Encrypt Instance Volumes
Encrypt or re-encrypt all EBS volumes attached to an instance with a KMS key.
Steps:
- Create snapshots of all volumes
- Create encrypted volumes from the snapshots with the specified KMS key
- Copy tags from the original volumes to the encrypted volumes
- Stop the instance
- Detach original volumes
- Attach encrypted volumes
- Preserve original device names (e.g. /dev/sda1)
- If instance was originally running:
  - Start the instance
- Delete the snapshots
- Original volumes remain for rollback purposes
For running instances, downtime is minimized by stopping the instance only when the encrypted volumes are ready to swap (~2 min).
If re_encrypt is supplied, already encrypted volumes are re-encrypted as well; otherwise they are skipped.
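An added example of the procedure above, written in Python against a boto3 EC2 client that the caller passes in (it is not the aaws project's own code; the names volumes_to_convert, copyable_tags and encrypt_instance_volumes are assumed). It also handles two details the step list does not mention: tags with the reserved aws: prefix cannot be copied, and io1/io2 volumes must be re-created with their provisioned IOPS.

```python
def volumes_to_convert(volumes, re_encrypt):
    """Select volumes that need an encrypted copy: every unencrypted volume,
    plus already encrypted ones when re_encrypt is set."""
    return [v for v in volumes if not v.get("Encrypted") or re_encrypt]


def copyable_tags(tags):
    """Tags with the reserved 'aws:' prefix cannot be written by create_tags."""
    return [t for t in tags if not t["Key"].startswith("aws:")]


def encrypt_instance_volumes(ec2, instance_id, kms_key_id, re_encrypt=False):
    """ec2: a boto3 EC2 client supplied by the caller (assumed, not imported here)."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    was_running = inst["State"]["Name"] == "running"
    # Remember each volume's device name so the swap keeps e.g. /dev/sda1.
    device_of = {m["Ebs"]["VolumeId"]: m["DeviceName"]
                 for m in inst["BlockDeviceMappings"] if "Ebs" in m}
    vols = ec2.describe_volumes(VolumeIds=list(device_of))["Volumes"]
    swaps = []  # (old_id, new_id, device, snapshot_id)
    for v in volumes_to_convert(vols, re_encrypt):
        snap = ec2.create_snapshot(VolumeId=v["VolumeId"],
                                   Description=f"encrypt {v['VolumeId']}")["SnapshotId"]
        ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
        args = dict(AvailabilityZone=v["AvailabilityZone"], SnapshotId=snap,
                    Encrypted=True, KmsKeyId=kms_key_id, VolumeType=v["VolumeType"])
        if v["VolumeType"] in ("io1", "io2"):  # provisioned IOPS is mandatory here
            args["Iops"] = v["Iops"]
        new = ec2.create_volume(**args)["VolumeId"]
        ec2.get_waiter("volume_available").wait(VolumeIds=[new])
        tags = copyable_tags(v.get("Tags", []))
        if tags:
            ec2.create_tags(Resources=[new], Tags=tags)
        swaps.append((v["VolumeId"], new, device_of[v["VolumeId"]], snap))
    if not swaps:
        return instance_id
    # Stop only now, with replacements ready, so downtime is just the swap.
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    for old, new, device, _ in swaps:
        ec2.detach_volume(VolumeId=old)
        ec2.get_waiter("volume_available").wait(VolumeIds=[old])
        ec2.attach_volume(VolumeId=new, InstanceId=instance_id, Device=device)
        ec2.get_waiter("volume_in_use").wait(VolumeIds=[new])
    if was_running:
        ec2.start_instances(InstanceIds=[instance_id])
        ec2.get_waiter("instance_running").wait(InstanceIds=[instance_id])
    for _, _, _, snap in swaps:
        ec2.delete_snapshot(SnapshotId=snap)
    return instance_id
```

The detached original volumes are left in place for rollback, as the steps describe, and still hold the plaintext data; delete them once the instance has been verified on the encrypted volumes. attach_volume does not carry over the DeleteOnTermination flag, so re-apply it with modify_instance_attribute if the original mapping used it.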
Usage
Input
Parameter | Description | Type | Required | Default Value |
---|---|---|---|---|
instance_id | Instance ID for volume encryption | string | Yes | None |
kms_key_id | KMS Key ID to use for encryption | string | Yes | None |
re_encrypt | Re-encrypt already encrypted volumes | bool | No | False |
region | Region for operation. Leave blank for session default | string | No | Session Default |
debug | Increase log verbosity | bool | No | False |
silent | Decrease log verbosity | bool | No | False |
output | Output format table | string | No | None |
session | Established session | object | No | None |
Output
Returns a string of the encrypted instance ID:
"i-1234567890abcdef0"
Examples
Encrypt all instance volumes with a KMS key (already encrypted volumes are skipped):
aaws ec2 encrypt_instance_volumes --instance_id i-1234567890abcdef0 --kms_key_id abcd1234-a123-456a-a12b-a123b4cd56ef
Encrypt all instance volumes with a KMS key (already encrypted volumes are re-encrypted):
aaws ec2 encrypt_instance_volumes --re_encrypt --instance_id i-1234567890abcdef0 --kms_key_id abcd1234-a123-456a-a12b-a123b4cd56ef