ENCRYPTION
RDS (DATABASES)
Databases usually hold data that matters both legally (personal or regulated records) and to the business, so every instance should be encrypted at rest.
When RDS encryption is enabled, the data on the instance's underlying storage, its automated backups, read replicas and snapshots are all encrypted with an AWS KMS key.
This option can only be set when the DB instance is created; an existing unencrypted instance cannot be switched to encrypted in place. The supported workaround is to take a snapshot, copy it with a KMS key (copy-db-snapshot --kms-key-id produces an encrypted copy) and restore a new instance from the encrypted copy, then move the application over.
Query:
aws rds describe-db-instances --db-instance-identifier mydb --query "*[].{StorageEncrypted:StorageEncrypted}" --output text
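The snapshot-copy-restore path described above, written out as a script. This is an added example and not part of the original page: the instance name mydb, the KMS key ARN and the -enc/-unenc naming are placeholders, the DRY_RUN variable is this script's own convention for printing the plan instead of executing it, and the aws calls are the documented RDS CLI commands.

```shell
#!/bin/sh
# Added example (not from the original page): encrypt an existing, unencrypted
# RDS instance. RDS cannot switch encryption on in place, but an unencrypted
# snapshot can be copied with a KMS key, and an instance restored from the
# encrypted copy is itself encrypted. Instance and key names are placeholders.
set -eu

# DRY_RUN=1 writes each aws call to stderr instead of running it, so the plan
# can be reviewed before it touches anything.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*" >&2; else "$@"; fi
}

# Print "True" or "False" for the instance's StorageEncrypted attribute.
rds_storage_encrypted() {
    run aws rds describe-db-instances --db-instance-identifier "$1" \
        --query 'DBInstances[0].StorageEncrypted' --output text
}

# encrypt_rds_instance <instance-id> <kms-key-arn>
# The original keeps running; the encrypted copy is <instance-id>-enc. Cutting
# the application over (endpoint swap, or a rename with modify-db-instance
# --new-db-instance-identifier) is left as a deliberate manual step.
encrypt_rds_instance() {
    src="$1"; key="$2"
    snap="$src-unenc-$(date +%Y%m%d%H%M%S)"
    if [ "$(rds_storage_encrypted "$src")" = "True" ]; then
        echo "$src is already encrypted" >&2
        return 0
    fi
    run aws rds create-db-snapshot --db-instance-identifier "$src" \
        --db-snapshot-identifier "$snap"
    run aws rds wait db-snapshot-available --db-snapshot-identifier "$snap"
    # The copy is where encryption is applied: --kms-key-id on copy-db-snapshot.
    run aws rds copy-db-snapshot --source-db-snapshot-identifier "$snap" \
        --target-db-snapshot-identifier "$snap-enc" --kms-key-id "$key"
    run aws rds wait db-snapshot-available --db-snapshot-identifier "$snap-enc"
    run aws rds restore-db-instance-from-db-snapshot \
        --db-instance-identifier "$src-enc" --db-snapshot-identifier "$snap-enc"
    run aws rds wait db-instance-available --db-instance-identifier "$src-enc"
    # Prove the result before anyone points an application at it.
    enc=$(rds_storage_encrypted "$src-enc")
    if [ "${DRY_RUN:-0}" != 1 ] && [ "$enc" != "True" ]; then
        echo "$src-enc is NOT encrypted, stopping" >&2
        return 1
    fi
    echo "$src-enc restored from encrypted snapshot $snap-enc"
}

# usage: sh rds-encrypt.sh <instance-id> <kms-key-arn>   (DRY_RUN=1 to preview)
if [ "$#" -ge 2 ]; then
    encrypt_rds_instance "$1" "$2"
fi
```

Note that restore-db-instance-from-db-snapshot does not carry over the source's VPC security groups, DB subnet group, parameter group or option group unless you pass them explicitly (--vpc-security-group-ids, --db-subnet-group-name, --db-parameter-group-name, --option-group-name); add those flags to the restore call to match the original instance, and keep the unencrypted snapshot only as long as the cut-over needs it.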
EFS (SERVERLESS FILE STORAGE)
Amazon Elastic File System (EFS) is a managed NFS file system that grows and shrinks automatically as files are added and removed, with no capacity to provision.
As with RDS, encryption at rest is fixed when the file system is created: an existing unencrypted EFS cannot be switched to encrypted afterwards. You have to create a new file system with encryption enabled and move the data from the old one to the new one.
One way to do that is to mount the new (encrypted) file system next to the old (unencrypted) one on an EC2 instance, copy the data with rsync, and then repoint the clients. Encryption in transit is a separate, per-mount setting (the -o tls option of the EFS mount helper) and is not covered by the at-rest flag.
Queries:
Create the key:
aws kms create-key --description "EFS encryption at rest" --query KeyMetadata.Arn --output text
Create the file system with this key (the --encrypted flag can only be given at creation; there is no API to add it to an existing file system):
aws efs create-file-system --creation-token <unique-token> --encrypted --kms-key-id <kms-key-arn>
Check:
aws efs describe-file-systems --file-system-id <filesystem-id> --query 'FileSystems[*].[Encrypted,KmsKeyId]'
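The migration described above (create an encrypted file system, mount both, rsync, verify) as one script. This is an added example and not the page's own procedure: it assumes it runs as root on an EC2 host in the same VPC with the NFS client installed and a security group that allows TCP 2049 from that host; the file system, key, subnet and security group IDs and the /mnt/efs-old and /mnt/efs-new paths are placeholders, and DRY_RUN is this script's own preview convention.

```shell
#!/bin/sh
# Added example, not from the original page: move data from an unencrypted EFS
# file system to a new encrypted one (create -> mount target -> mount both ->
# rsync -> verify). Assumes root on an EC2 host in the same VPC with the NFS
# client installed and a security group allowing TCP 2049 from the host. File
# system, key, subnet and security group IDs are placeholders.
set -eu

# DRY_RUN=1 writes the plan to stderr instead of executing anything.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*" >&2; else "$@"; fi
}

# Poll an EFS describe call until it reports "available" (EFS has no CLI waiters).
wait_available() {          # <jmespath> <describe-subcommand and its args...>
    q="$1"; shift
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    while [ "$(aws efs "$@" --query "$q" --output text)" != "available" ]; do
        sleep 5
    done
}

# Confirm the new file system is encrypted with the intended key, not just "some" key.
efs_check_key() {           # <fs-id> <kms-key-arn>
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    enc=$(aws efs describe-file-systems --file-system-id "$1" --query 'FileSystems[0].Encrypted' --output text)
    key=$(aws efs describe-file-systems --file-system-id "$1" --query 'FileSystems[0].KmsKeyId' --output text)
    [ "$enc" = "True" ] && [ "$key" = "$2" ]
}

# efs_migrate <old-fs-id> <kms-key-arn> <subnet-id> <security-group-id> <region>
efs_migrate() {
    old="$1"; key="$2"; subnet="$3"; sg="$4"; region="$5"
    # Encryption is decided here and only here; --creation-token makes the call idempotent.
    new=$(run aws efs create-file-system --creation-token "$old-encrypted" \
            --encrypted --kms-key-id "$key" --tags "Key=Name,Value=$old-encrypted" \
            --query FileSystemId --output text)
    [ "${DRY_RUN:-0}" = 1 ] && new="fs-dryrun"
    wait_available 'FileSystems[0].LifeCycleState' describe-file-systems --file-system-id "$new"
    efs_check_key "$new" "$key" || { echo "$new is not encrypted with $key" >&2; return 1; }

    run aws efs create-mount-target --file-system-id "$new" --subnet-id "$subnet" --security-groups "$sg"
    wait_available 'MountTargets[0].LifeCycleState' describe-mount-targets --file-system-id "$new"

    run mkdir -p /mnt/efs-old /mnt/efs-new
    opts="nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport"
    run mount -t nfs4 -o "$opts" "$old.efs.$region.amazonaws.com:/" /mnt/efs-old
    run mount -t nfs4 -o "$opts" "$new.efs.$region.amazonaws.com:/" /mnt/efs-new

    # -a keeps ownership, permissions and timestamps, -H preserves hard links and
    # --numeric-ids avoids remapping uids that do not exist on this host. Run once
    # while the old file system is live, then again after stopping writers.
    run rsync -aH --numeric-ids --delete /mnt/efs-old/ /mnt/efs-new/
    run rsync -aH --numeric-ids --delete /mnt/efs-old/ /mnt/efs-new/
    # A checksum dry run must print nothing if the two trees match.
    run rsync -aHc --dry-run --itemize-changes /mnt/efs-old/ /mnt/efs-new/
    echo "$old copied to encrypted file system $new"
}

# usage: sh efs-migrate.sh <old-fs-id> <kms-key-arn> <subnet-id> <sg-id> <region>
if [ "$#" -ge 5 ]; then
    efs_migrate "$1" "$2" "$3" "$4" "$5"
fi
```

The script creates a single mount target; a production file system usually needs one per availability zone the clients live in, so repeat the create-mount-target call for each subnet before switching clients over. Plain NFSv4.1 mounts as above carry data in clear text inside the VPC; mount with the EFS mount helper and -o tls if transit encryption is also required.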
EBS (BLOCK STORAGE)
Amazon Elastic Block Store (EBS) provides the persistent block volumes (root and data disks) attached to EC2 instances.
As with the previous two services, encryption should be enabled on EBS volumes. The simplest control is to turn on encryption by default, which makes every new volume and snapshot in that region encrypted (with the AWS managed aws/ebs key unless you set a customer managed key with modify-ebs-default-kms-key-id). The setting is per account and per region, so it must be applied in every region you use, and it does not touch existing volumes: those have to be re-created from a snapshot copied with --encrypted and then swapped in.
Command (repeat for each region):
aws --region <region> ec2 enable-ebs-encryption-by-default
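Because the default is per region and leaves existing volumes alone, a single enable call is not the whole job. The script below is an added example, not part of the original page: it enables the default in every region given on the command line, reads the setting back, and lists the volumes that remain unencrypted. The region names in the usage line are placeholders and DRY_RUN is the script's own preview convention; the aws calls are the documented EC2 CLI commands.

```shell
#!/bin/sh
# Added example, not from the original page: turn on EBS encryption by default in
# every region passed on the command line, verify the setting took effect, and
# list the volumes the default does not cover (it only applies to volumes and
# snapshots created afterwards). Region names are placeholders.
set -eu

# DRY_RUN=1 writes the plan to stderr instead of executing anything.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*" >&2; else "$@"; fi
}

# ebs_enforce_default_encryption <region>...
ebs_enforce_default_encryption() {
    for r in "$@"; do
        run aws ec2 enable-ebs-encryption-by-default --region "$r" >/dev/null
        # Optional: pin new volumes to a customer managed key instead of aws/ebs:
        #   run aws ec2 modify-ebs-default-kms-key-id --region "$r" --kms-key-id "$KMS_KEY_ARN"

        # Read the setting back rather than trusting the enable call's output.
        state=$(run aws ec2 get-ebs-encryption-by-default --region "$r" \
                    --query EbsEncryptionByDefault --output text)
        if [ "${DRY_RUN:-0}" != 1 ] && [ "$state" != "True" ]; then
            echo "$r: encryption by default is NOT enabled" >&2
            return 1
        fi

        # Existing volumes are untouched: report the ones still unencrypted so they
        # can be migrated (create-snapshot -> copy-snapshot --encrypted ->
        # create-volume from the encrypted snapshot -> detach/attach).
        echo "## $r: unencrypted volumes (VolumeId Size State InstanceId)"
        run aws ec2 describe-volumes --region "$r" \
            --filters Name=encrypted,Values=false \
            --query 'Volumes[].[VolumeId,Size,State,Attachments[0].InstanceId]' --output text
    done
}

# Typical invocation covers every region enabled for the account:
#   sh ebs-default-encryption.sh $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)
if [ "$#" -ge 1 ]; then
    ebs_enforce_default_encryption "$@"
fi
```

Feeding the output of describe-regions into the script is what makes the control account-wide; a region you forget stays unencrypted by default. The volume list is the backlog for the snapshot-copy migration, and an empty list in every region is the state a reviewer should expect to see.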