awslabs / scale-out-computing-on-aws

Scale-Out Computing on AWS is a solution that helps customers deploy and operate a multiuser environment for computationally intensive workflows.
https://awslabs.github.io/scale-out-computing-on-aws/
Apache License 2.0

Encryption at rest #132

Open urgent opened 1 month ago

urgent commented 1 month ago

Is your feature request related to a problem? Please describe.
EC2 instances launch with EBS as "Not Encrypted".

Describe the feature you'd like
Encryption at rest please.

Additional context
From my review, please check your links: https://github.com/awslabs/scale-out-computing-on-aws/blob/main/source/soca/cluster_manager/cloudformation_builder.py#L525

jsynack commented 1 month ago

Hello @urgent,

Correct - right now the instances are launched without an explicit Encryption setting for the EBS volumes.

This will defer to the defaults for the AWS Account, which can be configured to automatically encrypt EBS by default (https://repost.aws/knowledge-center/ebs-automatic-encryption).

That being said - we certainly understand that some Service Control Policies (SCP) or site policy will reject launch attempts without explicitly setting the encryption on newly created volumes.

This will be changed in the next SOCA version and an explicit encryption enabled flag will be set along with an optional KMS Key ID (or to use the aws/ebs default key).

For your use-case - do you require different keys for different parts of the architecture or just to explicitly set the encryption during volume create/launch? (e.g. do you need different KMS Ids for compute vs. VDI)

Thanks!
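The change discussed in this thread, an explicit `Encrypted` flag with an optional KMS key ID on every EBS block device mapping, plus the audit a reviewer would run to catch mappings that still defer to the account default. This is an added example, not code from the SOCA project or from either commenter; the helper names, the sample mappings and the KMS key ARN are constructed for illustration, while the property names (`Encrypted`, `KmsKeyId`, `VolumeSize`, `VolumeType`, `DeleteOnTermination`) are the CloudFormation `Ebs` properties used by `AWS::EC2::Instance` and launch templates.

```python
"""Build EC2 BlockDeviceMappings with encryption set explicitly, and audit existing ones.

Added example, not SOCA project code. Helper names and sample data are constructed.
"""
from typing import Any, Dict, List, Optional

# Constructed placeholder, not a real key: a customer-managed KMS key ARN.
EXAMPLE_KMS_KEY_ID = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def ebs_mapping(device_name: str, size_gb: int, kms_key_id: Optional[str] = None,
                volume_type: str = "gp3") -> Dict[str, Any]:
    """Return one BlockDeviceMapping entry with Encrypted always set to True.

    When kms_key_id is None, KmsKeyId is omitted and EBS uses the account's
    default aws/ebs key; passing a key ARN selects that key instead, which is
    how different keys for compute vs. VDI would be expressed.
    """
    ebs: Dict[str, Any] = {
        "VolumeSize": size_gb,
        "VolumeType": volume_type,
        "Encrypted": True,  # explicit, so an SCP that requires encryption is satisfied
        "DeleteOnTermination": True,
    }
    if kms_key_id:
        ebs["KmsKeyId"] = kms_key_id
    return {"DeviceName": device_name, "Ebs": ebs}


def unencrypted_devices(mappings: List[Dict[str, Any]]) -> List[str]:
    """Return device names whose Ebs block does not explicitly enable encryption.

    A missing Encrypted key is reported as well: it defers to the account
    default, which is the situation the issue above describes.
    """
    bad: List[str] = []
    for mapping in mappings:
        ebs = mapping.get("Ebs", {})
        if ebs.get("Encrypted") is not True:
            bad.append(mapping["DeviceName"])
    return bad


# Constructed sample for the audit: an encrypted root volume using the
# placeholder key, and a scratch volume with no encryption setting at all.
SAMPLE_MAPPINGS: List[Dict[str, Any]] = [
    ebs_mapping("/dev/xvda", 50, EXAMPLE_KMS_KEY_ID),
    {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeSize": 200, "VolumeType": "gp3"}},
]

if __name__ == "__main__":
    print(unencrypted_devices(SAMPLE_MAPPINGS))  # ['/dev/xvdb']
```

The audit deliberately treats a missing `Encrypted` key the same as `Encrypted: false`, since both leave the decision to the account-level EBS default rather than to the template.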