Encrypting EBS Volume
Prerequisite
You need to add the following statement to the IAM policy ("aviatrix-app-policy") attached to your Aviatrix app role. These are the EC2 permissions the controller needs to snapshot the gateway volume, create an encrypted copy, and swap the volumes on the gateway instance.

    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:CopySnapshot",
        "ec2:CreateSnapshot",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot",
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "*"
    }
Add Rules to IAM Roles Policy
Step1: Sign in to your AWS account and open the IAM service.
Step2: Select "Roles", then open the role named "aviatrix-role-app".
Step3: Open the "aviatrix-app-policy" policy, click the "JSON" tab, and add the statement above to the policy document. Then click "Review policy".
Step4: Click "Save changes" to finish editing aviatrix-app-policy.
Encrypt Gateway EBS Volume in Aviatrix Controller
Step1: Log in to your Aviatrix Controller and open the "Gateway" page.
Step2: Select the gateway whose volume you want to encrypt, then click the "Edit" button.
Step3: Check the current encryption status of the gateway's EBS volume.
Step4: Scroll down to "Encrypt Volume" and click the "Encrypt" button to encrypt the EBS volume. Wait for the encryption process to complete.
By default, the controller encrypts the volume with the AWS managed key for EBS. Alternatively, you can enter your own "Customer Managed Key ID" to encrypt the gateway EBS volume with a key you control (see: How to create AWS Customer Managed Key ID?).
Step5: Check the encrypted volume. You may need to refresh the controller "Gateway" page before the new status of the gateway's EBS volume is shown.
Step6: You can also verify the result in the AWS console, on the EC2 → Volumes page.
You can see that the gateway EBS volume is now encrypted. The previous unencrypted volume is kept rather than deleted. If you used a customer managed key, make sure "aviatrix-role-app" is added to that CMK as a key user in KMS before you replace or resize the gateway later; otherwise the role cannot use the key to create the new encrypted volume.
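The two documents this procedure depends on are the IAM policy from the Prerequisite section and, when a customer managed key is used, the KMS key policy that must list "aviatrix-role-app" as a key user. The following script is an added example, not Aviatrix's code: it checks both documents offline, honouring IAM wildcard matching and explicit Deny statements. The sample policies, the account id 111122223333 and the role ARN are constructed placeholders, and the set of KMS actions it treats as "key user" permissions is an assumption based on the statements the KMS console generates for key users, not text from this page.

```python
"""Offline checks for the two policy documents this procedure relies on:
the aviatrix-app-policy IAM policy (Prerequisite section) and the KMS key
policy that must list aviatrix-role-app as a key user (Step 6 note)."""
import fnmatch
import json

# The EC2 actions the page requires in aviatrix-app-policy.
REQUIRED_EC2_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
    "ec2:StopInstances", "ec2:StartInstances", "ec2:CopySnapshot",
    "ec2:CreateSnapshot", "ec2:CreateVolume", "ec2:DeleteVolume",
    "ec2:DeleteSnapshot", "ec2:AttachVolume", "ec2:DetachVolume",
]

# What the KMS console grants a principal listed under "Key users"
# (assumption: the standard console-generated key policy; not from the page).
REQUIRED_KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covered(action, patterns):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_iam_actions(policy, required=REQUIRED_EC2_ACTIONS):
    """Required actions not granted on Resource "*" by an Allow statement,
    or explicitly removed by a Deny statement (Deny always wins in IAM)."""
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Deny":
            denied.extend(actions)
        elif stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource")):
            allowed.extend(actions)
    return [a for a in required if not _covered(a, allowed) or _covered(a, denied)]


def _principals(stmt):
    """AWS principals of a key-policy statement ("*" or {"AWS": ...})."""
    p = stmt.get("Principal")
    return _as_list(p.get("AWS")) if isinstance(p, dict) else _as_list(p)


def missing_key_user_actions(key_policy, role_arn, required=REQUIRED_KMS_ACTIONS):
    """Required KMS actions the key policy does not allow to role_arn."""
    allowed = []
    for stmt in _as_list(key_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if role_arn in _principals(stmt) or "*" in _principals(stmt):
            allowed.extend(_as_list(stmt.get("Action")))
    return [a for a in required if not _covered(a, allowed)]


# Constructed sample documents (account id and ARNs are placeholders).
ROLE_ARN = "arn:aws:iam::111122223333:role/aviatrix-role-app"

SAMPLE_IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
               "ec2:StopInstances", "ec2:StartInstances", "ec2:CopySnapshot",
               "ec2:CreateSnapshot", "ec2:CreateVolume", "ec2:DeleteVolume",
               "ec2:DeleteSnapshot", "ec2:AttachVolume", "ec2:DetachVolume"],
    "Resource": "*"
  }]
}""")

SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}

if __name__ == "__main__":
    print("missing EC2 actions:", missing_iam_actions(SAMPLE_IAM_POLICY))
    print("missing KMS actions:", missing_key_user_actions(SAMPLE_KEY_POLICY, ROLE_ARN))
```

To run it against your own account, fetch the documents with `aws iam get-role-policy --role-name aviatrix-role-app --policy-name aviatrix-app-policy` (for an inline policy) and `aws kms get-key-policy --key-id <your key id> --policy-name default`, load the JSON, and pass it to the two functions. The IAM check deliberately counts only Allow statements on Resource "*", matching the statement the page asks for, and ignores Condition blocks, so a policy that scopes the actions more narrowly will be reported as missing even if it happens to work.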