Encrypt EBS Volume for the VM-Series Firewall on AWS

Use the AWS KMS to encrypt data stored on the EBS volume of the VM-Series firewall on AWS.
EBS encryption is available for all AWS EC2 Instance Types on which you can deploy the VM-Series firewall. To securely store data on the VM-Series firewall on AWS, you must first create a copy of an AMI that is published on the AWS public or GovCloud Marketplace, or use a custom AMI, and then encrypt the EBS volume with a customer master key (CMK) on the AWS Key Management Service (KMS). You can use the default master key for your AWS account or any CMK that you have previously created using the AWS Key Management Service. EBS and the KMS interact to ensure data security.
  1. Create an encryption key on AWS, or skip this step if you want to use the default master key for your account.
    You will use this key to encrypt the EBS volume on the firewall. Note that the key is region specific.
  2. Use the key to encrypt the EBS volume on the firewall.
    You must create a copy of the AMI that you want to encrypt. You can copy an AMI that is published on the AWS public or GovCloud Marketplace, or use a custom AMI (see Create a Custom Amazon Machine Image (AMI)).
    1. On the EC2 Dashboard, select the AMI and Copy AMI.
    2. Set the details for the AMI.
      Make sure to select Encrypt target EBS snapshots.
    3. Select the encryption key and Copy AMI to create an encrypted EBS snapshot.
    4. Select EC2 Dashboard > Snapshots to verify that the EBS snapshot is encrypted with the key you selected above.
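
The verification in step 4 can also be scripted. The following is an added example, not part of the original documentation: a Python check over the JSON that `aws ec2 describe-images` and `aws ec2 describe-snapshots` return for the copied AMI, which also flags a key from the wrong region. The function name, sample IDs, account number and key ARNs are constructed for illustration.

```python
import json

# Constructed sample data shaped like the JSON from `aws ec2 describe-images` and
# `aws ec2 describe-snapshots`. Every ID, account number and key ARN is a placeholder.
KEY = "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000001"
OTHER_KEY = "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000002"
IMAGES = json.loads("""{"Images": [{"ImageId": "ami-0example", "BlockDeviceMappings": [
  {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0aaa"}},
  {"DeviceName": "/dev/sdb",  "Ebs": {"SnapshotId": "snap-0bbb"}},
  {"DeviceName": "/dev/sdc",  "VirtualName": "ephemeral0"}]}]}""")
GOOD_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-0aaa", "Encrypted": True, "KmsKeyId": KEY},
    {"SnapshotId": "snap-0bbb", "Encrypted": True, "KmsKeyId": KEY}]}
BAD_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-0aaa", "Encrypted": False},
    {"SnapshotId": "snap-0bbb", "Encrypted": True, "KmsKeyId": OTHER_KEY}]}


def audit_copied_ami(images, snapshots, expected_key_arn, region):
    """Return findings; an empty list means every EBS snapshot behind the
    copied AMI is encrypted with the expected key in the expected region."""
    findings = []
    # Key ARN layout: arn:<partition>:kms:<region>:<account>:key/<id>.
    key_region = expected_key_arn.split(":")[3]
    if key_region != region:
        findings.append(f"key is in {key_region} but the AMI copy is in {region}")
    by_id = {s["SnapshotId"]: s for s in snapshots["Snapshots"]}
    for image in images["Images"]:
        for mapping in image.get("BlockDeviceMappings", []):
            snap_id = mapping.get("Ebs", {}).get("SnapshotId")
            if snap_id is None:
                continue  # instance-store or blank volume: no snapshot to check
            snap = by_id.get(snap_id)
            if snap is None:
                findings.append(f"{snap_id}: missing from snapshot listing")
            elif not snap.get("Encrypted"):
                findings.append(f"{snap_id}: not encrypted")
            elif snap.get("KmsKeyId") != expected_key_arn:
                findings.append(f"{snap_id}: encrypted with a different key")
    return findings


if __name__ == "__main__":
    for name, snaps in (("good", GOOD_SNAPSHOTS), ("bad", BAD_SNAPSHOTS)):
        print(name, audit_copied_ami(IMAGES, snaps, KEY, "us-west-2") or "OK")
```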
