Lock and Key - Encrypting EBS Disk Volumes for BIG-IP AWS Deployments
A good rule of thumb is that if you want to keep something private you need to put a lock in it. In the physical world we do this by renting a safedepost box at the local credit union or by purchasing as personal safe and placing it in our home. When it comes to our data we should also consider using a lock; IE encryption. For data in motion TLS or IPSEC are common solutions. We also need to address data at rest. For some organizations it is a matter of best practice, for others it may be a matter of compliance. Either way not addressing data at rest leaves a gap in your security and privacy strategy. To solve for this AWS provides users with EBS Encryption allowing users to encrypt the data on the volumes connected to the instances and between the volumes and the instance. Sounds great!
Implementing EBS Encryption with BIG-IP
The short answer is this is possible. Let's start with the nuance that creates a fork in the road for how you will encrypt the volumes associated with a BIG-IP instance. The first question is this an AMI that you created with the F5 Image generator or is this an AMI that you are consuming from F5 via the AWS marketplace? This is material; if you are the AMI owner you can encrypt it from day one, when you use the image generator and upload it to AWS you are the AMI owner. When it comes to marketplace images they are owned by a third party and are not encrypted. The reasons for this is that if F5 encrypted them you would not be able to read them. You have to take action to encrypt the volumes at launch or post launch.
Option 1: Encrypt at AMI instantiation
This method can be applied to an AMI provided by your organization or an AMI provided by F5 via the marketplace. When a user launches an AMI via the EC2 console or from a CloudFormation template they can tell the system to encrypt the EBS that will be attached. Viola - the problem is solved.
Select the AMI
Select a BIG-IP image from the AWS marketplace or your custom AMI.
Encrypt the Volume
Expand the advanced properties of the volume and select encrypted and a key (in the screen shot I am using the AWS default as this is a lab without production data; you should use your own key.)
When the instance launches the volume will be encrypted.
Option 2: Encrypting an Existing Instance
For many organizations they already have BIG-IP deployed and they do not want to launch new instances and migrate to them. The good news is the process is not hard nor does it take a long time. It does require you to shut down the instance.
Create a snapshot
Create and Encrypt a volume
Again - you should use your own key.
Configure the Instance to use the new Volume
Navigate to the Instance and detach the original volume
Conclusion
I hope this article helps you address further securing your AWS environment. Going forward with your new deployments you can simply encrypt the instance at launch either via the console or using Cloud Formation. For your existing instances you can schedule the encryption as part of a maintenance window.