Feature Request: Update block_device_mappings to support encrypted Volume #471
Comments
I would suggest you turn on the EBS encryption by default for your account.

Is there any other workaround? I turned on the EBS encryption by default, but it is still not working.

@e-moshaya @yassineselmi is this still occurring?

Yes, this is still an issue.
Sorry you've seen nothing here, I had to look into this for a customer and then found the GitHub issue, so I wasn't aware. But I have some good news. We do support encryption in the block_device_mappings. It's just not documented. We actually just build the hash from the kitchen.yml driver config data and then forward that along to the resource.create_instances method in the aws-sdk-ec2 driver, so you can use any parameter that's listed in the ebsBlockDevice documentation:

```ruby
{
  block_device_mappings: [
    {
      device_name: "String",
      virtual_name: "String",
      ebs: {
        delete_on_termination: false,
        iops: 1,
        snapshot_id: "SnapshotId",
        volume_size: 1,
        volume_type: "standard", # accepts standard, io1, io2, gp2, sc1, st1, gp3
        kms_key_id: "String",
        throughput: 1,
        outpost_arn: "String",
        encrypted: false,
      },
      no_device: "String",
    },
  ]
}
```

That said, we do not automatically detect and enforce root drive encryption settings from the AMI, and the sdk (I BELIEVE) defaults to requesting unencrypted root values. In order to encrypt the root drive of an instance, you need to create a block device mapping specifically for it:

```yaml
block_device_mappings:
  - device_name: /dev/sda1
    ebs:
      volume_size: 20
      delete_on_termination: true
      encrypted: true
```

From what I've seen, the root device is usually
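As an added example (not code from the issue or from kitchen-ec2), a small Ruby check over a kitchen.yml driver section: it reports mappings that would be created without encryption, including the case the comment above calls out where the root device has no mapping at all, and a helper that sets encrypted: true (plus an optional kms_key_id) on each mapping. The root device name /dev/sda1, the 20 GiB root size and the sample YAML are assumptions for the example.

```ruby
require 'yaml'

# Constructed kitchen.yml driver fragment for this example (not from the
# issue): the root device is mapped and encrypted, /dev/sdf is not.
KITCHEN_YML = <<~YAML
  driver:
    name: ec2
    block_device_mappings:
      - device_name: /dev/sda1
        ebs:
          volume_size: 20
          delete_on_termination: true
          encrypted: true
      - device_name: /dev/sdf
        ebs:
          volume_size: 100
          volume_type: gp3
YAML

# Lists mappings that would be created unencrypted. root_device is the AMI's
# root device name (assumed /dev/sda1); a root device with no mapping at all
# gets no encryption setting from the driver, as the comment above notes.
def unencrypted_ebs_findings(driver_config, root_device: '/dev/sda1')
  mappings = driver_config['block_device_mappings'] || []
  findings = []
  unless mappings.any? { |m| m['device_name'] == root_device }
    findings << "#{root_device}: no block_device_mapping, root volume unencrypted"
  end
  mappings.each do |m|
    ebs = m['ebs'] || {}
    next if ebs['encrypted'] == true # must be the YAML boolean, not "true"
    findings << "#{m['device_name']}: ebs.encrypted is #{ebs['encrypted'].inspect}"
  end
  findings
end

# Returns a deep copy with encrypted: true (and an optional kms_key_id) on
# every mapping, adding a root mapping of root_size GiB if none exists.
def enforce_ebs_encryption(driver_config, root_device: '/dev/sda1', root_size: 20, kms_key_id: nil)
  config = Marshal.load(Marshal.dump(driver_config))
  mappings = (config['block_device_mappings'] ||= [])
  unless mappings.any? { |m| m['device_name'] == root_device }
    mappings << { 'device_name' => root_device,
                  'ebs' => { 'volume_size' => root_size, 'delete_on_termination' => true } }
  end
  mappings.each do |m|
    ebs = (m['ebs'] ||= {})
    ebs['encrypted'] = true
    ebs['kms_key_id'] = kms_key_id if kms_key_id
  end
  config
end
```

Run it against your own file with `YAML.safe_load(File.read('kitchen.yml'))['driver']`; an empty findings list means every mapping, root included, requests an encrypted volume.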
We have Security Hub/Config reporting non-compliant use of non-encrypted EBS volumes. Please can we update this to support EBS encryption in the block_device_mappings?