kitchen-ec2

Feature Request: Update block_device_mappings to support encrypted Volume

Open e-moshaya opened this issue 5 years ago • 5 comments

We have security hub/config reporting non compliant use of non-encrypted EBS volumes. Please can we update this to support EBS encryption in the block_device_mappings?

e-moshaya avatar Oct 16 '19 15:10 e-moshaya

I would suggest you turn on the EBS encryption by default for your account.

https://aws.amazon.com/about-aws/whats-new/2019/05/with-a-single-setting-you-can-encrypt-all-new-amazon-ebs-volumes/

bdwyertech avatar Jan 10 '20 02:01 bdwyertech

Is there any other workaround? I turned on the EBS encryption by default, but it is still not working.

yassineselmi avatar Jun 29 '20 16:06 yassineselmi

@e-moshaya @yassineselmi is this still occurring?

marcparadise avatar Feb 10 '21 18:02 marcparadise

Yes, this is still an issue

e-moshaya avatar Feb 10 '21 18:02 e-moshaya

@e-moshaya @yassineselmi.

Sorry you've seen nothing here, I had to look into this for a customer and then found the github issue, so I wasn't aware. But I have some good news.

We do support encryption in the block_device_mappings. It's just not documented.

We actually just build the hash from the kitchen.yml driver config data and then forward that along to the resource.create_instances method in the aws-sdk-ec2 driver, so you can use any parameter that's listed in the ebsBlockDevice documentation:

{
  block_device_mappings: [
    {
      device_name: "String",
      virtual_name: "String",
      ebs: {
        delete_on_termination: false,
        iops: 1,
        snapshot_id: "SnapshotId",
        volume_size: 1,
        volume_type: "standard", # accepts standard, io1, io2, gp2, sc1, st1, gp3
        kms_key_id: "String",
        throughput: 1,
        outpost_arn: "String",
        encrypted: false,
      },
      no_device: "String",
    },
  ]
}

That said, we do not automatically detect and enforce root drive encryption settings from the AMI, and the sdk (I BELIEVE) defaults to requesting unencrypted root values. In order to encrypt the root drive of an instance, you need to create a block device mapping specifically for it:

block_device_mappings:
  - device_name: /dev/sda1
    ebs:
      volume_size: 20
      delete_on_termination: true
      encrypted: true

From what I've seen, the root device is usually /dev/sda1, but you can check that by spinning up an instance and then looking in the portal at the storage tab in the instance summary. That will tell you the device name of the root disk for sure, and you can use that in your driver configuration settings in your kitchen.yml file.

chef-davin avatar Mar 01 '22 19:03 chef-davin
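An added example, not code from kitchen-ec2 or from anyone in this thread, that audits the `driver` section of a kitchen.yml for block device mappings that would request unencrypted EBS volumes and produces a hardened mappings list; the sample kitchen.yml is constructed, and the `/dev/sda1` root device name and `volume_size: 20` follow the comment above as assumptions.

```ruby
require 'yaml'

# Constructed sample kitchen.yml (not from the project): the root volume is
# explicitly mapped and encrypted, a data volume omits `encrypted`, and an
# instance-store mapping has no ebs block at all.
SAMPLE_KITCHEN_YML = <<~YAML
  driver:
    name: ec2
    block_device_mappings:
      - device_name: /dev/sda1
        ebs:
          volume_size: 20
          delete_on_termination: true
          encrypted: true
      - device_name: /dev/sdf
        ebs:
          volume_size: 100
          volume_type: gp3
      - device_name: /dev/sdb
        virtual_name: ephemeral0
YAML

# Returns the block_device_mappings list from the driver section (or [] if absent).
def block_device_mappings(yaml_text)
  YAML.safe_load(yaml_text).fetch('driver', {}).fetch('block_device_mappings', [])
end

# Audits the mappings kitchen-ec2 forwards to the SDK: lists EBS-backed devices
# that do not set encrypted: true (instance-store mappings without an ebs block
# are skipped) and reports whether the root device is mapped at all, since an
# unmapped root falls back to the SDK/AMI default rather than your setting.
def audit_mappings(yaml_text, root_device: '/dev/sda1')
  mappings = block_device_mappings(yaml_text)
  ebs_backed = mappings.select { |m| m.key?('ebs') }
  {
    unencrypted: ebs_backed.reject { |m| m['ebs']['encrypted'] == true }.map { |m| m['device_name'] },
    root_mapped: mappings.any? { |m| m['device_name'] == root_device }
  }
end

# Builds a hardened mappings list: every EBS mapping gets encrypted: true and,
# if the root device is not mapped, a minimal encrypted root mapping is added
# (root_size is a constructed default; match it to the AMI's root volume size).
def enforce_encryption(yaml_text, root_device: '/dev/sda1', root_size: 20)
  mappings = block_device_mappings(yaml_text).map { |m| Marshal.load(Marshal.dump(m)) }
  mappings.each { |m| m['ebs']['encrypted'] = true if m.key?('ebs') }
  unless mappings.any? { |m| m['device_name'] == root_device }
    mappings << { 'device_name' => root_device,
                  'ebs' => { 'volume_size' => root_size, 'delete_on_termination' => true, 'encrypted' => true } }
  end
  mappings
end
```

Running `audit_mappings` over a real kitchen.yml before `kitchen create` surfaces the same finding Security Hub/Config would raise after the volume already exists.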