AWS Amazon EC2 Volume
This page shows how to write Terraform and CloudFormation for Amazon EC2 Volume and write them securely.
aws_ebs_volume (Terraform)
The Volume in Amazon EC2 can be configured in Terraform with the resource name aws_ebs_volume. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ebs_volume" "mysql" {
  availability_zone = data.aws_availability_zones.available.names[0]
  size              = 40
}

resource "aws_ebs_volume" "mongodb" {
  # body not included in the source excerpt
}

resource "aws_ebs_volume" "a-etcd-events-dilfuzacluster-com" {
  availability_zone = "eu-west-1a"
  size              = 20
  type              = "gp2"
  encrypted         = false # unencrypted volume; see Security Best Practices below
}

resource "aws_ebs_volume" "a-etcd-events-csamatov-net" {
  availability_zone = "eu-west-1a"
  size              = 20
  type              = "gp2"
  encrypted         = false # unencrypted volume; see Security Best Practices below
}
Security Best Practices for aws_ebs_volume
There are 2 settings in aws_ebs_volume that should be taken care of for security reasons. The following sections give an overview and example code for each.
Ensure to use a customer-managed key for EBS volume encryption
It is better to use a customer-managed key for EBS volume encryption. Using customer-managed keys (CMK) gives you more control over the encryption.
Ensure to enable EBS volume encryption
It is better to enable EBS volume encryption. Whether an EBS volume that omits `encrypted` ends up encrypted depends on the account-level setting managed by the `aws_ebs_encryption_by_default` resource, so set it explicitly on the volume. Volume encryption helps protect the data from unauthorized access to the underlying device.
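The two best practices above combined in one configuration, as an added example that is not from the page's GitHub sources; the resource names (`ebs`, `app_data`), the alias name, the availability zone and the tag values are assumed.

```hcl
# Added example, not from the page's sources. Names and values are assumed.

# Customer-managed KMS key for the volume. Rotation is enabled so the key
# material is rotated without changing the key ID referenced below.
resource "aws_kms_key" "ebs" {
  description             = "CMK for EBS volume encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "ebs" {
  name          = "alias/ebs-volumes"
  target_key_id = aws_kms_key.ebs.key_id
}

# Account-level default so any aws_ebs_volume that omits `encrypted` is still
# encrypted, and with the CMK rather than the AWS-managed aws/ebs key.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "this" {
  key_arn = aws_kms_key.ebs.arn
}

# The volume itself sets encryption explicitly so the intent is visible in
# code and does not silently depend on the account default.
resource "aws_ebs_volume" "app_data" {
  availability_zone = "eu-west-1a"
  size              = 20
  type              = "gp3"
  encrypted         = true
  kms_key_id        = aws_kms_key.ebs.arn

  tags = {
    Name = "app-data"
  }
}
```

Changing `encrypted` or `kms_key_id` on an existing aws_ebs_volume forces a replacement, so apply this to new volumes or migrate data via a snapshot first.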
Parameters
arn - optional, computed - string
availability_zone - required - string
encrypted - optional, computed - bool
id - optional, computed - string
iops - optional, computed - number
kms_key_id - optional, computed - string
multi_attach_enabled - optional - bool
outpost_arn - optional - string
size - optional, computed - number
snapshot_id - optional, computed - string
tags - optional - map from string to string
throughput - optional, computed - number
type - optional, computed - string
Explanation in Terraform Registry
Manages a single EBS volume.
Tips: Best Practices for The Other AWS Amazon EC2 Resources
In addition to aws_ebs_volume, AWS Amazon EC2 has other resources that should be configured for security reasons. Please check the following examples of those resources and their precautions.
aws_default_vpc
Ensure to avoid using default VPC
It is better to define your own VPC and use it.
aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
aws_instance
Ensure to avoid storing AWS access keys in user data
It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.
aws_security_group
Ensure your security group blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
AWS::EC2::Volume (CloudFormation)
The Volume in EC2 can be configured in CloudFormation with the resource name AWS::EC2::Volume. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: "AWS::EC2::VolumeAttachment"
Properties:
  InstanceId: !Ref OTCSOTAC
  VolumeId: !Ref app

Type: "AWS::EC2::VolumeAttachment"
Properties:
  InstanceId: !Ref OTCSADM
  VolumeId: !Ref app

Type: 'AWS::EC2::Volume'
Properties:
  AvailabilityZone: !GetAtt HanaNode1.AvailabilityZone
  Size: 10
  VolumeType: 'gp2' # the source spells this "VolumeTYpe"; property names are case-sensitive and the typo would be rejected
  Tags:
    # tag list not included in the source excerpt

Type: "AWS::EC2::VolumeAttachment"
Properties:
  InstanceId: !Ref OTCSADM
  VolumeId: !Ref app

Type: 'AWS::EC2::Volume'
Properties:
  AvailabilityZone: !GetAtt openshiftmaster.AvailabilityZone
  Size: 64
DeletionPolicy: Delete

"Type" : "AWS::EC2::Volume",
"Properties" : {
  "Size" : { "Ref" : "AWSVolumeSize" },
  "AvailabilityZone" : { "Fn::GetAtt" : [ "MongoDBNode8EBS", "AvailabilityZone" ] },
  "Tags": [
    { "Key": "Name", "Value": { "Ref": "MongoDBRSName" } }
  ]
}

(The following is an AWS Config configuration item describing a volume, not a CloudFormation template.)
"resourceType": "AWS::EC2::Volume",
"resourceId": "vol-01bd9aba91902cb57",
"ARN": "arn:aws:ec2:us-east-1:528884874493:volume/vol-01bd9aba91902cb57",
"awsRegion": "us-east-1",
"availabilityZone": "us-east-1b",
"configurationStateMd5Hash": "",

"Type" : "AWS::EC2::Volume",
"Properties": {
  "Size": "50",
  "AvailabilityZone" : { "Ref": "subnetAZ" },
  "Tags": [ {
    "Key": "Name",

"Type": "AWS::EC2::Volume",
"Properties": {
  "VolumeType": "gp2",
  "Size": "30",
  "AvailabilityZone": {
    "Fn::FindInMap": [

"Type": "AWS::EC2::Volume",
"Properties": {
  "VolumeType": "gp2",
  "Size": "30",
  "AvailabilityZone": {
    "Fn::FindInMap": [
Parameters
AutoEnableIO - optional - Boolean
AvailabilityZone - required - String
Encrypted - optional - Boolean
Iops - optional - Integer
KmsKeyId - optional - String
MultiAttachEnabled - optional - Boolean
OutpostArn - optional - String
Size - optional - Integer
SnapshotId - optional - String
Tags - optional - List of Tag
Throughput - optional - Integer
VolumeType - optional - String
Explanation in CloudFormation Registry
Specifies an Amazon Elastic Block Store (Amazon EBS) volume. You can attach the volume to an instance in the same Availability Zone using AWS::EC2::VolumeAttachment.
When you use AWS CloudFormation to update an Amazon EBS volume that modifies Iops, Size, or VolumeType, there is a cooldown period before another operation can occur. This can cause your stack to report being in UPDATE_IN_PROGRESS or UPDATE_ROLLBACK_IN_PROGRESS for long periods of time. Amazon EBS does not support sizing down an Amazon EBS volume. AWS CloudFormation does not attempt to modify an Amazon EBS volume to a smaller size on rollback.
Some common scenarios when you might encounter a cooldown period for Amazon EBS include:
- You successfully update an Amazon EBS volume and the update succeeds. When you attempt another update within the cooldown window, that update will be subject to a cooldown period.
- You successfully update an Amazon EBS volume and the update succeeds but another change in your update-stack call fails. The rollback will be subject to a cooldown period.
For more information on the cooldown period, see Requirements when modifying volumes.
DeletionPolicy attribute
To control how AWS CloudFormation handles the volume when the stack is deleted, set a deletion policy for your volume. You can choose to retain the volume, to delete the volume, or to create a snapshot of the volume. For more information, see DeletionPolicy attribute.
Note: If you set a deletion policy that creates a snapshot, all tags on the volume are included in the snapshot.
Frequently asked questions
What is AWS Amazon EC2 Volume?
AWS Amazon EC2 Volume is a resource for Amazon EC2 of Amazon Web Service. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EC2 Volume?
For Terraform, the GuyBarros/terraform-hcp-demostack-aws, dilfuza97/Kops_cluster_Terraform and csamatov96/K8_cluster_kops source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the okram999/ec2-cfn, okram999/ec2-cfn and somanianshul/cloudfront source code examples are useful. See the CloudFormation Example section for further details.