How to encrypt a non-encrypted EBS root volume (AWS EXAM Question!)


Your companies security team recently contacted you and said, “due to new compliance updates, we have to encrypt all of our EBS volumes”. Since you’re the new guy, you’re tasked with encrypting all of the root volumes on the running EC2 instances. Should be pretty easy right?

Well, you don’t have to worry! Once you’re done reading this article, the answer to that last question will be an astounding, YES!


In this article, we’re going to walk you through how to encrypt non-encrypted EBS volumes step by step so you can easily meet all of the compliance standards without having to clear all of your server’s data and start again!

This information is also important for you to know if you’re studying for your solutions architect exam. I’ve heard numerous times that this has come up as a question, so by reading this article, you can understand how to go about encrypting a root EBS volume if it were to pop up on your solutions architect exam!

Either way, you’re going to learn something valuable, so let’s jump right in.

Steps to complete the task

  1. Find your non-encrypted root volumes
  2. Snapshot the volumes
  3. Create an AMI for the snapshot
  4. Launch a new EC2 with encrypted root volume using the AMI

1) Find your non-encrypted root volumes

Before we can go about encrypting the volumes, we first need to find the volumes that we need to encrypt. To do this, we can go to the EC2 service and then click on volumes. We can then filter the volumes to find non-encrypted volumes using Encryption : Not Encrypted in the filter bar at the top. The table will now show all of the non-encrypted EBS volumes.

NOTE: There could also be non-root volumes here. To ensure that you only snapshot root-volumes, you can cross-check the EBS ID with the running EC2 instances EBS ids. If you don’t care about creating extra snapshots, then you can skip this step.

Once you’ve found all of your root volumes, it’s time to move onto the next step, SNAPSHOTS!

2) Snapshot the volumes

Now that we’ve found the root volumes, we need to take a snapshot of the volumes. By taking a snapshot, we essentially take a still photograph of the data in the EBS volume at the time of the snapshot. The snapshot volumes data will then represent the state of the volume’s data at the time of the snapshot. This will come in handy when we need to encrypt this data!

To take a snapshot of an EBS Volume, select the volume > click the actions dropdown > create snapshot.

Once you select Create Snapshot you will be taken to another page where it asks you to give the snapshot a name. You should name your snapshot something descriptive such as unwrapped-bytes-non-encrypted-blog-rootEBS. Having a descriptive name will create less ambiguity in the future when you’re looking through your snapshots.

You should now see your snapshot in the snapshots section under Elastic Block Store ⬇️

pending snapshot being created
Snapshot pending creation

3) Create AMI from the Snapshot

Once you have a snapshot, you need to create an Amazon Machine Image (AMI). By creating an AMI we will then be able to create new EC2 instances that replicate the exact OS and data that was in the original snapshot BUT we will now have the option to encrypt it when laucnhing new instances!

To create an AMI from a snapshot, click on the snapshot then click Actions > Create Image.

snapshot action dropdown
Snapshot action dropdown to create image

You will then need to fill in the name, description, and you can leave the rest at their defaults (unless you really know what you’re doing I wouldn’t recommend changing them). Click create and you will see that a new AMI will be in your AMI’s section with the name you detailed. It will look something like this ⬇️ when you’re done

One thing to note about AMI’s is that they’re not cross-regional. So if you create an AMI in Northern Virginia you will only be able to access it in Northern Virginia. If you need to launch your encrypted EC2 instance in a new region, then we’ll need to copy the AMI to the region you need to launch in.

To do this, click on the AMI, Actions > Copy AMI and then select the region you want to copy it over to in the dropdown. Now you can change the region and see that the image is now available!

4) Encryption

We’re at the final step, and that is launching our new encrypted EC2 instance!

Go to your AMI, select it, then click launch. Choose all the default configurations for your EC2 instance type and configure instance values (if you had a very custom EC2 instance before, just copy the same configuration here). You can also launch an EC2 instance like normal, then select My AMI's and then select the image that you just created. Both ways of doing it will lead you to having an AMI selection like below ⬇️

Now we’re almost ready to launch the instance, but first, we need to encrypt the root volume.

To encrypt the root volume click Add Storage > find root volume > click encryption dropdown > select (default) encryption.

Highlighted dropdown for encrypting root storage

Your root volume is now encrypted with all of your previous data! Go to the final review and double-check to see that your root volume is encrypted. If the storage looks like the one below ⬇️ , you’re all good to go!

EC2 launch instance review

You’re all clear to launch your newly encrypted EC2 instance!

Wrap Up

Today we learned how to encrypt an un-encrypted EC2 instance. Recall that we need to create a snapshot, create an AMI from the snapshot, then launch an EC2 instance with the AMI that we created, and then set the root volume to encrypted. TBH, it’s way more complicated than it needs to be, so hopefully, Amazon makes this easier for users to do in the future. But for right now, we need to take the long route and do a bunch of steps in the console manually.

Should I create a script to do this for you and write a blog about it? I’m not entirely sure if it’s possible, but if the API is open and there is enough demand, I’ll go ahead and try it out.

Let me know in the comments ⬇️ if you’re reading this to help you study for your AWS exam, for leisure, or if you really are in dire need to encrypt your EC2 fleet.

If you liked today’s content, make sure you subscribe to the newsletter down below and if you want to support my coffee addiction, help me out by buying me a coffee! It keeps me going to create more AWESOME FREE CONTENT FOR YOU! As always, thanks for taking the time to unwrap some bytes with me. Cheers! 🍻

Success! You're on the list.

Leave A Comment