问题描述
我正在为我创建的新EC2环境加密我的根EBS卷。我知道我可以从AWS控制台和CloudFormation做到这一点,但希望能够通过Elastic Beanstalk配置文件来做到这一点。
I am looking to encrypt my root EBS volumes for new EC2 environments that I create. I know that I can do this from the AWS console and from CloudFormation, but would like to be able to do so via an Elastic Beanstalk config file.
在启动配置中设置EBS卷,但这只会从根卷创建其他卷:
I have tried by setting the EBS volume in the launch configuration, however this only creates additional volumes from the root volume:
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
BlockDeviceMappings: [ DeviceName: "/dev/sdf1", Ebs: { Encrypted: true, VolumeSize: 8, VolumeType: gp2}]
我也曾尝试在创建环境时创建一个新的EBS卷,但是我不确定如何动态获取EC2实例的逻辑名( MyEC2在这里供参考):
I have also tried to create a new EBS volume on environment creation, however I am unsure how to dynamically get the EC2 instance's logical name (I used MyEC2 here for reference):
Type: AWS::EC2::Volume
Properties:
AutoEnableIO: true
AvailabilityZone: { "Fn::GetAtt" : [ "MyEC2", "AvailabilityZone" ] }
Encrypted: true
KmsKeyId: mykey
Size: 8
VolumeType: gp2
E基本上,我需要能够使用加密的根卷创建一个新环境。
Essentially I need to be able to create a new environment with an encrypted root volume. Any help would be greatly appreciated!
推荐答案
截至2019年5月23日,您可以选择加入默认加密适用于新的EBS卷。这两个EBS(根/ docker数据)在启动时均已加密。
As of May 23, 2019, you can Opt-in to Default Encryption for New EBS Volumes. Both EBS's (root/docker data) were encrypted on launch. This feature needs to be enabled per region.
测试设置
平台版本和解决方案堆栈名称:单容器Docker 18.06版本2.12.11
Platform Version and Solution Stack Name: Single Container Docker 18.06 version 2.12.11
AWS控制台
EC2控制台>设置>始终加密新的EBS卷
AWS CLI
先升级awscli
pip install awscli --upgrade
启用
aws ec2 enable-ebs-encryption-by-default --region us-east-1
{
"EbsEncryptionByDefault": true
}
禁用
aws ec2 disable-ebs-encryption-by-default --region us-east-1
{
"EbsEncryptionByDefault": false
}
获取状态
aws ec2 get-ebs-encryption-by-default --region us-east-1
{
"EbsEncryptionByDefault": false
}
这篇关于如何使用Elastic Beanstalk自动执行EBS加密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!