Security and IAM

2 Minute Tip: Easily Encrypt AWS AMI Root EBS Volumes

Jared Short Trek10
Jared Short | Oct 24 2017

Tue, 24 Oct 2017

In order to meet compliance or just general best practices, it is well worth your time to leverage encrypted root volumes on your EC2 instances. This protects your data from someone grabbing the hard disk in the data center or other similar attack vectors.

If you have ever wanted to grab a marketplace AMI (ex: OpenVPN) you’ll know that the process is painful. It involves a lot of ec2 starts and stops, snapshots, etc. More detail found in AWS docs.

Having done this several times, I finally got annoyed enough that I built out a script that you can point at any AMI in a region and get an AMI in your account with an encrypted root volume.

Short and sweet, but solves a real pain.


  • You will need to first make sure you have subscribed to the marketplace product
  • Get the AMI of the marketplace
  • Copy the script to machine
  • awsume (or otherwise authorize) to AWS
  • chmod the script to be executable if needed via chmod +x

Usage ./ {region} {ami} {name} Example: ./ us-east-1 ami-f6eed4e0 OpenVPN

This make take a few minutes. Output looks like

Creating instance from marketplace AMI ami-f6eed4e0Waiting for instance i-0d3a37ce1eb4b3f24 to be running and status OK...Creating encrypted imageWaiting for AMI ami-01bfa37a, to be available...Terminating unencrypted instance...Everything is good! Your new AMI 'OpenVPN Encrypted' is available as ami-01bfa37a