01. Login to the AWS Management Console.
02. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
03. In the left navigation panel, click Encryption Keys.
04. Select the appropriate AWS region from the Filter menu (it must match the region where the AWS resource that will use the key was created).
05. Click Create Key button from the top menu.
06. Enter an alias (name) and a description for the new CMK, then click Next Step.
07. Under Key Administrators section, select which IAM users and/or roles can administer the CMK, then click Next Step.
08. Under This Account section, select which IAM users and/or roles can use the CMK to encrypt/decrypt data with the AWS KMS API.
09. (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt data. The owners of the external AWS accounts must also provide access to this CMK by creating policies for their IAM users.
10. Click Next Step.
11. Under Preview Key Policy section, click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: “Your master key was created successfully. Alias: (the CMK display name)”.
12. Now the CMK must be implemented to encrypt/decrypt the EBS volume data. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
13. In the navigation panel, under Elastic Block Store, click Volumes and select your EBS volume.
14. Click the Actions dropdown button from the dashboard top menu and select Create Snapshot.
15. In the Create Snapshot dialog box, provide a name and a description for the snapshot (optional) and click Create.
16. In the navigation panel, under Elastic Block Store, click Snapshots.
17. Select your newly created EBS snapshot.
18. Click the Actions dropdown button from the dashboard top menu and select Copy.
19. If the source volume is not encrypted, in the Copy Snapshot dialog box, select Encrypt this snapshot. Once the feature is enabled, select your new customer-managed key (CMK) from the Master Key dropdown list and click Copy.
20. If the source volume is encrypted with the default key (aws/ebs), in the Copy Snapshot dialog box, under Master Key select your customer-managed key (CMK) and click Copy.
21. Select the new (copied) EBS snapshot.
22. Click the Actions dropdown button from the dashboard top menu and select Create Volume.
23. In the Create Volume dialog box, review the volume configuration details and click Create.
24. Click the Actions dropdown button from the dashboard top menu and select Detach Volume.
25. In the Detach Volume dialog box click Yes, Detach.
26. Go back to the navigation panel and click Volumes.
27. Select the original (source) EBS volume.
28. Select the newly created EBS volume (encrypted with the new customer-managed key).
29. Click the Actions dropdown button from the top menu and select Attach Volume.
30. In the Attach Volume dialog box enter your EC2 instance ID and the device name for attachment, then click Attach.
31. Select the Description tab from the bottom panel and make sure the new EBS volume uses your own customer-managed key (CMK) by checking the KMS Key Aliases value.
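The check in step 31 can also be run across every volume in an account instead of one Description tab at a time. The following is an added example, not part of this guide: it classifies volumes from the output shape of EC2 describe_volumes and KMS list_aliases, using constructed sample data (the volume IDs, key ARNs and the alias name alias/ebs-cmk are placeholders); with boto3 the same dicts come from ec2.describe_volumes()["Volumes"] and kms.list_aliases()["Aliases"].

```python
"""Flag EBS volumes that are unencrypted or still use the default aws/ebs key
instead of the customer-managed key (CMK) created in steps 1 to 11."""

# Constructed sample data in the shape returned by ec2.describe_volumes()
# and kms.list_aliases(). IDs, ARNs and alias names are placeholders.
VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": False},
    {"VolumeId": "vol-0bbb", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1111-aws-ebs-default"},
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/2222-my-cmk"},
]
ALIASES = [
    {"AliasName": "alias/aws/ebs", "TargetKeyId": "1111-aws-ebs-default"},
    {"AliasName": "alias/ebs-cmk", "TargetKeyId": "2222-my-cmk"},
]


def key_id_from_arn(kms_key_id):
    """describe_volumes reports the key as an ARN; list_aliases uses the bare key id."""
    return kms_key_id.rsplit("key/", 1)[-1]


def alias_map(aliases):
    """Map key id -> alias name (aliases without a target key are skipped)."""
    return {a["TargetKeyId"]: a["AliasName"] for a in aliases if "TargetKeyId" in a}


def classify_volume(volume, aliases):
    """Return (status, alias) for one volume, mirroring the KMS Key Aliases check."""
    if not volume.get("Encrypted"):
        return ("UNENCRYPTED", None)
    alias = alias_map(aliases).get(key_id_from_arn(volume.get("KmsKeyId", "")))
    if alias is None:  # no alias in this account, e.g. a key owned by another account
        return ("UNKNOWN_KEY", None)
    if alias.startswith("alias/aws/"):  # AWS-managed default key such as aws/ebs
        return ("AWS_MANAGED_KEY", alias)
    return ("CUSTOMER_MANAGED_KEY", alias)


def noncompliant_volumes(volumes, aliases, expected_alias):
    """Volume id -> status for every volume not encrypted with expected_alias."""
    findings = {}
    for volume in volumes:
        status, alias = classify_volume(volume, aliases)
        if status != "CUSTOMER_MANAGED_KEY" or alias != expected_alias:
            findings[volume["VolumeId"]] = status
    return findings


if __name__ == "__main__":
    print(noncompliant_volumes(VOLUMES, ALIASES, "alias/ebs-cmk"))
```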