How to automate EBS encryption with Elastic Beanstalk

Problem description

I am looking to encrypt my root EBS volumes for new EC2 environments that I create. I know that I can do this from the AWS console and from CloudFormation, but would like to be able to do so via an Elastic Beanstalk config file.

I have tried by setting the EBS volume in the launch configuration, however this only creates additional volumes from the root volume:

Type: AWS::AutoScaling::LaunchConfiguration
Properties:
  BlockDeviceMappings: [ { DeviceName: "/dev/sdf1", Ebs: { Encrypted: true, VolumeSize: 8, VolumeType: gp2 } } ]

I have also tried to create a new EBS volume on environment creation, however I am unsure how to dynamically get the EC2 instance's logical name (I used MyEC2 here for reference):

Type: AWS::EC2::Volume
Properties:
  AutoEnableIO: true
  AvailabilityZone: { "Fn::GetAtt" : [ "MyEC2", "AvailabilityZone" ] }
  Encrypted: true
  KmsKeyId: mykey
  Size: 8
  VolumeType: gp2

Essentially I need to be able to create a new environment with an encrypted root volume. Any help would be greatly appreciated!

Recommended answer

As of May 23, 2019, you can Opt-in to Default Encryption for New EBS Volumes. Both EBS's (root/docker data) were encrypted on launch. This feature needs to be enabled per region.

Test setup

Platform Version and Solution Stack Name: Single Container Docker 18.06 version 2.12.11

AWS Console

EC2 Console > Settings > Always encrypt new EBS volumes

AWS CLI

Upgrade awscli first

pip install awscli --upgrade

Enable

aws ec2 enable-ebs-encryption-by-default --region us-east-1
{
    "EbsEncryptionByDefault": true
}

Disable

aws ec2 disable-ebs-encryption-by-default --region us-east-1
{
    "EbsEncryptionByDefault": false
}

Get status

aws ec2 get-ebs-encryption-by-default --region us-east-1
{
    "EbsEncryptionByDefault": false
}

https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/
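
Because the setting is per region, the following added example (not part of the original answer) reports the default-encryption state of every region and, in `fix` mode, enables it where it is off and re-reads the state to confirm. It assumes a configured AWS CLI allowed to call `ec2:DescribeRegions`, `ec2:GetEbsEncryptionByDefault` and `ec2:EnableEbsEncryptionByDefault`; the function names and the `audit`/`fix` modes are hypothetical.

```shell
#!/bin/sh
# Added example: audit (and optionally enable) EBS encryption by default in
# every region. Function names are illustrative, not from the original answer.

# Print the region names enabled for this account (whitespace separated).
list_regions() {
    aws ec2 describe-regions --query 'Regions[].RegionName' --output text
}

# Print "true" or "false" for one region. The CLI's text output renders the
# boolean as True/False, so normalise it to lower case.
ebs_default_state() {
    aws ec2 get-ebs-encryption-by-default --region "$1" \
        --query 'EbsEncryptionByDefault' --output text | tr '[:upper:]' '[:lower:]'
}

# audit_ebs_default [--fix]
# Prints "<region> <state>" per region. Returns 1 if any region still has
# default encryption off when the function finishes.
audit_ebs_default() {
    fix=${1:-}
    rc=0
    for region in $(list_regions); do
        state=$(ebs_default_state "$region")
        if [ "$state" != "true" ] && [ "$fix" = "--fix" ]; then
            aws ec2 enable-ebs-encryption-by-default --region "$region" >/dev/null
            # Re-read the setting instead of trusting the enable call.
            state=$(ebs_default_state "$region")
        fi
        [ "$state" = "true" ] || rc=1
        echo "$region $state"
    done
    return "$rc"
}

# Runs only when a mode is given:  sh ebs-default.sh audit | fix
case "${1:-}" in
    audit) audit_ebs_default ;;
    fix)   audit_ebs_default --fix ;;
esac
```

The setting applies only to volumes created after it is enabled; existing volumes keep their current encryption state. The non-zero exit from `audit` makes the script usable as a scheduled compliance check.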
