Reputation: 2385
I'm trying to set up an ECS cluster with the EC2 instance type. My requirement is to encrypt the EBS volumes used by the ECS cluster. But I couldn't see an option to select encrypted EBS during the ECS cluster creation. The only option I'm seeing is one to provide the EBS volume size under instance configuration.
Is there any other way to implement EBS encryption in an ECS cluster?
Upvotes: 2
Views: 1502
Reputation: 99
I have scoured the internet to get this to work and followed all the documentation. I found that at least one other person has this issue and has a possible workaround by manually creating the volume in Docker. See: https://github.com/rexray/rexray/issues/1363
Another option, which I just confirmed works: you can enable encryption by default for EBS volumes in the zone you are in.
See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Upvotes: 0
Reputation: 3360
As mentioned in the comments, the accepted answer is not an optimal solution, since it's neither scalable, nor resilient.
An alternative would be to create a CloudFormation template, and use AWS::AutoScaling::AutoScalingGroup based on a custom AWS::EC2::LaunchTemplate, where you can specify the properties of the underlying EC2 instances, including encrypted EBS volumes. The UserData scripts on the EC2 instances shall register themselves with your ECS cluster.
```yaml
# Fragment of a CloudFormation template. ImageAMI and InstanceType are
# template parameters, and ECSCluster is an AWS::ECS::Cluster resource
# defined elsewhere in the same template (not shown here).
ECSLaunchTemplate:
  Type: AWS::EC2::LaunchTemplate
  Properties:
    LaunchTemplateName: !Sub ${AWS::StackName}-lt
    LaunchTemplateData:
      ImageId: !Ref ImageAMI            # ECS-optimised AMI
      InstanceType: !Ref InstanceType
      # Root volume of the container instance, encrypted at rest.
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: True
            Encrypted: True
            VolumeType: gp2
            VolumeSize: 30
      # UserData registering the instance with the cluster goes here (see below).
ECSAutoScalingGroup:
  DependsOn: ECSCluster
  Type: AWS::AutoScaling::AutoScalingGroup
  Properties:
    # MinSize, MaxSize and VPCZoneIdentifier are also required; omitted here.
    LaunchTemplate:
      LaunchTemplateId: !Ref ECSLaunchTemplate
      Version: !GetAtt ECSLaunchTemplate.LatestVersionNumber
```
Upvotes: 1
Reputation: 22861
Instead of creating instances using the ECS console, you can create them using the EC2 console/CLI/CloudFormation/etc. and join the created instances to the ECS cluster. That way you have full control of the instance options and contents, including specifying EBS encryption.
You will need to use an Amazon ECS optimised AMI to launch the instances, and you can join the cluster by adding the following to UserData:
```bash
#!/bin/bash
# Point the ECS agent at your cluster; replace your_cluster_name with the real cluster name.
echo ECS_CLUSTER=your_cluster_name >> /etc/ecs/ecs.config
```
Full details here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html
Upvotes: 1
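Whichever of the approaches above you use (encryption by default, a launch template with an encrypted block device mapping, or self-registered instances), you will want to verify that the container instances' volumes really came out encrypted. As an added example, not code from any of the answers, the following Python checks that against the response shapes of `ecs describe-container-instances` and `ec2 describe-volumes`; the `audit_live` wrapper assumes boto3 is installed and AWS credentials are configured, and the sample data is constructed.

```python
from typing import Dict, List


def audit_cluster_volumes(container_instances: List[Dict], volumes: List[Dict]) -> List[Dict]:
    """Return one finding per unencrypted volume attached to a cluster instance."""
    cluster_instance_ids = {ci["ec2InstanceId"] for ci in container_instances}
    findings = []
    for vol in volumes:
        if vol.get("Encrypted", False):
            continue  # encrypted at rest, nothing to report
        for att in vol.get("Attachments", []):
            if att.get("InstanceId") in cluster_instance_ids:
                findings.append({
                    "instance": att["InstanceId"],
                    "volume": vol["VolumeId"],
                    "device": att.get("Device"),
                })
    return findings


def audit_live(cluster_name: str, region: str) -> List[Dict]:
    """Fetch the cluster's instances and their volumes with boto3 (assumption)."""
    import boto3  # assumption: boto3 available and credentials configured
    ecs = boto3.client("ecs", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    # list_container_instances returns at most 100 ARNs per call; paginate for larger clusters.
    arns = ecs.list_container_instances(cluster=cluster_name)["containerInstanceArns"]
    if not arns:
        return []
    cis = ecs.describe_container_instances(
        cluster=cluster_name, containerInstances=arns)["containerInstances"]
    ids = [ci["ec2InstanceId"] for ci in cis]
    vols = ec2.describe_volumes(
        Filters=[{"Name": "attachment.instance-id", "Values": ids}])["Volumes"]
    return audit_cluster_volumes(cis, vols)


# Constructed sample data mimicking the two API responses (not real resources).
SAMPLE_CONTAINER_INSTANCES = [
    {"ec2InstanceId": "i-0aaa0001"},
    {"ec2InstanceId": "i-0aaa0002"},
]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0enc", "Encrypted": True,
     "Attachments": [{"InstanceId": "i-0aaa0001", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0plain", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0aaa0002", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0other", "Encrypted": False,  # attached outside the cluster
     "Attachments": [{"InstanceId": "i-0bbb0009", "Device": "/dev/xvda"}]},
]
```

Running `audit_cluster_volumes(SAMPLE_CONTAINER_INSTANCES, SAMPLE_VOLUMES)` reports only `vol-0plain` on `i-0aaa0002`; the unencrypted volume outside the cluster is ignored.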