Encryption at rest can be achieved on AWS by using encrypted EBS volumes backed by KMS keys.
From the AWS Console, go to the IAM service, then select Encryption Keys in the left-hand menu.
Create a new key with the following details:
The Nex! Orchestrator IAM user must be allowed to access the KMS key. Ensure the Nex! Orchestrator policy contains the action "kms:*":
{
  "Statement": [
    {
      "Sid": "Stmt1340424171166",
      "Action": [
        "ec2:*",
        "elasticloadbalancing:*",
        "kms:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
The KMS key ARN must be set in the Nex! configuration. Get the ARN from the key details in the AWS Console (e.g. arn:aws:kms:us-east-1:681271161082:key/50997aaf-7603-421f-8514-4e758738eeb7).
In the Nex! configuration, set the parameters:
compute:
  lxc:
    ...
    encrypted: true
    volume_encryption_key_id:
      southeast-1: arn:aws:kms:ap-southeast-1:681271161082:key/53bd91c9-0156-4e1a-b9b3-6789052078fc
    ...
  docker:
    ...
    encrypted: true
    volume_encryption_key_id:
      southeast-1: arn:aws:kms:ap-southeast-1:681271161082:key/53bd91c9-0156-4e1a-b9b3-6789052078fc
    ...
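The policy above grants "kms:*" on every resource, which is far broader than what EC2 needs to create encrypted volumes with one customer managed key. The following is an added example, not Nex! code and not an AWS-provided tool: it takes the orchestrator policy and the Nex! configuration from this page (the configuration is written here as a Python dict mirroring the YAML, an assumption about how it would be loaded), flags the wildcard KMS grant, collects the key ARNs the configuration actually references, and produces a policy in which the KMS statement is scoped to exactly those keys. The action list EBS_KMS_ACTIONS is the set AWS documents for EBS encryption with a customer managed key; the function names are the example's own.

```python
import re

# Policy shown on this page for the Nex! Orchestrator IAM user (copied from the page).
ORCHESTRATOR_POLICY = {
    "Statement": [
        {
            "Sid": "Stmt1340424171166",
            "Action": ["ec2:*", "elasticloadbalancing:*", "kms:*"],
            "Effect": "Allow",
            "Resource": ["*"],
        }
    ]
}

# Nex! configuration from this page, written as a dict that mirrors the YAML.
# Only the volume-encryption keys are included; the elided "..." parts are omitted.
NEX_CONFIG = {
    "compute": {
        "lxc": {
            "encrypted": True,
            "volume_encryption_key_id": {
                "southeast-1": "arn:aws:kms:ap-southeast-1:681271161082:key/53bd91c9-0156-4e1a-b9b3-6789052078fc",
            },
        },
        "docker": {
            "encrypted": True,
            "volume_encryption_key_id": {
                "southeast-1": "arn:aws:kms:ap-southeast-1:681271161082:key/53bd91c9-0156-4e1a-b9b3-6789052078fc",
            },
        },
    }
}

# KMS actions EC2 needs on a customer managed key to create and attach encrypted EBS volumes
# (the set documented by AWS for EBS encryption with a customer managed key).
EBS_KMS_ACTIONS = [
    "kms:CreateGrant",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncrypt*",
]

# Shape of a KMS key ARN: region, 12-digit account id, key UUID.
KMS_KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:([a-z]{2}(?:-gov)?-[a-z]+-\d):(\d{12}):key/([0-9a-f-]{36})$"
)


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_kms_statements(policy):
    """Return the Sids of Allow statements granting kms:* (or *) on every resource."""
    hits = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        if any(a in ("kms:*", "*") for a in actions) and "*" in resources:
            hits.append(statement.get("Sid", "<no Sid>"))
    return hits


def parse_kms_key_arn(arn):
    """Split a KMS key ARN into region, account and key id; reject anything else."""
    match = KMS_KEY_ARN_RE.match(arn)
    if not match:
        raise ValueError("not a KMS key ARN: %r" % arn)
    return {"region": match.group(1), "account": match.group(2), "key_id": match.group(3)}


def volume_keys_from_config(config):
    """Collect the KMS key ARNs referenced by every compute backend with encrypted: true.

    A backend that asks for encryption but names no key is a misconfiguration, so it is
    rejected rather than silently falling back to the default EBS key.
    """
    arns = set()
    for backend_name, backend in config.get("compute", {}).items():
        if backend.get("encrypted") is not True:
            continue
        key_ids = backend.get("volume_encryption_key_id") or {}
        if not key_ids:
            raise ValueError("%s: encrypted: true but no volume_encryption_key_id" % backend_name)
        for arn in key_ids.values():
            parse_kms_key_arn(arn)  # fail early on a malformed ARN
            arns.add(arn)
    return sorted(arns)


def tighten_policy(policy, key_arns):
    """Replace wildcard kms:* with a statement scoped to the given key ARNs.

    Non-KMS actions (ec2:*, elasticloadbalancing:*) are left as they were on the page.
    """
    statements = []
    for statement in policy.get("Statement", []):
        statement = dict(statement)
        actions = _as_list(statement.get("Action", []))
        if statement.get("Effect") == "Allow" and "kms:*" in actions:
            statement["Action"] = [a for a in actions if a != "kms:*"]
        statements.append(statement)
    statements.append({
        "Sid": "EbsVolumeEncryptionKeys",
        "Effect": "Allow",
        "Action": list(EBS_KMS_ACTIONS),
        "Resource": list(key_arns),
    })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    import json
    print("wildcard KMS grants:", wildcard_kms_statements(ORCHESTRATOR_POLICY))
    keys = volume_keys_from_config(NEX_CONFIG)
    print(json.dumps(tighten_policy(ORCHESTRATOR_POLICY, keys), indent=2))
```

Running the script prints the Sid of the over-broad statement and the tightened policy. The IAM policy is only half of the picture: the key policy of the KMS key itself must also allow the orchestrator principal, otherwise the scoped IAM grant is not sufficient on its own.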