About EBS volume Encryption:
EBS encryption is the encryption solution for the EBS volumes attached to your EC2 instances. With Amazon EBS encryption you are not required to build, maintain and secure your own key management infrastructure: volumes are encrypted with AWS KMS keys, either the AWS-managed aws/ebs key or a customer-managed key you create.
Encryption operations occur on the servers that host EC2 instances, so both data at rest on the volume and data in transit between an instance and its attached EBS volume are protected. Snapshots of an encrypted volume, and volumes created from those snapshots, are encrypted as well.
Problem Statement:
Encrypting existing volumes is a challenging task in a production environment that was not built with encryption enabled. An unencrypted volume cannot be encrypted in place: each one has to be snapshotted, recreated as an encrypted volume from that snapshot, and swapped in for the original. With 200+ instances, doing this by hand (creating AMIs or snapshots, then detaching and attaching volumes one at a time) takes a lot of time and is error prone.
Solution:
So I decided to automate the task for my client. The script below takes a list of unencrypted volume IDs, snapshots each one, creates an encrypted volume from the snapshot in the same Availability Zone as the original volume (a volume can only be attached to an instance in its own AZ), detaches the unencrypted volume and attaches the encrypted one on the same device name.
Script:
Note: the instance must be in the stopped state before its root volume can be detached (a non-root volume can be detached from a running instance once it has been unmounted inside the OS, which the script does not do). Check the instance state (aws ec2 describe-instances, State.Name) before running the script against it. If you need help, please write back and I will update the script.
#!/bin/bash
# Script to replace unencrypted EBS volumes with KMS-encrypted copies.
# Place the IDs of the volumes to be replaced, one per line, in /tmp/volid.txt.
# Phase 1 snapshots every volume and records its attachment details as snapshot
# tags; phase 2 waits for each snapshot, builds an encrypted volume from it in the
# same Availability Zone and swaps it in on the same device name. The original
# unencrypted volumes are detached but not deleted, so they can be removed by hand
# once the instance has been verified to boot from the encrypted copy.
us_region_name='your volume region name'
kms_key='your KMS key'
describe_vol="/usr/bin/aws ec2 describe-volumes"
describe_instance="/usr/bin/aws ec2 describe-instances"
create_snapshot="/usr/bin/aws ec2 create-snapshot"
describe_snapshots="/usr/bin/aws ec2 describe-snapshots"
create_volume="/usr/bin/aws ec2 create-volume"
attach_volume="/usr/bin/aws ec2 attach-volume"
detach_volume="/usr/bin/aws ec2 detach-volume"
modify_instance="/usr/bin/aws ec2 modify-instance-attribute"
ec2_wait="/usr/bin/aws ec2 wait"
# AWS CLI v2 pipes output through a pager when stdout is a terminal; disable that
# so the loops below never block waiting for a keypress.
export AWS_PAGER=""
snap_list=""

# Phase 1: snapshot each unencrypted volume.
for VOL in $(cat /tmp/volid.txt)
do
    echo "Volume: $VOL"
    # Encryption flag and attachment details in one call. Using $(...) instead of
    # backticks lets the JMESPath query keep its own backticks inside single quotes.
    vol_info=$($describe_vol --volume-ids "$VOL" \
        --query 'Volumes[0].[Encrypted,Attachments[0].InstanceId,AvailabilityZone,Attachments[0].Device,Attachments[0].DeleteOnTermination]' \
        --region "$us_region_name" --output text) || { echo "cannot describe $VOL, skipping"; continue; }
    IFS=$'\t' read -r encrypted instance_id Availabilityzone attachment delete_on_term <<< "$vol_info"
    if [ "$encrypted" = "True" ]; then
        echo "$VOL is already encrypted, skipping"
        continue
    fi
    if [ "$instance_id" = "None" ]; then
        echo "$VOL is not attached to an instance, skipping"
        continue
    fi
    # Detaching a root volume requires a stopped instance; refuse anything else.
    ins_info=$($describe_instance --instance-ids "$instance_id" \
        --query 'Reservations[0].Instances[0].[State.Name,Tags[?Key==`Name`]|[0].Value]' \
        --region "$us_region_name" --output text)
    IFS=$'\t' read -r ins_state ins_name <<< "$ins_info"
    if [ "$ins_state" != "stopped" ]; then
        echo "$instance_id is $ins_state, not stopped; skipping $VOL"
        continue
    fi
    vol_name="$ins_name-$attachment:$instance_id"
    echo "$instance_id $attachment $Availabilityzone $ins_name -> $vol_name"
    # The tags carry everything phase 2 needs and stay visible in the console
    # if the script is interrupted part way through.
    SNAP_vol=$($create_snapshot --volume-id "$VOL" --description "unencrypted copy of $VOL" \
        --tag-specifications "ResourceType=snapshot,Tags=[{Key=Name,Value=$vol_name},{Key=Availabilityzone,Value=$Availabilityzone},{Key=InstanceID,Value=$instance_id},{Key=VolumeID,Value=$VOL},{Key=attachment,Value=$attachment},{Key=DeleteOnTermination,Value=$delete_on_term}]" \
        --query SnapshotId --region "$us_region_name" --output text)
    if [ -n "$SNAP_vol" ]; then
        echo "snapshot $SNAP_vol started for $VOL"
        snap_list+=" $SNAP_vol"
    else
        echo "SNAP creation failed for $VOL"
    fi
done

# Phase 2: wait for each snapshot, then replace the volume.
for snap in $snap_list
do
    echo "Snapshot: $snap"
    snap_status=$($describe_snapshots --snapshot-ids "$snap" --query 'Snapshots[0].State' \
        --region "$us_region_name" --output text)
    while [ "$snap_status" = "pending" ]
    do
        sleep 5
        echo "waiting for $snap to complete"
        snap_status=$($describe_snapshots --snapshot-ids "$snap" --query 'Snapshots[0].State' \
            --region "$us_region_name" --output text)
    done
    if [ "$snap_status" != "completed" ]; then
        echo "$snap is in state $snap_status; leaving its volume alone"
        continue
    fi
    # Read the attachment details back from the snapshot tags.
    snap_tags=$($describe_snapshots --snapshot-ids "$snap" \
        --query 'Snapshots[0].[Tags[?Key==`Availabilityzone`]|[0].Value,Tags[?Key==`Name`]|[0].Value,Tags[?Key==`InstanceID`]|[0].Value,Tags[?Key==`VolumeID`]|[0].Value,Tags[?Key==`attachment`]|[0].Value,Tags[?Key==`DeleteOnTermination`]|[0].Value]' \
        --region "$us_region_name" --output text)
    IFS=$'\t' read -r zone snap_name InstanceID VolumeID attachment_device delete_on_term <<< "$snap_tags"
    # Size is inherited from the snapshot; the type is fixed to gp3 here, so check
    # the original type and IOPS first if any source volume is io1/io2.
    vol=$($create_volume --volume-type gp3 --snapshot-id "$snap" --availability-zone "$zone" \
        --encrypted --kms-key-id "$kms_key" \
        --tag-specifications "ResourceType=volume,Tags=[{Key=Name,Value=$snap_name}]" \
        --query VolumeId --region "$us_region_name" --output text)
    if [ -z "$vol" ]; then
        echo "encrypted volume creation failed for $snap"
        continue
    fi
    $ec2_wait volume-available --volume-ids "$vol" --region "$us_region_name"
    $detach_volume --volume-id "$VolumeID" --region "$us_region_name" --output text
    # The old volume reports "available" only once the detach has really finished.
    $ec2_wait volume-available --volume-ids "$VolumeID" --region "$us_region_name"
    if $attach_volume --volume-id "$vol" --instance-id "$InstanceID" --device "$attachment_device" \
        --region "$us_region_name" --output text
    then
        $ec2_wait volume-in-use --volume-ids "$vol" --region "$us_region_name"
        echo "$vol (encrypted) attached to $InstanceID as $attachment_device; old volume $VolumeID left detached"
        # A fresh attachment defaults to DeleteOnTermination=false; restore the original setting.
        if [ "$delete_on_term" = "True" ]; then
            $modify_instance --instance-id "$InstanceID" \
                --block-device-mappings "[{\"DeviceName\":\"$attachment_device\",\"Ebs\":{\"DeleteOnTermination\":true}}]" \
                --region "$us_region_name"
        fi
    else
        echo "attach of $vol to $InstanceID failed; $VolumeID is detached, reattach it by hand"
    fi
done
If you need to find the volumes in your account that are not encrypted, please see my other blog post.
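As an added example, not code from the original post: a small pre-flight helper that builds the volume list the script above reads from /tmp/volid.txt and applies the checks the procedure depends on (skip volumes that are already encrypted, skip volumes that are not attached, skip volumes whose instance is not stopped). The describe-volumes and describe-instances output below is constructed sample data in the tab-separated shape those commands produce with --output text; the function names are my own.

```shell
#!/bin/sh
# Added example. In a real run the two inputs come from (region flag omitted):
#   aws ec2 describe-volumes \
#     --query 'Volumes[].[VolumeId,Encrypted,AvailabilityZone,Attachments[0].InstanceId,Attachments[0].Device]' \
#     --output text
#   aws ec2 describe-instances \
#     --query 'Reservations[].Instances[].[InstanceId,State.Name]' --output text
# The two variables below are constructed sample output in exactly that shape
# (tab-separated columns, "None" where a volume has no attachment).
sample_volumes="$(printf 'vol-0a1\tFalse\tus-east-1a\ti-0aaa\t/dev/sda1\nvol-0b2\tTrue\tus-east-1a\ti-0aaa\t/dev/sdf\nvol-0c3\tFalse\tus-east-1b\ti-0bbb\t/dev/xvda\nvol-0d4\tFalse\tus-east-1b\tNone\tNone')"
sample_instances="$(printf 'i-0aaa\tstopped\ni-0bbb\trunning')"

tab="$(printf '\t')"

# plan_volumes VOLUMES INSTANCES
# Prints one line per volume: "<volume-id> ready" when it can be fed to the
# replacement script, or "<volume-id> skip <reason>" otherwise.
plan_volumes() {
    printf '%s\n' "$1" | while IFS="$tab" read -r vol enc az inst dev; do
        [ -z "$vol" ] && continue
        if [ "$enc" = "True" ]; then
            echo "$vol skip already-encrypted"
        elif [ "$inst" = "None" ] || [ -z "$inst" ]; then
            echo "$vol skip not-attached"
        else
            # Look up the owning instance's state; a root volume can only be
            # detached from a stopped instance.
            state=$(printf '%s\n' "$2" | awk -F'\t' -v id="$inst" '$1==id {print $2}')
            if [ "$state" = "stopped" ]; then
                echo "$vol ready"
            else
                echo "$vol skip instance-${state:-unknown}"
            fi
        fi
    done
}

# ready_volume_ids VOLUMES INSTANCES
# Prints only the IDs that pass every check, i.e. the content of /tmp/volid.txt.
ready_volume_ids() {
    plan_volumes "$1" "$2" | awk '$2=="ready" {print $1}'
}

plan_volumes "$sample_volumes" "$sample_instances"
# Redirect this to /tmp/volid.txt for the replacement script:
ready_volume_ids "$sample_volumes" "$sample_instances"
```

With the sample data, only vol-0a1 is ready: vol-0b2 is already encrypted, vol-0c3 sits on a running instance and vol-0d4 is not attached to anything. Replace the two sample variables with the real command output to produce the input file for a production run.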