Encrypting EBS Volume

Description

The Encrypt EBS Volume feature encrypts the EBS volume of an Aviatrix gateway. The controller performs the encryption on your behalf through the AWS API, which is why the IAM role it uses must first be granted the EC2 permissions listed below.

Prerequisite

Add the following statement to the IAM policy attached to the controller's role (the policy named "aviatrix-app-policy"). Paste it as an additional element of the policy's "Statement" array; the JSON editor expects a complete policy document, not a bare statement.

{
    "Effect": "Allow",
    "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:CopySnapshot",
        "ec2:CreateSnapshot",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot",
        "ec2:AttachVolume",
        "ec2:DetachVolume"
    ],
    "Resource": "*"
}

Add Rules to IAM Roles Policy

Step1: Go to your AWS account and select IAM service.

image 1 IAMRolesClickAviatrixroleapp

Step2: Select "Roles", open the role named "aviatrix-role-app", then select its attached policy "aviatrix-app-policy" and click "Edit policy".

image 2 selectAviatrixAppPolicyEnditPolicy

Step3: Click the "JSON" tab and add the statement above to the policy document's "Statement" array. Then click "Review policy".

image 3 selectJSONAddRulesClickReviewPolicy

Step4: Click "Save changes" to finish editing aviatrix-app-policy.

image 4 saveChanges
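Before clicking "Encrypt", it is worth confirming that the saved policy really grants every action the controller needs, since a missing one only surfaces once the operation fails part-way. The following Python is an added example, not Aviatrix's own code or tooling: it reports which of the required actions a policy document does not yet allow and appends the prerequisite statement to the document's "Statement" array. The EXISTING_POLICY document embedded here is a constructed stand-in; in practice you would load the JSON you copied from the policy's JSON tab.

```python
import json
from fnmatch import fnmatchcase

# Constructed stand-in for an existing aviatrix-app-policy document (not the
# real Aviatrix policy; shortened to one statement for illustration).
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],
            "Resource": "*",
        }
    ],
}

# The statement from the Prerequisite section, verbatim.
ENCRYPT_EBS_STATEMENT = {
    "Effect": "Allow",
    "Action": [
        "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
        "ec2:StopInstances", "ec2:StartInstances", "ec2:CopySnapshot",
        "ec2:CreateSnapshot", "ec2:CreateVolume", "ec2:DeleteVolume",
        "ec2:DeleteSnapshot", "ec2:AttachVolume", "ec2:DetachVolume",
    ],
    "Resource": "*",
}

REQUIRED_ACTIONS = set(ENCRYPT_EBS_STATEMENT["Action"])


def allowed_actions(policy, required):
    """Return the subset of `required` that some Allow statement grants.

    Accepts 'Action'/'Resource' as a string or a list and expands IAM
    wildcards such as 'ec2:Describe*' (action names are case-insensitive).
    Only statements scoped to Resource '*' count, because the controller
    creates and attaches new volumes whose IDs are not known in advance.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" not in resources:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            granted.update(a for a in required if fnmatchcase(a.lower(), pattern.lower()))
    return granted


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Sorted list of required actions the policy does not allow on Resource '*'."""
    return sorted(set(required) - allowed_actions(policy, required))


def add_statement(policy, statement):
    """Return a copy of the policy document with `statement` appended to its
    'Statement' array, leaving the original untouched."""
    doc = json.loads(json.dumps(policy))
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    statements.append(json.loads(json.dumps(statement)))
    doc["Statement"] = statements
    return doc


if __name__ == "__main__":
    print("missing before:", missing_actions(EXISTING_POLICY))
    updated = add_statement(EXISTING_POLICY, ENCRYPT_EBS_STATEMENT)
    print("missing after:", missing_actions(updated))
    print(json.dumps(updated, indent=4))  # paste this into the JSON tab
```

A Deny statement elsewhere in the role's policies, a permissions boundary, or an SCP can still block an action this check reports as allowed; the check only tells you the policy you are editing is not the thing missing it.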

Encrypt Gateway EBS Volume in Aviatrix Controller

Step1: In the Aviatrix Controller, open the "Gateway" page.

Step2: Select the gateway whose volume you want to encrypt, then click the "Edit" button.

image 11 selectGwEdit

Step3: Check the current encryption status of the gateway's EBS volume.

image 12 checkStatus

Step4: Scroll down to "Encrypt Volume" and click the "Encrypt" button. Wait for the encryption process to complete. The permissions granted above include ec2:StopInstances and ec2:StartInstances, so plan for the gateway to be stopped while its volume is replaced.

image 13 scrollDownToEncryptVolume

By default the controller encrypts the volume with the AWS managed key for EBS. Alternatively, enter the ID of a customer managed key (CMK) to encrypt the gateway volume with your own key; see the AWS KMS documentation for how to create a customer managed key.

Step5: Check that the volume now shows as encrypted. You may need to refresh the controller's "Gateway" page for the status to update.

image 14 checkEncryptResult

Step6: Confirm the result in the AWS console under EC2 → Volumes.

image 15 checkEncryptResultOnAws

The gateway's EBS volume is now encrypted. Note that the previous unencrypted volume is retained rather than deleted: it still holds a plaintext copy of the gateway's data and continues to incur storage cost, so delete it once you have verified the gateway is working. If you used a CMK, add the "aviatrix-role-app" role as a key user in the key's KMS key policy; that access is needed for later operations that recreate the volume, such as replacing or resizing the gateway.
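Checking the result in the console (Steps 5 and 6) covers one gateway; across many gateways a scripted check is more reliable. The following Python is an added example, not Aviatrix's own code or tooling. It reads the JSON that `aws ec2 describe-volumes --output json` prints, reports the encryption state and KMS key of every volume attached to a given gateway instance, and lists every unencrypted volume in the region, which after this procedure includes the retained pre-encryption copy. The instance and volume IDs and key ARNs below are hypothetical, and the embedded SAMPLE_DESCRIBE_VOLUMES is a constructed sample in the shape of that command's output.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-volumes --output json`.
# All IDs and ARNs are hypothetical; nothing here came from a real account.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {   # the new encrypted volume attached to the gateway
            "VolumeId": "vol-0aaa000000000001",
            "State": "in-use",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
            "Attachments": [{"InstanceId": "i-0gw00000000000001", "Device": "/dev/sda1", "State": "attached"}],
        },
        {   # the previous unencrypted volume, detached but retained by the controller
            "VolumeId": "vol-0aaa000000000002",
            "State": "available",
            "Encrypted": False,
            "Attachments": [],
        },
        {   # an unrelated instance's encrypted volume; must not be flagged
            "VolumeId": "vol-0aaa000000000003",
            "State": "in-use",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "Attachments": [{"InstanceId": "i-0other0000000001", "Device": "/dev/sda1", "State": "attached"}],
        },
    ]
})

GATEWAY_INSTANCE_ID = "i-0gw00000000000001"  # hypothetical gateway instance


def gateway_volumes(describe_json, instance_id):
    """Volumes attached to the gateway instance with their encryption state.
    describe-volumes only includes KmsKeyId for encrypted volumes, so it is
    None for an unencrypted one."""
    result = []
    for vol in json.loads(describe_json)["Volumes"]:
        if any(a.get("InstanceId") == instance_id for a in vol.get("Attachments", [])):
            result.append({
                "VolumeId": vol["VolumeId"],
                "Encrypted": bool(vol.get("Encrypted", False)),
                "KmsKeyId": vol.get("KmsKeyId"),
            })
    return result


def gateway_uses_key(describe_json, instance_id, expected_key_arn):
    """True only if the gateway has at least one volume and every one of them
    is encrypted with the expected key (use this when you chose a CMK)."""
    vols = gateway_volumes(describe_json, instance_id)
    return bool(vols) and all(v["Encrypted"] and v["KmsKeyId"] == expected_key_arn for v in vols)


def unencrypted_volumes(describe_json):
    """Every unencrypted volume in the output, with its state. An 'available'
    (detached) unencrypted volume left after the Encrypt step is the retained
    pre-encryption copy and still holds plaintext data."""
    return [(v["VolumeId"], v["State"])
            for v in json.loads(describe_json)["Volumes"] if not v.get("Encrypted", False)]


if __name__ == "__main__":
    # Usage: aws ec2 describe-volumes --output json | python audit_volumes.py i-0123456789abcdef0
    instance_id = sys.argv[1] if len(sys.argv) > 1 else GATEWAY_INSTANCE_ID
    data = SAMPLE_DESCRIBE_VOLUMES if sys.stdin.isatty() else sys.stdin.read()
    for v in gateway_volumes(data, instance_id):
        print(f"{v['VolumeId']}: encrypted={v['Encrypted']} key={v['KmsKeyId']}")
    for vol_id, state in unencrypted_volumes(data):
        print(f"UNENCRYPTED {vol_id} ({state})")
```

The unencrypted list is region-wide and does not know which detached volume belonged to which gateway, so confirm a volume's origin (creation time, tags, size) before deleting it.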