
Uly.me

cloud engineer

  • Home
  • About
  • Archives

unencrypted

EFS Encryption

December 3, 2020

If you have an existing EFS that's unencrypted, you can encrypt it by creating a snapshot using AWS Backup, and then restoring the file system to a new EFS with encryption. If you choose to restore to a directory in the same file system, it will not be encrypted. It has to be a new EFS. In addition, you'll be asked to select which encryption key to use. The default key will work, unless you have your own.

Filed Under: Cloud Tagged With: aws, backup, efs, encryption, key, restore, unencrypted

Steps to Encrypt Volumes

March 18, 2019

Here are the steps to encrypt an unencrypted volume.

  1. Take a snapshot of the unencrypted volume.
  2. Make a copy of that snapshot and turn on encryption.
  3. Create a volume of the encrypted snapshot.
  4. Stop the instance.
  5. Detach the original unencrypted volume from the instance.
  6. Attach the newly created encrypted volume to the instance.
  7. Start the instance.

AWS CLI

# CREATE A SNAPSHOT
aws ec2 create-snapshot \
--volume-id vol-1234567890abcdef0 \
--description "This is my snapshot"

# COPY SNAPSHOT WITH ENCRYPTION TURNED ON
# --encrypted uses the default EBS key unless --kms-key-id is also given
aws ec2 copy-snapshot \
--source-region us-west-2 --source-snapshot-id snap-066877671789bd71b \
--region us-east-1 --encrypted --description "This is my copied snapshot."

# CREATE A VOLUME
# pass the SnapshotId returned by copy-snapshot (placeholder variable),
# in the same availability zone as the instance
aws ec2 create-volume \
--region us-east-1 --availability-zone us-east-1a \
--snapshot-id "$ENCRYPTED_SNAPSHOT_ID" --volume-type io1 --iops 1000

# STOP AN INSTANCE
aws ec2 stop-instances --instance-ids i-1234567890abcdef0

# DETACH A VOLUME (the original unencrypted volume)
aws ec2 detach-volume --volume-id vol-1234567890abcdef0

# ATTACH A VOLUME
# pass the VolumeId returned by create-volume (placeholder variable)
aws ec2 attach-volume --volume-id "$ENCRYPTED_VOLUME_ID" \
--instance-id i-1234567890abcdef0 --device /dev/sdf

# START AN INSTANCE
aws ec2 start-instances --instance-ids i-1234567890abcdef0
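
The same seven steps chained into one function, as an added example that is not part of the original post: each ID is captured from the previous command, the CLI waiters are used between steps, and the new volume is confirmed encrypted before the instance is stopped. The function name `encrypt_volume` and the `ev_*` variables are hypothetical; it assumes a configured AWS CLI and that the volume and instance are in the same region.

```shell
#!/bin/sh
# Added example, not the post's own code. Usage:
#   encrypt_volume VOLUME_ID INSTANCE_ID DEVICE REGION
# DEVICE is the name the original volume is attached as, e.g. /dev/sdf.
encrypt_volume() {
    ev_vol=$1 ev_inst=$2 ev_dev=$3 ev_region=$4
    ec2() { aws ec2 "$@" --region "$ev_region" --output text; }

    # Only act on an unencrypted volume; the replacement must share its AZ.
    ev_info=$(ec2 describe-volumes --volume-ids "$ev_vol" \
        --query 'Volumes[0].[Encrypted,AvailabilityZone]') || return 1
    set -- $ev_info
    [ "$1" = "False" ] || { echo "$ev_vol: Encrypted=${1:-unknown}" >&2; return 2; }
    ev_az=$2

    # Steps 1-2: snapshot, then a copy with encryption turned on
    # (default key; add --kms-key-id to copy-snapshot for your own key).
    ev_snap=$(ec2 create-snapshot --volume-id "$ev_vol" \
        --description "pre-encryption copy of $ev_vol" --query SnapshotId) || return 1
    ec2 wait snapshot-completed --snapshot-ids "$ev_snap" || return 1
    ev_enc_snap=$(ec2 copy-snapshot --source-region "$ev_region" \
        --source-snapshot-id "$ev_snap" --encrypted --query SnapshotId) || return 1
    ec2 wait snapshot-completed --snapshot-ids "$ev_enc_snap" || return 1

    # Step 3: new volume (default type; add --volume-type/--iops to match the
    # original). Confirm it is encrypted before touching the instance.
    ev_new=$(ec2 create-volume --availability-zone "$ev_az" \
        --snapshot-id "$ev_enc_snap" --query VolumeId) || return 1
    ec2 wait volume-available --volume-ids "$ev_new" || return 1
    ev_chk=$(ec2 describe-volumes --volume-ids "$ev_new" \
        --query 'Volumes[0].Encrypted') || return 1
    [ "$ev_chk" = "True" ] || return 3

    # Steps 4-7: stop, detach the old volume, attach the new one, start.
    ec2 stop-instances --instance-ids "$ev_inst" >/dev/null || return 1
    ec2 wait instance-stopped --instance-ids "$ev_inst" || return 1
    ec2 detach-volume --volume-id "$ev_vol" >/dev/null || return 1
    ec2 wait volume-available --volume-ids "$ev_vol" || return 1
    ec2 attach-volume --volume-id "$ev_new" --instance-id "$ev_inst" \
        --device "$ev_dev" >/dev/null || return 1
    ec2 wait volume-in-use --volume-ids "$ev_new" || return 1
    ec2 start-instances --instance-ids "$ev_inst" >/dev/null || return 1
    echo "$ev_new"   # ID of the encrypted replacement volume
}
```

The original volume and both snapshots are left in place, so the swap can be reversed until they are deleted.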


Filed Under: Cloud, Linux Tagged With: encrypted, instance, snapshot, unencrypted, volumes

List of Encrypted Volumes

March 18, 2019

Here’s the AWS CLI to get a list of encrypted or unencrypted volumes.

# list of encrypted volumes
aws ec2 describe-volumes \
--filters Name=encrypted,Values=true \
--region us-east-1 --profile default \
--query "Volumes[*].{ID:VolumeId}" --output text
# list of unencrypted volumes
aws ec2 describe-volumes \
--filters Name=encrypted,Values=false \
--region us-east-1 --profile default \
--query "Volumes[*].{ID:VolumeId}" --output text
# count the list of encrypted volumes. use wc -l to get a count.
aws ec2 describe-volumes \
--filters Name=encrypted,Values=true \
--region us-east-1 --profile default \
--query "Volumes[*].{ID:VolumeId}" --output text | wc -l


Filed Under: Cloud, Linux Tagged With: aws, cli, describe volumes, encrypted, unencrypted


Copyright © 2023