How to enable EBS encryption with AWS ECS

I'm trying to set up an ECS cluster with the EC2 instance type. My requirement is to encrypt the EBS volumes used by the ECS cluster, but I couldn't see an option to select encrypted EBS during ECS cluster creation. The only thing I see is an option to provide the EBS volume size under the instance configuration.

Is there any other way to implement EBS encryption in an ECS cluster?



Solution 1:[1]

As mentioned in the comments, the accepted answer is not an optimal solution, since it is neither scalable nor resilient.

An alternative would be to create a CloudFormation template and use an AWS::AutoScaling::AutoScalingGroup based on a custom AWS::EC2::LaunchTemplate, where you can specify the properties of the underlying EC2 instances, including encrypted EBS volumes. The UserData script on each EC2 instance registers the instance with your ECS cluster.

ECSLaunchTemplate:
  Type: AWS::EC2::LaunchTemplate
  Properties:
    LaunchTemplateName: !Sub ${AWS::StackName}-lt
    LaunchTemplateData:
      ImageId: !Ref ImageAMI            # ECS-optimized AMI
      InstanceType: !Ref InstanceType
      # The instance also needs an IamInstanceProfile carrying the ECS instance role
      # (AmazonEC2ContainerServiceforEC2Role) or the agent cannot register.
      BlockDeviceMappings:
        - DeviceName: /dev/xvda         # root device of the ECS-optimized Amazon Linux AMI
          Ebs:
            DeleteOnTermination: true
            Encrypted: true             # encrypt the root volume; without KmsKeyId the account's default EBS key is used
            VolumeType: gp2
            VolumeSize: 30
      # Register the instance with the cluster on boot (Ref on an AWS::ECS::Cluster returns its name)
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config

ECSAutoScalingGroup:
  DependsOn: ECSCluster
  Type: AWS::AutoScaling::AutoScalingGroup
  Properties:
    LaunchTemplate:
      LaunchTemplateId: !Ref ECSLaunchTemplate
      Version: !GetAtt ECSLaunchTemplate.LatestVersionNumber
    # MinSize, MaxSize and a subnet list are required for the ASG to be valid
    MinSize: !Ref MinSize
    MaxSize: !Ref MaxSize
    VPCZoneIdentifier: !Ref SubnetIds

Solution 2:[2]

I have scoured the internet to get this to work and followed all documentation. I found that at least one other person has this issue and has a possible workaround by manually creating the volume in Docker. See: https://github.com/rexray/rexray/issues/1363

Another option, which I have just confirmed works: you can enable encryption by default for EBS volumes in the zone you are in.

See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
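
As an added example that is not part of the question or either answer: the Python script below checks both approaches from the outside. It reads the EBS encryption-by-default flag that Solution 2 refers to (the flag is set per region, and it only affects volumes created after it is turned on; volumes that already exist stay unencrypted), confirms that a launch template's root block device mapping requests Encrypted: true as in Solution 1, and then lists every volume attached to the cluster's container instances that is unencrypted or encrypted with a key other than the one you expect. The cluster name, launch template name and KMS key ARN are assumed inputs, the sample dicts at the top are constructed to mirror the shapes boto3 returns, and boto3 is imported only inside main() so the pure checks run without it. If you point the template at a customer-managed key instead of the default EBS key, remember that the Auto Scaling service-linked role needs a grant on that key or launches will fail.

```python
"""Audit the EBS encryption state behind an ECS (EC2 launch type) cluster.

Added example, not code from the question or either answer. The pure
functions take the plain dicts that boto3's EC2 describe_volumes and
describe_launch_template_versions return, so they run offline on the
constructed sample data below; main() wires them to a live account.
"""
from __future__ import annotations

import sys
from typing import Iterable, Optional

# Constructed sample data shaped like the boto3 responses (not real volumes or keys).
SAMPLE_KEY_A = "arn:aws:kms:eu-west-1:123456789012:key/aaaaaaaa-1111-1111-1111-111111111111"
SAMPLE_KEY_B = "arn:aws:kms:eu-west-1:123456789012:key/bbbbbbbb-2222-2222-2222-222222222222"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": SAMPLE_KEY_A},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
    {"VolumeId": "vol-0ccc", "Encrypted": True, "KmsKeyId": SAMPLE_KEY_B},
]
SAMPLE_LAUNCH_TEMPLATE_DATA = {
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda",
         "Ebs": {"Encrypted": True, "VolumeSize": 30, "VolumeType": "gp2"}}
    ]
}


def unencrypted_volumes(volumes: Iterable[dict],
                        expected_kms_key: Optional[str] = None) -> list[dict]:
    """Return {"VolumeId", "Reason"} for each volume that is not encrypted or,
    when expected_kms_key (a key ARN) is given, is encrypted with another key."""
    findings = []
    for vol in volumes:
        if not vol.get("Encrypted", False):
            findings.append({"VolumeId": vol["VolumeId"], "Reason": "not encrypted"})
        elif expected_kms_key and vol.get("KmsKeyId") != expected_kms_key:
            findings.append({"VolumeId": vol["VolumeId"],
                             "Reason": f"unexpected key {vol.get('KmsKeyId')}"})
    return findings


def launch_template_encrypts_root(launch_template_data: dict,
                                  root_device: str = "/dev/xvda") -> bool:
    """True only if the template explicitly maps root_device with Ebs.Encrypted set.
    A template with no mapping for the root device inherits the AMI's setting and
    ends up encrypted only if EBS encryption by default is on in the region."""
    for mapping in launch_template_data.get("BlockDeviceMappings", []):
        if mapping.get("DeviceName") == root_device:
            return bool((mapping.get("Ebs") or {}).get("Encrypted", False))
    return False


def main(cluster: str, launch_template_name: str,
         expected_kms_key: Optional[str] = None) -> int:
    import boto3  # imported here so the checks above run without it

    ec2 = boto3.client("ec2")
    ecs = boto3.client("ecs")

    # Solution 2: the region-wide default. Applies only to volumes created after enabling.
    default_on = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    print(f"EBS encryption by default (this region): {default_on}")

    # Solution 1: does the latest launch template version ask for an encrypted root volume?
    versions = ec2.describe_launch_template_versions(
        LaunchTemplateName=launch_template_name, Versions=["$Latest"])
    lt_data = versions["LaunchTemplateVersions"][0]["LaunchTemplateData"]
    print(f"Launch template encrypts root: {launch_template_encrypts_root(lt_data)}")

    # What was actually created: volumes attached to the cluster's container instances.
    arns = []
    for page in ecs.get_paginator("list_container_instances").paginate(cluster=cluster):
        arns.extend(page["containerInstanceArns"])
    instance_ids = []
    for i in range(0, len(arns), 100):  # describe_container_instances takes at most 100 ARNs
        resp = ecs.describe_container_instances(cluster=cluster,
                                                containerInstances=arns[i:i + 100])
        instance_ids.extend(ci["ec2InstanceId"] for ci in resp["containerInstances"])
    volumes = []
    if instance_ids:
        pages = ec2.get_paginator("describe_volumes").paginate(
            Filters=[{"Name": "attachment.instance-id", "Values": instance_ids}])
        for page in pages:
            volumes.extend(page["Volumes"])

    findings = unencrypted_volumes(volumes, expected_kms_key)
    for f in findings:
        print(f"{f['VolumeId']}: {f['Reason']}")
    print(f"{len(volumes)} volume(s) checked, {len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    # usage: python ebs_audit.py <cluster-name> <launch-template-name> [expected-kms-key-arn]
    sys.exit(main(*sys.argv[1:4]))
```

Run it with credentials for the account and region that hold the cluster; a non-zero exit code means at least one attached volume is unencrypted or uses the wrong key, which makes it easy to drop into a pipeline or a periodic compliance job.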

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 maslick
Solution 2