Closed glmourad closed 9 months ago
For now we are dealing with it in the following way:
```python
import aws_cdk as cdk
from aws_cdk import aws_ec2 as ec2
import jsii
# Adjust to the module name your project installs the construct library under.
from moia_dev.bastion_host_forward import BastionHostForward

...
        self._bastion_host = BastionHostForward(
            self,
            "BastionHostAuroraServerless",
            vpc=self._vpc,
            name="gdl-auroraserverless-bastionhost",
            security_group=bastion_host_security_group,
            address=self._aurora_db.db_cluster.cluster_endpoint.hostname,
            port=str(self._aurora_db.db_cluster.cluster_endpoint.port),
        )
        # Apply the aspect to the whole scope so every EC2 instance below it
        # gets an encrypted root volume.
        cdk.Aspects.of(self).add(EncryptEbsInEc2Instance())
```

```python
@jsii.implements(cdk.IAspect)
class EncryptEbsInEc2Instance:
    """Aspect that forces the root EBS volume of every EC2 instance to be encrypted."""

    def visit(self, node):
        if isinstance(node, ec2.CfnInstance):
            # Override the L1 property directly, since the construct does not
            # expose block device settings.
            node.add_property_override(
                property_path="BlockDeviceMappings",
                value=[
                    {
                        "DeviceName": "/dev/xvda",
                        "Ebs": {
                            "Encrypted": "true",
                            "VolumeSize": 8,
                            "VolumeType": "gp3",
                        },
                    },
                ],
            )
```
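To confirm before deploying that the override above actually produces what the encrypted-volumes Config rule expects, the synthesized template can be checked statically. The following is an added example, not code from the issue or from the construct library; the template dict is constructed for illustration, and `require_kms` is a hypothetical option mirroring the request for an optional KMS key.

```python
from typing import Any, Dict, List

# Constructed sample standing in for a `cdk synth` output: one instance with the
# encrypted root volume the aspect produces, one without, one with no mapping.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "BastionEncrypted": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda",
                 "Ebs": {"Encrypted": "true", "VolumeSize": 8, "VolumeType": "gp3"}},
            ]},
        },
        "BastionPlain": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8}},
            ]},
        },
        "BastionNoMapping": {"Type": "AWS::EC2::Instance", "Properties": {}},
    }
}


def _is_true(value: Any) -> bool:
    # CloudFormation accepts the boolean and the string form for Encrypted.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def find_unencrypted_instances(template: Dict[str, Any], require_kms: bool = False) -> List[str]:
    """Return logical IDs of AWS::EC2::Instance resources whose EBS volumes cannot
    be shown encrypted from the template alone: a mapping without Encrypted=true,
    or no mapping at all (the AMI default then decides). With require_kms, also
    flag encrypted volumes that name no KmsKeyId."""
    findings: List[str] = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        mappings = res.get("Properties", {}).get("BlockDeviceMappings") or []
        if not mappings:
            findings.append(logical_id)
            continue
        for mapping in mappings:
            ebs = mapping.get("Ebs")
            if ebs is None:  # instance-store or NoDevice mapping, nothing to encrypt
                continue
            if not _is_true(ebs.get("Encrypted")) or (require_kms and not ebs.get("KmsKeyId")):
                findings.append(logical_id)
                break
    return findings
```

Run it over `cdk.out/<stack>.template.json` in CI and fail the build when the list is non-empty.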
Hi, we have now included this in the bastion host for v2.0.0.
Hi,
The construct is not compliant with the following Config rule, since the EBS volume attached to the instance is not encrypted: https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html
Is it possible to add parameters to specify whether the volume is needed or not? If the EBS volume can't be removed, I would suggest adding the "encrypted=True" option to the volume and optionally specifying a KMS key.
Thanks in advance!