Easily encrypted root volumes on AWS with Ansible - Reactive Ops

Easily encrypted root volumes on AWS with Ansible

Whether or not root volumes on AWS need to be encrypted is a subject of debate. The encrypted AMI is all about protecting data at rest.

Encryption at rest protects against three things:

  • The disk with the root volume on it being stolen from an AWS data center
  • The disk not being properly destroyed when Amazon recycles it
  • Some sort of leak in AWS infrastructure code that allows another entity to access your volume

All three scenarios are pretty unlikely, but (as with most things in life) there are no guarantees. Some of our clients don’t keep the kind of sensitive information that mandates encryption. However, others who are entrusted with such data and are under regulatory mandates demand encryption.

At one point, it was only (easily) possible to encrypt data volumes. Many used these additional volumes to store sensitive information and avoided writing to the root volume. However, late in 2015, AWS announced encrypted EBS boot volumes, a great feature that closed the gap on the encryption front across the whole instance. For organizations with compliance requirements, encrypted EBS boot volumes aren’t just a feature, but a must-have.

Creating an encrypted EBS volume is straightforward and simple:

  • Find an AMI you want to use as your base
  • Copy the AMI to your AWS account and check the Encrypted box
  • Use the new encrypted AMI as the boot volume for your instances

You can find command line examples of how to create an encrypted EBS volume from this AWS Blog.

At ReactiveOps we like to automate even further. Since we use Ansible, we put together a role that creates an encrypted AMI. In addition to handling the copy, the role will also help you find a base AMI to use for your encrypted AMI. (You can find the role on our ReactiveOps GitHub page. If you’re going down the root volume encryption route, we hope this role will prove useful.)
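The three-step copy above in code, as an added example that is not the ReactiveOps role or the AWS blog's CLI commands: it picks the newest base AMI matching a filter, copies it with Encrypted=True, and refuses to hand back an AMI whose root device mapping is not actually encrypted. Assumptions: boto3 and AWS credentials are present for a real run, the region, owner and name filter are placeholders to replace with your own, and with no KMS key given EC2 falls back to the account's default EBS key.

```python
"""Encrypted AMI copy, added example (not the ReactiveOps role): helpers take plain dicts."""
from __future__ import annotations


def newest_image(images: list[dict]) -> dict:
    """Pick the most recently created AMI from a describe_images result list."""
    if not images:
        raise ValueError("no candidate AMIs matched the filters")
    return max(images, key=lambda img: img["CreationDate"])


def root_is_encrypted(image: dict) -> bool:
    """True only if the AMI's root device is an EBS mapping with Encrypted=True."""
    root = image.get("RootDeviceName")
    for mapping in image.get("BlockDeviceMappings", []):
        if mapping.get("DeviceName") == root:
            return bool(mapping.get("Ebs", {}).get("Encrypted", False))
    return False  # no EBS root mapping (instance-store AMI): treat as unencrypted


def create_encrypted_ami(ec2, source_image_id: str, source_region: str,
                         name: str, kms_key_id: str | None = None) -> str:
    """Copy the AMI with Encrypted=True, wait, then confirm the root is encrypted.

    `ec2` is a boto3 EC2 client for the destination region. Without kms_key_id,
    EC2 encrypts with the account's default EBS key (aws/ebs).
    """
    params = dict(SourceImageId=source_image_id, SourceRegion=source_region,
                  Name=name, Encrypted=True)
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id
    new_id = ec2.copy_image(**params)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[new_id])
    image = ec2.describe_images(ImageIds=[new_id])["Images"][0]
    if not root_is_encrypted(image):
        raise RuntimeError(f"{new_id} exists but its root volume is not encrypted")
    return new_id


if __name__ == "__main__":
    import boto3  # real AWS calls happen only from here; needs credentials
    ec2 = boto3.client("ec2", region_name="us-east-1")  # assumption: your region
    base = newest_image(ec2.describe_images(
        Owners=["amazon"],  # assumption: choose your own owner and name filter
        Filters=[{"Name": "name", "Values": ["amzn2-ami-hvm-*-x86_64-gp2"]},
                 {"Name": "state", "Values": ["available"]}])["Images"])
    print(create_encrypted_ami(ec2, base["ImageId"], "us-east-1",
                               f"{base['Name']}-encrypted"))
```

The post-copy check matters because a copy request that silently lands on an unencrypted snapshot is exactly the failure a compliance audit will find later.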

In short, encryption is a no-brainer for those with regulatory requirements. Many questions go away if you can check the “all data is encrypted” box.

For those on the fence, I’ll offer this rule of thumb: If you encrypt your data volumes, you should also encrypt the root volume. After all, why put three deadbolts on the front door and then leave the back door open?
