
Replacing unencrypted EBS volumes with encrypted ones on the running EC2 instances

0

Hi Team, we have received Shepherd risks for using unencrypted EBS volumes in the EC2 instances. Now to resolve this issue, I am creating a snapshot of the existing EBS volumes and trying to create an encrypted volume from that snapshot. While creating a new volume, it shows a success message that the volume is created but when I click on the volume link, it says volume doesn't exist.

Attaching ss for reference.

Success message Error Message

asked a year ago · 474 views
2 Answers
2

This could be because your KMS Key doesn't have the correct Policy or you do not have IAM permissions to the KMS Key.

https://repost.aws/knowledge-center/ebs-volume-does-not-exist

EXPERT
answered a year ago
EXPERT
reviewed a year ago
EXPERT
reviewed a year ago
  • This is likely the correct answer. EC2 will say a CreateVolume operation is successful even when KMS access is missing, but the volume will never appear. CloudTrail in the region will show the KMS operations that are failing with an access denied error.
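The CloudTrail check described in the comment above, as an added example that is not part of the original answers: it pairs `CreateVolume` calls that returned no error with KMS access-denied events from the same principal shortly afterwards. The records are constructed sample data, and matching on the caller ARN within a five-minute window is an assumption of this sketch.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail records, trimmed to the fields used below (not real log data).
USER = "arn:aws:iam::111122223333:user/example-admin"
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVolume", "userIdentity": {"arn": USER},
     "requestParameters": {"snapshotId": "snap-EXAMPLE", "encrypted": True},
     "responseElements": {"volumeId": "vol-EXAMPLE1"}},
    {"eventTime": "2024-01-01T10:00:02Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKeyWithoutPlaintext", "errorCode": "AccessDenied",
     "userIdentity": {"arn": USER}, "resources": [{"ARN": KEY}]},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVolume", "userIdentity": {"arn": USER},
     "requestParameters": {"encrypted": True},
     "responseElements": {"volumeId": "vol-EXAMPLE2"}},
    {"eventTime": "2024-01-01T11:00:01Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKeyWithoutPlaintext",
     "userIdentity": {"arn": USER}, "resources": [{"ARN": KEY}]},
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def kms_denials(events):
    """KMS calls that CloudTrail recorded with an access-denied error code."""
    return [e for e in events
            if e.get("eventSource") == "kms.amazonaws.com"
            and "AccessDenied" in e.get("errorCode", "")]

def phantom_volumes(events, window=timedelta(minutes=5)):
    """Pair each error-free CreateVolume with KMS denials for the same principal
    inside `window`; those volume IDs are the ones likely to never appear."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("ec2.amazonaws.com", "CreateVolume"):
            continue
        if "errorCode" in ev:  # EC2 itself rejected the call; not the silent case
            continue
        who = ev.get("userIdentity", {}).get("arn")
        for d in kms_denials(events):
            gap = _ts(d) - _ts(ev)
            if d.get("userIdentity", {}).get("arn") == who and timedelta(0) <= gap <= window:
                keys = [r.get("ARN") for r in d.get("resources") or []]
                findings.append({"volumeId": (ev.get("responseElements") or {}).get("volumeId"),
                                 "principal": who, "kmsCall": d["eventName"], "keys": keys})
    return findings

if __name__ == "__main__":
    print(phantom_volumes(SAMPLE_EVENTS))
```

Each finding names the KMS action and key ARN that was denied, which is what the key policy or the caller's IAM policy needs to allow.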

2

Hi,

Did you copy the (unencrypted) snapshot to an encrypted copy before creating an encrypted volume from the encrypted snapshot?

You can follow this guide: https://medium.com/@kuldeepkumawat195/how-to-encrypt-an-existing-unencrypted-ec2-ebs-volume-280069e1be8f

Please also consider enabling default encryption for EBS volumes in the future; it's a region-specific setting: https://docs.aws.amazon.com/ebs/latest/userguide/encryption-by-default.html

EXPERT
answered a year ago
EXPERT
reviewed a year ago
