How to encrypt EBS Snapshot using AWS CLI

Introduction

Elastic Block Storage (EBS) snapshots are snapshots of the volume at a particular moment in time. These snapshots can be shared and recreated into volumes for other instances. AWS provides the provision to share these snapshots with other AWS customers via the “Permissions” tab of the snapshot.

Since a snapshot is equivalent to the EBS volume, an attacker with access to a snapshot can read and gain access to data within the snapshot if it is unencrypted. It is recommended to implement data encryption in order to protect it from attackers or unauthorised users.

In this article we will take a look at how to encrypt an EBS snapshot using AWS CLI.

AWS CLI commands to encrypt EBS snapshot

Following are the AWS CLI commands to encrypt an EBS snapshot:

Run describe snapshots command

aws ec2 describe-snapshots --owner-ids self  --region <region> --query 'Snapshots[]'

Describe snapshot command

Make an encrypted copy of the unencrypted snapshot by running the following command

aws ec2 copy-snapshot --region <region> --source-region <region>  --destination-region <region> --source-snapshot-id <snapshot id> --description <description> --encrypted

Encrypted copy of unencrypted snapshot

Delete the unencrypted snapshot by providing its ID as identifier

aws ec2 delete-snapshot --region <region> --snapshot-id <snapshot id>

Delete unencrypted snapshot

Riyaz Walikar

Founder & Chief of R&D

Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.

•• See all posts

Riyaz Walikar

Founder & Chief of R&D

•• See all posts

← Back to Academy