Encryption at rest can be achieved on AWS with encrypted volumes with KMS keys
...
- Alias: core-nex-uat or core-nex-prd
- Description: Encryption for Nex! volumes
- Key material origin: KMS
- Tags: environment => uat
- Key Admins: gapps-superadmin, gapps-poweruser
- Key usage: mcluster_dev, gapps-superadmin, gapps-poweruser
Authorise KMS Policy
...
| Code Block |
|---|
{
"Statement": [
{
"Sid": "Stmt1340424171166",
"Action": [
"ec2:*",
"elasticloadbalancing:*",
"kms:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
} |
Configure Nex! Orchestrator
The KMS key ARN must be set in the Nex! configuration. Get the ARN from the AWS Console key details (eg: arn:aws:kms:us-east-1:681271161082:key/50997aaf-7603-421f-8514-4e758738eeb7)
In Nex! configuration, set the parameterparameters volume_encryption_key_id per region:
| Code Block |
|---|
compute:
lxc:
...
encrypted: true
volume_encryption_key_id:
southeast-1: arn:aws:kms:ap-southeast-1:681271161082:key/53bd91c9-0156-4e1a-b9b3-6789052078fc
...
docker:
...
encrypted: true
volume_encryption_key_id:
southeast-1: arn:aws:kms:ap-southeast-1:681271161082:key/53bd91c9-0156-4e1a-b9b3-6789052078fc
... |
...