How to enable AWS EBS Volume snapshots encryption
Using the AWS console:
Sign in to the AWS console and navigate to https://console.aws.amazon.com/ec2/
From the left navigation pane, choose the Snapshots option.
Select the actionable snapshot, then choose Actions.
Choose the Copy Snapshot option.
Check the encryption option.
Under Master key, choose the KMS key (it is recommended to choose a KMS CMK when the EBS snapshot consists of highly sensitive data).
Click Copy.
Once the newly encrypted snapshot is ready, the old snapshot should be deleted.
Using the AWS CLI:
$> aws ec2 copy-snapshot --description [description-for-new-snapshot] --destination-region [region-name] --encrypted --kms-key-id [kms-key-id] --source-region [region-name] --source-snapshot-id [actionable-snapshot-id]
Command reference: https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-snapshot.html
$> aws ec2 delete-snapshot --snapshot-id [actionable-snapshot-id] --region [region-name]
Command reference: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-snapshot.html
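The copy and delete steps above combined into one script, as an added example that is not part of the original page. The function name encrypt_snapshot and its three arguments are assumptions; it copies within a single region, waits for the copy to complete, and deletes the source only after the copy reports Encrypted as true.

```shell
#!/bin/sh
# Added example: encrypt an EBS snapshot by copying it, then remove the original.
# Usage (placeholders): ./encrypt-snapshot.sh [actionable-snapshot-id] [region-name] [kms-key-id]

encrypt_snapshot() {
    local src_id="$1"
    local region="$2"
    local kms_key="$3"
    local new_id encrypted

    # Start the encrypted copy. --region selects the endpoint that receives the copy.
    new_id=$(aws ec2 copy-snapshot \
        --region "$region" \
        --source-region "$region" \
        --source-snapshot-id "$src_id" \
        --encrypted --kms-key-id "$kms_key" \
        --description "Encrypted copy of $src_id" \
        --query SnapshotId --output text) || return 1

    # Block until the new snapshot reaches the "completed" state.
    aws ec2 wait snapshot-completed \
        --region "$region" --snapshot-ids "$new_id" || return 1

    # Confirm the copy really is encrypted before touching the source.
    encrypted=$(aws ec2 describe-snapshots \
        --region "$region" --snapshot-ids "$new_id" \
        --query 'Snapshots[0].Encrypted' --output text) || return 1
    case "$encrypted" in
        True|true) ;;
        *)
            echo "copy $new_id is not encrypted; keeping $src_id" >&2
            return 1
            ;;
    esac

    # Only now delete the unencrypted original.
    aws ec2 delete-snapshot --region "$region" --snapshot-id "$src_id" || return 1

    # Print the new snapshot ID so callers can repoint applications to it.
    echo "$new_id"
}

# Run only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    encrypt_snapshot "$@"
fi
```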
Note:
Applications using the old snapshot ID should point to the new snapshot ID.
Using a KMS CMK to encrypt snapshots might incur additional cost.