Encrypting EBS Volume
Prerequisite
Add the following statement to the IAM policy attached to the Aviatrix app role (the policy is "aviatrix-app-policy", attached to the role "aviatrix-role-app"). An existing EBS volume cannot be encrypted in place, so the Controller needs permission to stop and start the gateway instance and to create, copy, attach, detach and delete snapshots and volumes in order to replace the unencrypted volume with an encrypted copy. Note that "Resource": "*" grants these permissions account-wide; the Describe* actions do not support resource-level restrictions, the others can be scoped further if your policy hygiene requires it.
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:CopySnapshot",
        "ec2:CreateSnapshot",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot",
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "*"
    }
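As an added example (not part of the Aviatrix documentation), the following Python checks whether an IAM policy document already grants every action in the statement above, and shows how to append the statement to an existing policy's "Statement" array without producing invalid JSON. It handles IAM's string-or-list fields and wildcard actions such as "ec2:Describe*". It deliberately ignores Deny statements, NotAction and Condition blocks, so an empty "missing" list is necessary but not sufficient proof that the role can perform the actions. The sample policy is constructed.

```python
import fnmatch
import json

# Actions the statement in this guide grants.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
    "ec2:StopInstances", "ec2:StartInstances", "ec2:CopySnapshot",
    "ec2:CreateSnapshot", "ec2:CreateVolume", "ec2:DeleteVolume",
    "ec2:DeleteSnapshot", "ec2:AttachVolume", "ec2:DetachVolume",
]

# The statement from the guide, as a Python dict.
EBS_ENCRYPTION_STATEMENT = {
    "Effect": "Allow",
    "Action": REQUIRED_ACTIONS,
    "Resource": "*",
}

# Constructed sample: an existing aviatrix-app-policy that already has
# read-only EC2 access and stop/start, but none of the snapshot/volume actions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:StartInstances"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def allow_patterns(policy):
    """Lower-cased Action patterns of every unconditional Allow statement.

    Deny, NotAction and Condition are skipped on purpose: evaluating them
    needs the request context, so this check can only tell you an action is
    NOT granted, never that it certainly is.
    """
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt or "Action" not in stmt:
            continue
        patterns.extend(a.lower() for a in _as_list(stmt["Action"]))
    return patterns


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions not matched by any Allow pattern.

    IAM action matching is case-insensitive with * and ? wildcards, which
    fnmatchcase reproduces once both sides are lower-cased.
    """
    patterns = allow_patterns(policy)
    return [
        action for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), pat) for pat in patterns)
    ]


def with_statement(policy, statement):
    """Copy of `policy` with `statement` appended to its Statement array.

    A single-object Statement is normalised into a list first; forgetting
    that is the usual cause of "invalid JSON" when pasting into the editor.
    """
    updated = json.loads(json.dumps(policy))  # deep copy via JSON round-trip
    updated["Statement"] = _as_list(updated.get("Statement")) + [statement]
    return updated


if __name__ == "__main__":
    print("missing before:", missing_actions(SAMPLE_POLICY))
    fixed = with_statement(SAMPLE_POLICY, EBS_ENCRYPTION_STATEMENT)
    print("missing after:", missing_actions(fixed))
    print(json.dumps(fixed, indent=2))
```

Paste the output of `json.dumps(fixed, indent=2)` into the JSON tab of the policy editor; it is the complete policy document, not just the new statement.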
Add the Statement to the IAM Role Policy
Step1: Sign in to the AWS console and open the IAM service.
Step2: Select "Roles", open the role "aviatrix-role-app", and under its permissions open the attached policy "aviatrix-app-policy".
Step3: Click "Edit policy", select the "JSON" tab, and paste the statement above as an additional element of the policy's "Statement" array (keep the array comma-separated so the document stays valid JSON). Then click "Review policy".
Step4: Click "Save changes" to finish editing aviatrix-app-policy.
Encrypt Gateway EBS Volume in Aviatrix Controller
Step1: In the Aviatrix Controller, open the "Gateway" page.
Step2: Select the gateway whose EBS volume you want to encrypt, then click the "Edit" button.
Step3: Check the current encryption status of the gateway's EBS volume.
Step4: Scroll down to "Encrypt Volume" and click the "Encrypt" button. Wait for the process to complete; the gateway instance is stopped and restarted while its volume is replaced (this is what the StopInstances/StartInstances permissions are for), so expect the gateway to be out of service during this step.
Note: By default the Controller encrypts the volume with the AWS managed key for EBS. To use your own key instead, enter the "Customer Managed Key ID" of a KMS key you have created (see the AWS KMS documentation on creating a customer managed key).
Step5: Check the encrypted volume. You may need to refresh the Controller's "Gateway" page to see the updated status of the gateway's EBS volume.
Step6: You can also check the result in the AWS console under EC2 → Volumes.
Note: The gateway's EBS volume now shows as encrypted. The previous unencrypted volume is kept rather than deleted; it still holds the plaintext contents of the gateway's disk, so once you have confirmed the gateway is healthy, delete it and check EC2 → Snapshots for any unencrypted snapshots left over from the process. If you used a customer managed key, add "aviatrix-role-app" as a Key user on that key in KMS before you later replace or resize the gateway; otherwise the Controller cannot use the key to create the new volume.
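The check in Steps 5 and 6 can be automated from the output of `aws ec2 describe-volumes`. The Python below is an added example, not Aviatrix code: it audits each volume's encryption state and key, lists the volumes attached to a given gateway instance, and flags detached plaintext volumes left behind by the swap so they can be deleted. `describe-volumes` reports only the key ARN, so telling an AWS managed key from a customer managed one needs `aws kms describe-key` (KeyMetadata.KeyManager is "AWS" or "CUSTOMER"); the sample JSON, key mapping, volume IDs, instance IDs and key ARNs are all constructed.

```python
import json

# Constructed `aws ec2 describe-volumes` output after an encryption run:
# the gateway's new encrypted root volume, the old unencrypted volume left
# behind (detached, State "available"), and an unrelated volume that uses the
# AWS managed key. 123456789012 is the AWS documentation placeholder account.
DESCRIBE_VOLUMES = json.loads("""
{
  "Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": true, "State": "in-use",
     "KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555",
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "State": "attached", "Device": "/dev/sda1"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": false, "State": "available",
     "Attachments": []},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": true, "State": "in-use",
     "KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
     "Attachments": [{"InstanceId": "i-0fedcba9876543210", "State": "attached", "Device": "/dev/sda1"}]}
  ]
}
""")

# Constructed mapping of key ARN -> KeyMetadata.KeyManager from `aws kms describe-key`.
KEY_MANAGERS = {
    "arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555": "CUSTOMER",
    "arn:aws:kms:us-west-2:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "AWS",
}


def key_type(kms_key_id, key_managers):
    """'customer-managed', 'aws-managed', 'unknown' (key not looked up) or None when unencrypted."""
    if not kms_key_id:
        return None
    return {"CUSTOMER": "customer-managed", "AWS": "aws-managed"}.get(
        key_managers.get(kms_key_id), "unknown")


def audit_volumes(describe_volumes, key_managers):
    """One finding per volume: encryption, key type, attached instances, and
    whether it is a detached plaintext volume left over from the swap."""
    findings = []
    for vol in describe_volumes["Volumes"]:
        encrypted = bool(vol.get("Encrypted"))
        attached_to = [a["InstanceId"] for a in vol.get("Attachments", [])
                       if a.get("State") in ("attaching", "attached")]
        findings.append({
            "volume_id": vol["VolumeId"],
            "encrypted": encrypted,
            "key": key_type(vol.get("KmsKeyId"), key_managers),
            "attached_to": attached_to,
            "leftover_plaintext": not encrypted and vol.get("State") == "available",
        })
    return findings


def volumes_of_instance(describe_volumes, key_managers, instance_id):
    """Findings for the volumes currently attached to one gateway instance."""
    return [f for f in audit_volumes(describe_volumes, key_managers)
            if instance_id in f["attached_to"]]


def leftover_plaintext_volumes(describe_volumes):
    """IDs of unencrypted, detached volumes: candidates for deletion after the gateway is verified."""
    return [f["volume_id"] for f in audit_volumes(describe_volumes, {})
            if f["leftover_plaintext"]]


if __name__ == "__main__":
    for finding in audit_volumes(DESCRIBE_VOLUMES, KEY_MANAGERS):
        print(finding)
    print("delete after verifying gateway health:",
          leftover_plaintext_volumes(DESCRIBE_VOLUMES))
```

Against a real account, feed it `aws ec2 describe-volumes --output json` and build the key mapping from `aws kms describe-key --key-id <arn>` for each distinct KmsKeyId; a gateway whose volume reports "customer-managed" is the case where "aviatrix-role-app" must be a Key user on that key before a later replace or resize.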