Real World Usage and Examples of Runbooks and Playbooks

Preparing in case EBS data is stolen

Example - Automating EBS Volume Encryption using Ansible

EBS volume encryption is a feature provided by AWS to ensure that sensitive data at rest is secured and compliant with regulations.

Prerequisites

  1. The Ansible playbook is written so that it only acts on instances and their associated volumes that carry the tag createdFor with the value volume-encryption. This lets the user specify exactly which instance volumes have to be encrypted
  2. To run the playbook, you need Ansible installed and AWS CLI credentials configured
  3. The playbook authenticates to AWS through the AWS_PROFILE environment variable

Playbook Code

The playbook is written in two parts. The first part (playbook.yml) checks for instances that have the tag createdFor with the value volume-encryption. It then collects the volumes attached to those instances that carry the same tag and whose Encrypted property is Not Encrypted.

After collecting the list of instance volumes to be encrypted, the playbook loops through the second part (include.yml), which performs the following steps for each collected instance:

  1. Stop the EC2 instance
  2. Create Snapshot of the main volume
  3. Detach Existing Volume from the instance
  4. Create an Encrypted Volume with double the size from the created snapshot and attach it to the instance
  5. Start the instance

The playbook executes this in a sequential manner.

Before running the Playbook, you have to set kms_key_id to the ID of the encryption key you created under the KMS service for performing the volume encryption. This value lives in include.yml.
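The following is an added example of what the two parts described above can look like; it is not the page's own playbook. It assumes the amazon.aws collection is installed, that AWS_PROFILE (and a region) are exported in the environment, that the tag key createdFor and value volume-encryption are used exactly as described, and that a recent amazon.aws release is in use where ec2_vol_info returns attachment_set as a list. kms_key_id is left as a placeholder to be replaced before running. Both files are shown in one fence, separated by comments.

```yaml
# ---------------- playbook.yml (added example, not the original) ----------------
- name: Encrypt unencrypted EBS volumes on tagged instances
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    target_tag_key: createdFor
    target_tag_value: volume-encryption
    kms_key_id: REPLACE_WITH_YOUR_KMS_KEY_ID   # placeholder: set to the key created in KMS
  tasks:
    - name: Find instances tagged for volume encryption
      amazon.aws.ec2_instance_info:
        filters:
          "tag:{{ target_tag_key }}": "{{ target_tag_value }}"
          instance-state-name: ["running", "stopped"]
      register: tagged

    # Only volumes attached to those instances, carrying the same tag,
    # and still reported by EC2 as unencrypted are selected.
    - name: Find attached volumes that are still unencrypted
      amazon.aws.ec2_vol_info:
        filters:
          attachment.instance-id: "{{ tagged.instances | map(attribute='instance_id') | list }}"
          "tag:{{ target_tag_key }}": "{{ target_tag_value }}"
          encrypted: "false"
      register: plain_vols
      when: tagged.instances | length > 0

    # include_tasks inside a loop runs include.yml once per volume, sequentially.
    - name: Encrypt each selected volume in turn
      ansible.builtin.include_tasks: include.yml
      loop: "{{ plain_vols.volumes | default([]) }}"
      loop_control:
        loop_var: vol
        label: "{{ vol.id }}"

# ---------------- include.yml (added example, not the original) ----------------
# One iteration per unencrypted volume; `vol` is provided by the loop above.
- name: Record where this volume is attached (instance id and device name)
  ansible.builtin.set_fact:
    att: "{{ vol.attachment_set | first }}"   # assumes attachment_set is a list

- name: Step 1 - stop the EC2 instance
  amazon.aws.ec2_instance:
    instance_ids: ["{{ att.instance_id }}"]
    state: stopped
    wait: true

- name: Step 2 - create a snapshot of the unencrypted volume
  amazon.aws.ec2_snapshot:
    volume_id: "{{ vol.id }}"
    description: "pre-encryption copy of {{ vol.id }}"
    wait: true
  register: snap

# Setting instance to None is the documented way to detach with ec2_vol.
# The old volume is deliberately kept as a fallback until the new one is verified.
- name: Step 3 - detach the existing volume from the instance
  amazon.aws.ec2_vol:
    id: "{{ vol.id }}"
    instance: None

- name: Step 4 - create an encrypted volume from the snapshot (double size) and attach it
  amazon.aws.ec2_vol:
    instance: "{{ att.instance_id }}"
    device_name: "{{ att.device }}"
    zone: "{{ vol.zone }}"
    snapshot: "{{ snap.snapshot_id }}"
    volume_size: "{{ vol.size * 2 }}"
    volume_type: "{{ vol.type }}"
    encrypted: true
    kms_key_id: "{{ kms_key_id }}"
    delete_on_termination: "{{ att.delete_on_termination | default(false) }}"
    tags:
      createdFor: volume-encryption
      replaces: "{{ vol.id }}"   # lets you trace the new volume back to the original
  register: new_vol

- name: Step 5 - start the instance again
  amazon.aws.ec2_instance:
    instance_ids: ["{{ att.instance_id }}"]
    state: started
    wait: true
```

Run it with `ansible-playbook playbook.yml` after exporting AWS_PROFILE. The `loop_var: vol` setting matters: include.yml reads the volume's id, size, type, zone and attachment from that variable, and the `default([])` on the loop keeps the play from failing when no tagged instances or no unencrypted volumes are found. The detached original volume is not deleted by the example, so it can be removed manually once the instance has been confirmed healthy on the encrypted volume.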

Post incident

After all EBS volumes that need to be encrypted have been successfully encrypted, the runbook for creating EBS volumes should be updated to ensure that new volumes are encrypted by default when they are created.
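One way to enforce that default at the account level, as an added example that is not part of the original runbook: AWS offers a per-region "EBS encryption by default" setting, and the play below turns it on and points it at the same KMS key used during the incident. It drives the AWS CLI from Ansible because the page already assumes aws-cli credentials via AWS_PROFILE; the playbook name and the kms_key_id placeholder are assumptions.

```yaml
# default-encryption.yml (added example, not the original)
- name: Make new EBS volumes encrypted by default in the current region
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    kms_key_id: REPLACE_WITH_YOUR_KMS_KEY_ID   # placeholder: same key as in include.yml
  tasks:
    # This setting is per account and per region; repeat for every region in use.
    - name: Turn on EBS encryption by default
      ansible.builtin.command: aws ec2 enable-ebs-encryption-by-default
      changed_when: true

    - name: Use the customer-managed KMS key rather than the AWS-managed default key
      ansible.builtin.command: >
        aws ec2 modify-ebs-default-kms-key-id --kms-key-id {{ kms_key_id }}
      changed_when: true

    # Fail the run if the setting did not take effect, so the runbook update is verified.
    - name: Verify the setting
      ansible.builtin.command: aws ec2 get-ebs-encryption-by-default
      register: check
      changed_when: false
      failed_when: not (check.stdout | from_json).EbsEncryptionByDefault
```

Encryption by default applies to volumes created from then on (including those created by launch templates and snapshots restored in that region); it does not touch existing unencrypted volumes, which is why the migration play above is still needed for them.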