Create a cluster with encrypted EBS volumes
EBS encryption can be configured on the Hardware and Storage page of the advanced create cluster wizard.
The Encryption configuration option is available per host group. The default setting is Encryption: Not encrypted. To enable encryption for a given host group:
- Under Instance Type you can see “Encryption Supported” next to all instance types for which encryption is supported. Ensure that encryption is supported for the instance type that you would like to use.
- Click on the
icon next to the chosen host group. - Under Encryption key, select the encryption key that you would like to use:
- To use the default encryption key, select "Default" from the dropdown.
- To use a custom key, select it from the dropdown.
Note that when encryption option is selected, the cluster creation process takes a few minutes longer than usual.
Once the cluster is running, you can confirm that encryption is enabled by navigating to cluster details > Hardware tab. The Key ID of the encryption key is also displayed with a link redirecting you to the AWS IAM console. Furthermore, if in the EC2 console on AWS you navigate to details of the block devices or root devices, you can see that the device is marked as “Encrypted” and the “KMS Key ARN” is listed.