There is not much to dispute about the importance of encrypting data.
Elastic Block Store (EBS) encryption offers a way to encrypt EBS volumes, i.e. machine “disks”. Data residing on an encrypted EBS volume is encrypted at rest, while moving between the volume and the instance, and when stored in a volume snapshot.
However, unlike for other services such as S3 (Server-Side Encryption: SSE-S3, SSE-KMS, SSE-C) or Redshift (clusters immutably encrypted on demand at node launch), AWS does not provide any guidelines on how to create a base AMI with all of its EBS volumes encrypted. This article describes the solution we have implemented at Sequra.