Avi Load Balancer supports EBS and S3 encryption using AWS SSE-KMS, which encrypts the Amazon Machine Image (AMI). This section explains Amazon EBS encryption, the solution offered to encrypt EBS volumes.
Encrypting an EBS volume and attaching it to a supported instance type encrypts the data inside the volume, all data moving between the volume and the instance, all snapshots created from the volume, and all volumes created from those snapshots.
Data at rest within an Amazon S3 data center can be protected using AWS KMS. Server-side encryption is one way to use AWS KMS, in which you protect your data using a customer master key.
The three modes of server-side encryption are:
SSE-S3 – Amazon S3 manages the data and master encryption keys.
SSE-C – User manages the encryption key.
SSE-KMS – AWS manages the data key, but the user manages the master key in AWS KMS. For complete information on AWS KMS, refer to How Amazon Simple Storage Service (Amazon S3) Uses AWS KMS.
Avi Load Balancer supports EBS and S3 encryption using AWS SSE-KMS, which encrypts the Amazon Machine Image (AMI). For detailed information on AMIs, see Amazon Machine Images (AMI).
On deploying the Avi Load Balancer Controller instance in the AWS cloud, an Amazon Machine Image (AMI) is generated and uploaded to an Amazon Simple Storage Service (S3) bucket within the account. This Controller AMI is used to deploy the Service Engines as required.
During cloud configuration, S3 buckets are generated when AMIs are registered. By default, Avi Load Balancer creates S3 buckets with versioning disabled. However, users can apply external policies to enable versioning for each S3 bucket upon creation. To support this, the following two S3 permissions were introduced in the Avi Load Balancer Controller IAM Role:
"s3:ListBucketVersions"
"s3:DeleteObjectVersion"
The bucket that the Avi Load Balancer Controller creates to import the SE OVA and build the SE AMI defaults to the prefix avi-se-. This prefix can be modified through the cloud configuration field obj_name_prefix. If changed, the bucket name will be <prefix value>-se-<uuid>. For granular control, if a custom prefix is used, the S3 policy can also be updated to use the same prefix instead of avi-se-.
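The following is an added example, not part of the Avi Load Balancer documentation or product code: it builds a least-privilege IAM statement for the two versioning permissions listed above, scoped to the <prefix>-se-<uuid> buckets, and then checks a list of constructed bucket names against that statement so a policy still written for avi-se-* after obj_name_prefix was changed is caught. The default prefix value "avi" and the UUID format are assumptions.

```python
import fnmatch
import json
import re

# Versioning-related S3 actions required by the Controller IAM Role (from the documentation).
VERSIONING_ACTIONS = ["s3:ListBucketVersions", "s3:DeleteObjectVersion"]

# Bucket naming convention: <prefix>-se-<uuid>. The "avi" default and the
# 8-4-4-4-12 hex UUID layout are assumptions for this example.
UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"


def se_bucket_pattern(obj_name_prefix="avi"):
    """Glob used in the policy to cover every SE AMI import bucket for this prefix."""
    return f"{obj_name_prefix}-se-*"


def scoped_statement(obj_name_prefix="avi"):
    """One IAM statement granting the versioning actions only on SE buckets.
    ListBucketVersions needs the bucket ARN; DeleteObjectVersion needs the object ARN."""
    pattern = se_bucket_pattern(obj_name_prefix)
    return {
        "Effect": "Allow",
        "Action": VERSIONING_ACTIONS,
        "Resource": [f"arn:aws:s3:::{pattern}", f"arn:aws:s3:::{pattern}/*"],
    }


def is_se_bucket(bucket_name, obj_name_prefix="avi"):
    """True if the bucket follows the <prefix>-se-<uuid> convention."""
    return re.fullmatch(rf"{re.escape(obj_name_prefix)}-se-{UUID_RE}", bucket_name) is not None


def uncovered_se_buckets(bucket_names, obj_name_prefix, statement):
    """SE buckets for this prefix that no bucket-level Resource ARN in the statement matches.
    IAM '*' matches any characters, which fnmatch reproduces for these ARNs."""
    bucket_arns = [r for r in statement["Resource"] if not r.endswith("/*")]
    return [
        name for name in bucket_names
        if is_se_bucket(name, obj_name_prefix)
        and not any(fnmatch.fnmatchcase(f"arn:aws:s3:::{name}", p) for p in bucket_arns)
    ]


if __name__ == "__main__":
    # Constructed sample: a default-prefix bucket, one created after obj_name_prefix="prod",
    # and an unrelated bucket that the policy must not need to cover.
    buckets = ["avi-se-0f8d2c4a-1b2c-4d5e-8f90-abcdef123456",
               "prod-se-9e8d7c6b-5a4f-4e3d-2c1b-0a9f8e7d6c5b", "customer-logs"]
    stale = scoped_statement("avi")
    print(json.dumps(stale, indent=2))
    print("missed by stale avi-se- policy:", uncovered_se_buckets(buckets, "prod", stale))
    print("missed after updating prefix:", uncovered_se_buckets(buckets, "prod", scoped_statement("prod")))
```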
Enabling encryption encrypts both the Controller and SE AMIs. As explained earlier, this encryption is done for the EBS volume and S3 bucket. Enabling encryption does not dynamically update existing SEs and is applied only to the newly launched SEs.
Users can enable EBS encryption at the account level without specifying the corresponding KMS key in Avi Load Balancer. In this case, Avi Load Balancer is unaware of the account-level setting and may repeatedly create SE AMIs because of the encryption configuration mismatch. If EBS encryption is enabled in the account, the user must configure the same key as the EBS encryption key in Avi Load Balancer's AWS cloud setup.
For more information on configuring AWS Encryption on Avi Load Balancer, see configuring EBS Encryption using Avi Load Balancer UI.