How to Use Amazon EC2 Instance Store Encryption to Protect Data at Rest?

1. Create an Amazon S3 bucket

The S3 bucket holds the encrypted password file. The password (or key) in that file is what encrypts the file system. When the EC2 instance boots, it copies the file from S3, decrypts it with AWS KMS, and uses the recovered plaintext password to set up the encrypted file system on the instance store disk. The first step is therefore to create the S3 bucket that will hold the encrypted password file and apply the necessary permissions to it. If the instance reaches S3 through an Amazon VPC endpoint, the bucket policy must additionally allow access from that endpoint.

  1. Sign in to the S3 console and select “Create Bucket”.
  2. Enter a name in the “Bucket Name” box, then click “Create”.
  3. The details of the new bucket appear in the right pane.

2. Configure the IAM roles and permission for the created S3 bucket

After the encrypted password file has been read from S3, it is decrypted with AWS Key Management Service (KMS). The IAM policy configured in this step grants read access to the bucket; the EC2 instance assumes a role that carries this policy. Replace “your-bucket-name” with the name of the bucket in which the password file is stored.

  1. Sign in to the AWS Management Console and open the IAM console.
  2. In the navigation pane, select “Policies”.
  3. Click “Create Policy”.
  4. Select “Create Your Own Policy”.
  5. Give the policy a name and a meaningful description, then proceed to the next step.
  6. Paste the following policy document. It allows only the read action (s3:GetObject) on objects in your-bucket-name, which is all the instance needs in order to fetch the encrypted password file:
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "Stmt1478729875000",
                    "Effect": "Allow",
                    "Action": [
                        "s3:GetObject"
                    ],
                    "Resource": [
                        "arn:aws:s3:::your-bucket-name/*"
                    ]
                }
            ]
        }
  7. Select “Create Policy”.
  8. This policy grants read access to the bucket, so the encrypted password stored inside it can be read. Next, configure the IAM role that EC2 instances will use to carry this policy.
  9. In the IAM console, select “Roles”.
  10. Choose “Create New Role”.
  11. In the first step, “Role Name”, enter a name for the role and press “Next Step”.
  12. In the second step, “Select Role Type”, select “Amazon EC2” and press “Next Step”. This sets the role's trust policy so that the EC2 service (ec2.amazonaws.com) can assume it.
  13. In the third step, “Establish Trust”, press “Next Step”.
  14. In the fourth step, “Attach Policy”, select the policy created above.
  15. In the fifth step, “Review”, check the configuration and finish. The role can now be attached to newly launched EC2 instances, giving them permission to read the encrypted password file from the S3 bucket.
  16. The new role is listed on the “Roles” page.
  17. Finally, select “Roles” and then the new role to confirm that the policy is attached.

3. Encrypt a secret password with KMS and store it in the S3 bucket

This step uses the AWS CLI. Amazon Linux EC2 instances ship with the AWS CLI installed; it can also be installed on Windows, macOS or Linux workstations.

  1. Run the following commands. The first uses KMS to encrypt the password under the key with alias “EncFSForEC2InternalStorageKey” (the key must already exist) and writes the raw ciphertext to a file; the second copies that file to S3. Replace “us-east-1” with your region and “<bucket-name>” with your bucket. The calling identity needs kms:Encrypt on the key and s3:PutObject on the bucket. Two caveats: passing the password as a literal leaves it in your shell history, and AWS CLI v2 expects the --plaintext value to be base64-encoded unless it is read from a file with fileb://path. Reading the password from a file with restrictive permissions avoids both problems.
    aws --region us-east-1 kms encrypt --key-id 'alias/EncFSForEC2InternalStorageKey' --plaintext "ThisIs-a-SecretPassword" --query CiphertextBlob --output text | base64 --decode > LuksInternalStorageKey
    aws s3 cp LuksInternalStorageKey s3://<bucket-name>/LuksInternalStorageKey
  2. After these commands, the file “LuksInternalStorageKey” contains the encrypted password.
  3. The key alias “EncFSForEC2InternalStorageKey” identifies which KMS key is used; aliases are a convenient way to tell keys apart.


4. Make the KMS key accessible to the role

  1. In the IAM console navigation pane, choose “Encryption keys”.
  2. Choose the key with alias “EncFSForEC2InternalStorageKey”.
  3. Scroll down to “Key Policy” and, under “Key Users”, select “Add”.
  4. Choose the newly created role and press “Attach”.
  5. The role is now a key user and can use the key to decrypt the password file. Note that a key user is also allowed to Encrypt, GenerateDataKey and more; if the instance only ever needs to decrypt, a grant or key policy statement limited to kms:Decrypt is the tighter choice.


5. Configure the EC2 instance with the role and the boot script

  1. Launch a new instance from the EC2 console. In the third step, “Configure Instance Details”, select the IAM role created above.
  2. On the same screen, expand the “Advanced Details” section.
  3. Under “User Data”, keep “As text” selected (the default) and paste the following script into the text box. Replace the bucket name and region with your own. The backing file must be created on the instance store mount (on Amazon Linux, cloud-init mounts the first instance-store volume at /media/ephemeral0); if it is created elsewhere, the encrypted volume ends up on the EBS root volume rather than on the instance store.
    #!/bin/bash
    ## Initial setup to be executed on boot (cloud-init runs this as root, on first boot only).
    # Work on the instance store mount, not on the root EBS volume.
    # Amazon Linux mounts the first instance-store volume at /media/ephemeral0 by default.
    cd /media/ephemeral0
    umask 077
    # Create an empty (sparse) file. This file will hold the encrypted file system.
    # In this example we create a 2 GB file called secretfs (Secret File System).
    dd if=/dev/zero of=secretfs bs=1G count=0 seek=2
    # Lock down normal access to the file.
    chmod 600 secretfs
    # Associate a loopback device with the file.
    losetup /dev/loop0 secretfs
    # Copy the encrypted password file from S3. The password is used to configure LUKS below.
    # Replace the bucket name with your own.
    aws s3 cp s3://an-internalstoragekeybucket/LuksInternalStorageKey .
    # Decrypt the password with KMS; the plaintext lives only in the LuksClearTextKey variable.
    LuksClearTextKey=$(aws --region us-east-1 kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)
    # Never format the volume with an empty key if the download or the decrypt failed.
    [ -n "$LuksClearTextKey" ] || { echo "failed to obtain LUKS key" >&2; exit 1; }
    # Encrypt storage in the device. cryptsetup uses the Linux device mapper to
    # create, in this case, /dev/mapper/secretfs. Initialize the volume and set the key.
    # --batch-mode skips the interactive "Are you sure?" confirmation, which has no
    # place in a non-interactive boot script.
    echo "$LuksClearTextKey" | cryptsetup --batch-mode luksFormat /dev/loop0
    # Open the volume and create the mapping to /dev/mapper/secretfs.
    echo "$LuksClearTextKey" | cryptsetup luksOpen /dev/loop0 secretfs
    # Clear the LuksClearTextKey variable because we don't need it anymore.
    unset LuksClearTextKey
    # Check its status (optional).
    cryptsetup status secretfs
    # Zero out the new encrypted device. dd stops with "No space left on device"
    # once the 2 GB volume is full; that is expected.
    dd if=/dev/zero of=/dev/mapper/secretfs bs=1M
    # Create a file system and verify its status.
    mke2fs -j -O dir_index /dev/mapper/secretfs
    # List file system configuration (optional).
    tune2fs -l /dev/mapper/secretfs
    # Mount the new file system on /mnt/secretfs.
    mkdir -p /mnt/secretfs
    mount /dev/mapper/secretfs /mnt/secretfs
  4. Enable CloudTrail on your account, so that the kms:Decrypt and s3:GetObject calls the instance makes at boot are logged and can be audited.
  5. Finally, launch the EC2 instance. It copies the password file from S3, decrypts it with KMS, and configures the encrypted file system. Keep in mind that cloud-init runs user data only on the first boot and that instance store contents do not survive a stop/start, so after a reboot the volume has to be reopened (luksOpen and mount) and after a stop/start the script has to be run again.
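The following script is an added example; it is not code from the original post or from AWS. It performs steps 2 to 5 above from the AWS CLI instead of the console and renders a stricter version of the boot script. Everything named here beyond what the post already uses is an assumption: the policy, role and instance-profile names, the encryption context purpose=secretfs, AWS CLI v2, and an Amazon Linux AMI on which cloud-init mounts the first instance-store volume at /media/ephemeral0. It also departs from the post in three deliberate ways: the S3 policy is scoped to the single object rather than the whole bucket, the role receives a KMS grant limited to Decrypt (with an encryption-context constraint) instead of being added as a key user, and the passphrase is random and never appears on a command line.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-5 driven from the AWS CLI,
# plus a stricter boot script. Names marked "assumed" are not from the post.
# Usage:
#   ./encfs-setup.sh provision <bucket> <region>   # IAM, KMS grant, key upload
#   ./encfs-setup.sh user-data <bucket> <region>   # print the boot script
set -eu

KEY_ALIAS="alias/EncFSForEC2InternalStorageKey"   # as in the post; key must exist
ROLE_NAME="EncFSForEC2Role"                        # assumed name
POLICY_NAME="EncFSS3ReadPolicy"                    # assumed name
OBJECT_KEY="LuksInternalStorageKey"
ENC_CTX="purpose=secretfs"                         # assumed; binds ciphertext to this use

# Step 2 policy, narrowed to the one object instead of the whole bucket.
s3_read_policy() { # $1 = bucket
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"ReadLuksKey","Effect":"Allow","Action":["s3:GetObject"],"Resource":["arn:aws:s3:::%s/%s"]}]}' "$1" "$OBJECT_KEY"
}

# Trust policy that the console generates for the "Amazon EC2" role type.
ec2_trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

provision() { # $1 = bucket, $2 = region
  bucket=$1; region=$2
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(s3_read_policy "$bucket")" --query Policy.Arn --output text)
  role_arn=$(aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)" --query Role.Arn --output text)
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  # The console creates an instance profile behind the scenes; the CLI does not.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  # Step 4 as a grant: Decrypt only, and only with the expected encryption context.
  # CreateGrant takes a key ID rather than an alias, so resolve the alias first.
  key_id=$(aws kms describe-key --region "$region" --key-id "$KEY_ALIAS" --query KeyMetadata.KeyId --output text)
  aws kms create-grant --region "$region" --key-id "$key_id" --grantee-principal "$role_arn" \
    --operations Decrypt --constraints "EncryptionContextSubset={$ENC_CTX}" >/dev/null
  # Step 3: a random 256-bit passphrase handed to KMS through a 0600 file, so it
  # never shows up on a command line or in shell history.
  umask 077
  tmp=$(mktemp)
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$tmp"
  aws kms encrypt --region "$region" --key-id "$KEY_ALIAS" --plaintext "fileb://$tmp" \
    --encryption-context "$ENC_CTX" --query CiphertextBlob --output text | base64 --decode > "$OBJECT_KEY"
  rm -f "$tmp"
  aws s3 cp "$OBJECT_KEY" "s3://$bucket/$OBJECT_KEY"
}

# Step 5: the boot script, rendered with bucket and region filled in.
render_user_data() { # $1 = bucket, $2 = region
  bucket=$1; region=$2
  cat <<EOF
#!/bin/bash
set -euo pipefail
umask 077
# Fail early if the instance store is not mounted where we expect it (assumed path).
mountpoint -q /media/ephemeral0 || { echo "no instance store mounted" >&2; exit 1; }
cd /media/ephemeral0
aws s3 cp "s3://$bucket/$OBJECT_KEY" ./$OBJECT_KEY
# Decrypt with the same encryption context that was used when the key was wrapped.
LuksClearTextKey=\$(aws --region "$region" kms decrypt --ciphertext-blob fileb://$OBJECT_KEY --encryption-context "$ENC_CTX" --query Plaintext --output text | base64 --decode)
[ "\${#LuksClearTextKey}" -ge 32 ] || { echo "decrypt returned a short key" >&2; exit 1; }
dd if=/dev/zero of=secretfs bs=1G count=0 seek=2 status=none
chmod 600 secretfs
LOOP=\$(losetup -f --show secretfs)
# --key-file=- reads the passphrase from stdin byte-for-byte, so format and open
# see identical bytes; --batch-mode suppresses the interactive confirmation.
printf '%s' "\$LuksClearTextKey" | cryptsetup --batch-mode luksFormat "\$LOOP" --key-file=-
printf '%s' "\$LuksClearTextKey" | cryptsetup luksOpen "\$LOOP" secretfs --key-file=-
unset LuksClearTextKey
mkfs.ext4 -q /dev/mapper/secretfs
mkdir -p /mnt/secretfs
mount /dev/mapper/secretfs /mnt/secretfs
EOF
}

case "${1:-}" in
  provision) provision "$2" "$3" ;;
  user-data) render_user_data "$2" "$3" ;;
  *) echo "usage: $0 provision|user-data <bucket> <region>" >&2 ;;
esac
```

Run `provision` once from an administrator workstation (it needs iam:*, kms:DescribeKey, kms:CreateGrant, kms:Encrypt and s3:PutObject), then paste the output of `user-data` into the instance's User Data field. The encryption-context constraint on the grant means a stolen ciphertext blob cannot be decrypted by the role without also supplying purpose=secretfs, and the CloudTrail record of each Decrypt call carries that context.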


This post was written by Joseph McCray
