Paul Duvall edited this page Jan 29, 2020 · 11 revisions

5.1 Enable Encryption at rest for EBS, RDS, DynamoDB, and S3 in Console

Review and ensure that you have set up your development environment before going through the steps below.

Solution Architecture

Enable Volume Encryption in EBS

  1. Go to the EC2 Console.
  2. Click on Volumes.
  3. Click the Create Volume button.
  4. Select the Encrypt this volume checkbox.
  5. Enter (default) aws/ebs in the Master Key field.
  6. Click the Add Tag button.
  7. Enter Name in the Key field and encrypted in the Value field.
  8. Click the Create Volume button.
  9. Select the checkbox next to the EBS volume you just created and click on the Actions button. Then, click on Attach Volume from the menu.
  10. Search for an available EC2 instance in the Instance field.
  11. Click the Attach button.
  12. Verify the instance is attached under the Attachment Information column for the volume.

Enable Encryption for an RDS database

  1. Go to the RDS Console.
  2. Click on Databases.
  3. Click the Create Database button.
  4. Click on Additional configuration.
  5. Ensure that the Enable Encryption checkbox is selected in the Encryption section.
  6. Click the Create database button.

Enable Encryption for a DynamoDB table

  1. Go to the DynamoDB Console.
  2. Click on Tables.
  3. Click the Create table button.
  4. Under the Table settings section, select the Use default settings checkbox.
  5. Under the Encryption At Rest section, click on the KMS radio button.
  6. Click the Create button.

Enable Encryption for an S3 Bucket

  1. Go to the S3 Console.
  2. Click the Create bucket button.
  3. Enter ceoa-5-s3-ACCOUNTID in the Bucket name field. Replace ACCOUNTID with the results of the following command: aws sts get-caller-identity --output text --query 'Account'. Click the Next button.
  4. On the Configure options page, click the Automatically encrypt objects when they are stored in S3 checkbox in the Default encryption section. Then, choose the AWS-KMS radio button.
  5. Enter a key name. Then click the Next button.
  6. Leave the defaults on the Set permissions page and click the Next button.
  7. Click the Create bucket button.

AWS Managed or Customer Managed Keys

To determine whether a key is AWS managed or customer managed, run the following from the command line:

aws kms list-aliases
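As an added example (not part of this wiki page), the checks below verify the four settings configured above and interpret the `aws kms list-aliases` output. They work offline on constructed sample documents whose shape matches the JSON output of `aws kms list-aliases`, `aws ec2 describe-volumes`, `aws rds describe-db-instances`, `aws dynamodb describe-table` and `aws s3api get-bucket-encryption`; the IDs and names in the samples are hypothetical.

```python
# Constructed sample documents (hypothetical IDs); real ones come from the CLI
# commands named in the lead-in, run with --output json.
KMS_ALIASES = {"Aliases": [
    {"AliasName": "alias/aws/ebs", "TargetKeyId": "11111111-0000-4000-8000-000000000001"},
    {"AliasName": "alias/ceoa-5-s3", "TargetKeyId": "22222222-0000-4000-8000-000000000002"}]}
EBS_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaaa1111example", "Encrypted": True},
    {"VolumeId": "vol-0bbbb2222example", "Encrypted": False}]}
RDS_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "ceoa-5-rds", "StorageEncrypted": False}]}
DDB_TABLE = {"Table": {"TableName": "ceoa-5-table",
    "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS"}}}
S3_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}


def classify_aliases(aliases):
    """Map alias name -> 'aws-managed' or 'customer-managed'.
    Aliases under the reserved alias/aws/ prefix point at AWS managed keys."""
    return {a["AliasName"]: "aws-managed" if a["AliasName"].startswith("alias/aws/")
            else "customer-managed" for a in aliases["Aliases"]}


def unencrypted_volumes(volumes):
    """EBS volume IDs whose Encrypted flag is missing or false."""
    return [v["VolumeId"] for v in volumes["Volumes"] if not v.get("Encrypted")]


def unencrypted_db_instances(instances):
    """RDS instance identifiers without StorageEncrypted."""
    return [d["DBInstanceIdentifier"] for d in instances["DBInstances"]
            if not d.get("StorageEncrypted")]


def dynamodb_uses_kms(table):
    """True when the table reports KMS-backed SSE; a table on the default
    AWS owned key returns no SSEDescription at all, so .get() covers that."""
    sse = table["Table"].get("SSEDescription", {})
    return sse.get("Status") == "ENABLED" and sse.get("SSEType") == "KMS"


def s3_default_encryption_uses_kms(config):
    """True when a default-encryption rule selects aws:kms (not AES256 / SSE-S3)."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               == "aws:kms" for r in rules)
```

Feed each function the parsed output of the corresponding CLI command to audit a real account; a non-empty list from the EBS or RDS checks, or `False` from the DynamoDB or S3 checks, means the step above was not completed.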
