2 answers
1
FYI, "New EBS volumes that are created from encrypted snapshots are automatically encrypted. You can also encrypt a volume on-the-fly while restoring it from an unencrypted snapshot. Encrypted volumes can only be attached to instance types that support EBS encryption."
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-volume.html
answered 1 year ago
0
I don't think the copy snapshot step is necessary. Can you share the documentation you are referring to? Here is the documentation regarding "creating an encrypted volume from an unencrypted snapshot": https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
How EBS encryption works when the snapshot is unencrypted
When you create an encrypted volume from an unencrypted snapshot, Amazon EC2 works with AWS KMS to encrypt and decrypt your EBS volumes as follows:
- Amazon EC2 sends a CreateGrant request to AWS KMS, so that it can encrypt the volume that is created from the snapshot.
- Amazon EC2 sends a GenerateDataKeyWithoutPlaintext request to AWS KMS, specifying the KMS key that you chose for volume encryption.
- AWS KMS generates a new data key, encrypts it under the KMS key that you chose for volume encryption, and sends the encrypted data key to Amazon EBS to be stored with the volume metadata.
- Amazon EC2 sends a Decrypt request to AWS KMS to get the encryption key to encrypt the volume data.
- When you attach the encrypted volume to an instance, Amazon EC2 sends a CreateGrant request to AWS KMS, so that it can decrypt the data key.
- When you attach the encrypted volume to an instance, Amazon EC2 sends a Decrypt request to AWS KMS, specifying the encrypted data key.
- AWS KMS decrypts the encrypted data key and sends the decrypted data key to Amazon EC2.
- Amazon EC2 uses the plaintext data key in hypervisor memory to encrypt disk I/O to the volume. The plaintext data key persists in memory as long as the volume is attached to the instance.
Here's the link:
https://catalog.workshops.aws/startup-security-baseline/en-US/c-securing-your-workload/level-2-controls/4-encrypt-ebs-volumes#encrypt-an-existing-ebs-volume
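The eight KMS steps quoted in the second answer are an envelope-encryption flow: the KMS key never leaves KMS, the volume only stores a wrapped data key, and the plaintext data key lives in hypervisor memory only while the volume is attached. The following is an added example, not AWS code and not from either answer, that models that flow offline so the roles can be traced. `ToyKms`, `EbsVolume`, `Hypervisor`, the grantee name `"ec2"` and the key id are all stand-ins I constructed; the cipher is a toy HMAC-SHA256 keystream XOR in place of the real AES, and the sample snapshot contents are constructed.

```python
"""Toy model of the KMS envelope-encryption flow for an EBS volume restored
from an unencrypted snapshot. Added example: KMS, EC2 and EBS are stand-ins
built from the standard library; the cipher is a constructed toy, not AES."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with an HMAC-SHA256 counter keystream.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = offset.to_bytes(8, "big")
        ks = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class ToyKms:
    """Stand-in for AWS KMS: KMS key material never leaves this object."""

    def __init__(self):
        self._kms_keys = {}   # key_id -> key material (never exported)
        self._grants = set()  # (grantee, key_id) pairs allowed to use a key

    def create_key(self, key_id: str) -> str:
        self._kms_keys[key_id] = os.urandom(32)
        return key_id

    def create_grant(self, grantee: str, key_id: str) -> None:
        # Steps 1 and 5 in the answer: EC2 obtains permission on the KMS key.
        self._grants.add((grantee, key_id))

    def generate_data_key_without_plaintext(self, grantee: str, key_id: str) -> bytes:
        # Steps 2 and 3: a fresh data key is generated and returned only wrapped
        # under the KMS key; the caller never sees plaintext from this call.
        self._check_grant(grantee, key_id)
        nonce = os.urandom(16)
        return nonce + _keystream_xor(self._kms_keys[key_id], nonce, os.urandom(32))

    def decrypt(self, grantee: str, key_id: str, wrapped: bytes) -> bytes:
        # Steps 4, 6 and 7: unwrap the data key for a grantee.
        self._check_grant(grantee, key_id)
        nonce, body = wrapped[:16], wrapped[16:]
        return _keystream_xor(self._kms_keys[key_id], nonce, body)

    def _check_grant(self, grantee: str, key_id: str) -> None:
        if (grantee, key_id) not in self._grants:
            raise PermissionError(f"no grant for {grantee} on {key_id}")


@dataclass
class EbsVolume:
    volume_id: str
    kms_key_id: str
    encrypted_data_key: bytes   # the only key material EBS stores, in volume metadata
    ciphertext: bytes = b""     # encrypted volume contents
    nonce: bytes = field(default_factory=lambda: os.urandom(16))


def create_encrypted_volume_from_snapshot(kms: ToyKms, key_id: str,
                                          snapshot_plaintext: bytes) -> EbsVolume:
    """Steps 1-4: restore an unencrypted snapshot into an encrypted volume."""
    kms.create_grant("ec2", key_id)
    wrapped = kms.generate_data_key_without_plaintext("ec2", key_id)
    data_key = kms.decrypt("ec2", key_id, wrapped)   # plaintext key, in memory only
    vol = EbsVolume("vol-example", key_id, wrapped)  # constructed volume id
    vol.ciphertext = _keystream_xor(data_key, vol.nonce, snapshot_plaintext)
    return vol


class Hypervisor:
    """Holds a volume's plaintext data key only while that volume is attached."""

    def __init__(self, kms: ToyKms):
        self.kms = kms
        self.attached = {}  # volume_id -> plaintext data key

    def attach(self, vol: EbsVolume) -> None:
        # Steps 5-7: grant, then Decrypt the wrapped key stored with the volume.
        self.kms.create_grant("ec2", vol.kms_key_id)
        self.attached[vol.volume_id] = self.kms.decrypt(
            "ec2", vol.kms_key_id, vol.encrypted_data_key)

    def read(self, vol: EbsVolume) -> bytes:
        # Step 8: disk I/O is decrypted with the in-memory key.
        return _keystream_xor(self.attached[vol.volume_id], vol.nonce, vol.ciphertext)

    def detach(self, vol: EbsVolume) -> None:
        # The plaintext key is dropped from memory when the volume is detached.
        del self.attached[vol.volume_id]


def demo(snapshot: bytes = b"unencrypted snapshot contents") -> bytes:
    """Run the whole flow and return what the instance reads back."""
    kms = ToyKms()
    key_id = kms.create_key("example-kms-key-id")  # constructed placeholder id
    vol = create_encrypted_volume_from_snapshot(kms, key_id, snapshot)
    hv = Hypervisor(kms)
    hv.attach(vol)
    data = hv.read(vol)
    hv.detach(vol)
    return data


if __name__ == "__main__":
    print(demo())
```

The point to notice is what each party holds: the volume metadata carries only `encrypted_data_key`, so a copy of the volume without a grant on the KMS key is unreadable, and the hypervisor's plaintext key disappears on detach. Revoking the grant or disabling the KMS key therefore blocks future attaches, which is the control this flow gives a defender.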