Elastic Block Storage (EBS) snapshots are snapshots of the volume at a particular moment in time. These snapshots can be shared and recreated into volumes for other instances. AWS provides the provision to share these snapshots with other AWS customers via the “Permissions” tab of the snapshot.
Since a snapshot is equivalent to the EBS volume, an attacker with access to a snapshot can read and gain access to data within the snapshot if it is unencrypted. It is recommended to implement data encryption in order to protect it from attackers or unauthorised users.
In this article we will take a look at how to encrypt an EBS snapshot using AWS CLI.
Following are the AWS CLI commands to encrypt an EBS snapshot:
Run describe snapshots command
aws ec2 describe-snapshots --owner-ids self --region <region> --query 'Snapshots[]'
Make an encrypted copy of the unencrypted snapshot by running the following command
aws ec2 copy-snapshot --region <region> --source-region <region> --destination-region <region> --source-snapshot-id <snapshot id> --description <description> --encrypted
Delete the unencrypted snapshot by providing its ID as identifier
aws ec2 delete-snapshot --region <region> --snapshot-id <snapshot id>