Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Set up for Amazon EBS

Complete the tasks in this section to get set up for working with Amazon EBS resources.

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services
  1. Open http://www.amazonaws.cn/ and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to http://www.amazonaws.cn/ and choosing My Account.

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the IAM User Guide:

(Optional) Create and use a customer managed key for Amazon EBS encryption

Amazon EBS encryption is an encryption solution that uses Amazon KMS cryptographic keys to encrypt your Amazon EBS volumes and Amazon EBS snapshots. Amazon EBS automatically creates a unique Amazon managed KMS key for Amazon EBS encryption in each Region. This KMS key has the alias aws/ebs. You can't rotate the default KMS key or manage its permissions. For more flexibility and control over the KMS key used for Amazon EBS encryption, you might consider creating and using a customer managed key.

(Optional) Enable block public access for Amazon EBS snapshots

To prevent public sharing of your snapshots, you can enable block public access for snapshots. After you enable block public access for snapshots in a Region, any attempt to publicly share snapshots in that Region is automatically blocked. This can help you to improve the security of your snapshots and to protect your snapshot data from unauthorized or unintended access.

For more information, see Block public access for Amazon EBS snapshots.

Console
To enable block public access for snapshots
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose EC2 Dashboard, and then in Account attributes (on the right-hand side), choose Data protection and security.

  3. In the Block public access for EBS snapshots section, choose Manage.

  4. Select Block public access and then choose one of the following options:

    • Block all public access — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.

    • Block new public sharing — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

  5. Choose Update.

Amazon CLI
To enable block public access for snapshots

Use the enable-snapshot-block-public-access command. For --state specify one of the following values:

  • block-all-sharing — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.

  • block-new-sharing — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

aws ec2 enable-snapshot-block-public-access --state block-new-sharing

PowerShell
To enable block public access for snapshots

Use the Enable-EC2SnapshotBlockPublicAccess cmdlet. For -State specify one of the following values:

  • block-all-sharing — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.

  • block-new-sharing — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

Enable-EC2SnapshotBlockPublicAccess -State block-new-sharing
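
Because block public access is enabled per Region, and block-new-sharing leaves already-public snapshots available, it helps to check each Region's current state and count its public snapshots before changing the setting. The following script is an added example, not part of the AWS documentation. The function names, the script name, and the choice never to relax a Region that is already set to block-all-sharing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the AWS documentation). Assumes AWS CLI credentials
# permitted to call the three ec2 commands used below.

# Current state for one Region: block-all-sharing, block-new-sharing or unblocked.
bpa_state() {
    aws ec2 get-snapshot-block-public-access-state \
        --region "$1" --query State --output text
}

# IDs of this account's snapshots that carry a public sharing permission.
public_snapshots() {
    aws ec2 describe-snapshots --region "$1" --owner-ids self \
        --restorable-by-user-ids all \
        --query 'Snapshots[].SnapshotId' --output text
}

# enforce_bpa REGION STATE: report, and change the setting only when needed.
enforce_bpa() {
    region=$1
    desired=$2
    case $desired in
        block-all-sharing|block-new-sharing) ;;
        *) echo "invalid state: $desired" >&2; return 2 ;;
    esac
    current=$(bpa_state "$region") || return 1
    public=$(public_snapshots "$region") || return 1
    count=$(printf '%s' "$public" | wc -w | tr -d ' ')
    if [ "$current" = "$desired" ]; then
        echo "$region: already $current, $count snapshot(s) marked public"
    elif [ "$current" = "block-all-sharing" ]; then
        # Choice made in this example: never relax the stricter setting.
        echo "$region: kept $current, $count snapshot(s) marked public"
    else
        aws ec2 enable-snapshot-block-public-access \
            --region "$region" --state "$desired" >/dev/null || return 1
        echo "$region: $current -> $desired, $count snapshot(s) marked public"
    fi
}

# Usage: sh enforce_bpa.sh block-new-sharing cn-north-1 cn-northwest-1
if [ "$#" -ge 2 ]; then
    state=$1
    shift
    for r in "$@"; do
        enforce_bpa "$r" "$state" || exit 1
    done
fi
```

A nonzero count reported alongside block-new-sharing identifies snapshots that remain publicly available and need their sharing permission reviewed individually.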