EBS encryption on AWS
Cloudbreak allows you to configure encryption for Amazon Elastic Block Store (EBS) volumes used by the cluster's VM instances to store data. Refer to this section if you would like to encrypt EBS volumes used for clusters running on AWS.
Amazon's Key Management System (KMS) or external KMS generated keys can be used.
Since an encryption key must be specified for each host group, it is possible to either have one encryption key for multiple host groups or to have a separate encryption key for each host group. Once enabled, encryption is configured for the following disk types:
- Block devices
- Root devices
Once the encryption is configured for a given host group, it is automatically applied to any new devices added as a result of cluster scaling.
Overview of configuring EBS encryption
In order to configure EBS encryption:
- Your Cloudbreak credential must have the minimum access permissions.
- Your encryption key must fulfill the following criteria:
- It must be located in the same region where you would like to create clusters with encrypted volumes.
- Your IAM user (if using role-based credential) or IAM role (if using key-based credential) must be assigned to the encryption key as both key administrator and key user.
- The AWSServiceRoleForAutoScaling built-in role must be assigned to the encryption key as both key administrator and key user.
- When creating a cluster, you must explicitly select an existing encryption key for each host group on which you would like to configure EBS volume encryption.
These requirements are described in the sections listed below.