. This simplification significantly reduces the complexity of deploying instances with encrypted volumes and lowers your AMI storage costs.
This feature is available through the AWS Management Console, AWS CLI, and AWS SDKs at no additional charge in all commercial AWS regions except China. If you have feedback on this article, please leave your comments below. For questions, start a new thread on the Amazon EC2 forum or contact AWS Support.