Credits: The screen displays and procedure described in this topic were provided by Terra Verde, a leading provider of cybersecurity and compliance consulting services.
Based on your organization's security policy and compliance requirements, you may want or need to provide additional data encryption safeguards when deploying AlienVault USM Appliance in an off-premises, hosted cloud computing environment. When you deploy USM Appliance on AWS, you can encrypt the Amazon EBS-based volume from which you launch USM Appliance instances. When you create an encrypted EBS volume and attach it to your USM Appliance instance, the following types of data are encrypted:
- Data at rest inside the volume
- All data moving between the volume and the instance
- All snapshots created from the volume
The following procedure describes how to create an Amazon-encrypted EBS volume and attach the USM Appliance Amazon Machine Image (AMI) from which you can launch instances of USM Appliance. This procedure assumes that you have already deployed an Amazon EC2 instance from an AlienVault-provided USM Appliance AMI on an unencrypted Amazon EBS-based root volume.
To perform this procedure, you need permissions to do the following:
- Start and stop Amazon EC2 instances.
- Create and copy snapshots.
- Make EBS volumes from snapshots.
- Attach and detach EBS volumes from instances.
Note: For more information about Amazon EBS encryption, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html. In addition, refer to Deploy USM Appliance with AMI for more information on deploying USM Appliance in an AWS environment.
Log in to the AWS console and navigate to Amazon EC2 Instances.
Locate your existing USM Appliance instance that is currently linked with an unencrypted EBS root volume.
A clean snapshot of the USM Appliance instance is essential for this procedure to succeed. Stop the running USM Appliance instance before performing the following steps.
Inspect the instance details and hover over the drive specification for the root storage device.
Click the EBS ID link, which opens the Volumes page.
With the volume selected, choose Actions > Create Snapshot.
Specify a name and description for the snapshot, which will make your snapshot easier to identify later.
Note that creating the snapshot may take a fair amount of time to complete.
Once the snapshot has been created successfully, locate it on the Snapshots page and make sure it is selected.
Select Actions > Copy.
Set the new copy parameters of your snapshot:
- Make sure the snapshot is in the proper Region.
- Make sure Encrypt this snapshot is checked.
- Select a master key that you would like to use for encryption.
Setting these parameters ensures that the new volume that will be created to replace the unencrypted root volume will be encrypted.
Verify that the new snapshot has been created successfully and select it.
Select Actions > Create Volume to make the new encrypted volume that will be replacing the unencrypted volume currently attached to the USM Appliance instance.
Confirm the EBS volume settings:
- Encryption is set to Encrypted.
- The size is set to 1024.
- The availability zone is set correctly.
After the new volume has been created, navigate back to the Volumes page and locate the unencrypted EBS volume currently in use by the USM Appliance instance. Then, select Actions > Force Detach Volume to detach the volume from the instance.
Once the original volume is detached, locate and select the encrypted EBS volume that you created in Step 13 and select Actions > Attach Volume.
In the Instance field, start typing the name or ID of the USM Appliance instance until the full name of the instance appears in the field and you are able to select it.
In the Device field, type /dev/sda1 and then click Attach.
At this point, AWS swaps the original root EBS volume with an encrypted copy of the original EBS volume so the USM Appliance can operate in an encrypted state.
The USM Appliance instance can now be started from the Amazon EC2 Console, and you can verify the USM Appliance instance's functionality.
After you've verified the USM Appliance instance's functionality, you can optionally delete the unencrypted EBS volume and snapshot.
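The same sequence expressed with the AWS CLI, as an added example that is not part of the original AlienVault or Terra Verde procedure. The instance ID, KMS key ID and Region are placeholders passed as arguments, and the script assumes the root volume is attached as /dev/sda1, as in the steps above.

```shell
#!/bin/sh
# Added example: AWS CLI form of the console procedure above (not AlienVault's own script).
# Usage: sh encrypt-root.sh <instance-id> <kms-key-id> <region>   (all three are placeholders)
encrypt_root_volume() (
  set -eu
  instance=$1 kms_key=$2 region=$3
  ec2="aws ec2 --region $region --output text"

  # Stop the instance first so the snapshot is clean.
  $ec2 stop-instances --instance-ids "$instance" >/dev/null
  $ec2 wait instance-stopped --instance-ids "$instance"

  # Root volume (attached as /dev/sda1) and the instance's Availability Zone.
  base="Reservations[0].Instances[0]"
  old_vol=$($ec2 describe-instances --instance-ids "$instance" --query \
    "$base.BlockDeviceMappings[?DeviceName=='/dev/sda1'].Ebs.VolumeId | [0]")
  zone=$($ec2 describe-instances --instance-ids "$instance" \
    --query "$base.Placement.AvailabilityZone")

  # Snapshot the unencrypted volume, then copy the snapshot with encryption on.
  snap=$($ec2 create-snapshot --volume-id "$old_vol" \
    --description "USM root, unencrypted" --query SnapshotId)
  $ec2 wait snapshot-completed --snapshot-ids "$snap"
  enc_snap=$($ec2 copy-snapshot --source-region "$region" \
    --source-snapshot-id "$snap" --encrypted --kms-key-id "$kms_key" \
    --description "USM root, encrypted" --query SnapshotId)
  $ec2 wait snapshot-completed --snapshot-ids "$enc_snap"

  # Create the replacement volume and refuse to continue unless it is encrypted.
  new_vol=$($ec2 create-volume --snapshot-id "$enc_snap" \
    --availability-zone "$zone" --query VolumeId)
  $ec2 wait volume-available --volume-ids "$new_vol"
  state=$($ec2 describe-volumes --volume-ids "$new_vol" --query "Volumes[0].Encrypted")
  [ "$state" = "True" ] || { echo "new volume is not encrypted" >&2; exit 1; }

  # Swap the root volume, then start the instance again.
  $ec2 detach-volume --volume-id "$old_vol" --force >/dev/null
  $ec2 wait volume-available --volume-ids "$old_vol"
  $ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance" \
    --device /dev/sda1 >/dev/null
  $ec2 start-instances --instance-ids "$instance" >/dev/null
  echo "$new_vol"   # ID of the encrypted volume now attached as /dev/sda1
)

if [ "$#" -eq 3 ]; then encrypt_root_volume "$@"; fi
```

`aws ec2 wait snapshot-completed` gives up after 40 checks at 15-second intervals, so with a large volume the script can stop at a wait step; rerun the wait and continue from that point.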