Encryption with EBS

Learn how to encrypt and share EBS volumes and snapshots.

Encryption

You can encrypt both the boot and data volumes of an EC2 instance. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

  • Data at rest inside the volume
  • All data moving between the volume and the instance
  • All snapshots created from the volume
  • All volumes created from those snapshots

EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm. Your data key is stored on-disk with your encrypted data, but not before EBS encrypts it with your CMKCustomer Master Key. Your data key never appears on-disk in plaintext. The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots.

Availability

All EBS volume types support encryption. You can expect the same IOPS performance on encrypted volumes as on unencrypted volumes. All instance families also support encryption.

Amazon EBS encryption is available on the instance types listed below.

  • General purpose: A1, M3, M4, M5, M5a, M5ad, M5d, T2, T3, and T3a
  • Compute optimized: C3, C4, C5, C5d, and C5n
  • Memory optimized: cr1.8xlarge, R3, R4, R5, R5a, R5ad, R5d, u-6tb1.metal, u-9tb1.metal, u-12tb1.metal, X1, X1e, and z1d
  • Storage optimized: D2, h1.2xlarge, h1.4xlarge, I2, and I3
  • Accelerated computing: F1, G2, G3, G4, P2, and P3

Encrypted snapshots

Snapshots of encrypted volumes are encrypted automatically. EBS volumes restored or created from encrypted snapshots are also encrypted automatically. By default, only the account owner can create volumes from snapshots.

To encrypt a volume or snapshot, you need an encryption key; these are Customer Master Keys (CMK) and managed by the AWS Key Management Service (KMS). A default CMK key is generated for the first encrypted volumes. Subsequent encrypted volumes will use their own unique key (AES 256 bit).

There is no direct way to change the encryption state of a volume. Either create an encrypted volume and copy data to it, or take a snapshot, encrypt it, and create a new encrypted volume from the snapshot.

You cannot change the CMK key that is used to encrypt a volume. You must create a copy of the snapshot and change encryption keys as part of the copy. This is required in order to be able to share the encrypted volume.

Sharing snapshots

The CMK used to encrypt a volume is used by any snapshots and volumes created from snapshots. You cannot share encrypted volumes created using a default CMK key; they must be using a custom CMK key.

You can share unencrypted snapshots with the AWS community by making them public. You can also share unencrypted snapshots with other AWS accounts by making them private and selecting the accounts to share them with. You cannot make encrypted snapshots public.

You can share encrypted snapshots with other AWS accounts using a non-default CMK key and by configuring cross-account permissions to give the account access to the key, marking it as private, and configuring the account to share it with. The receiving account must copy the snapshot before they can create volumes from the snapshot. It is recommended that the receiving account re-encrypt the shared and encrypted snapshot using their own CMK key.

Key points

The following information applies to snapshots:

  • Snapshots are created asynchronously and are incremental.
  • You can copy unencrypted snapshots (optionally encrypt).
  • You can copy an encrypted snapshot (optionally re-encrypt with a different key).
  • Snapshot copies receive a new unique ID.
  • You can copy within or between regions.
  • You cannot move snapshots, only copy them.
  • You cannot take a copy of a snapshot when it is in a “pending” state; it must be “complete”.
  • S3 Server Side Encryption (SSE) protects data in transit while copying.
  • User-defined tags are not copied.
  • You can have up to 5 snapshot copy requests running in a single destination per account.
  • You can copy Import/Export service, AWS Marketplace, and AWS Storage Gateway snapshots.
  • If you try to copy an encrypted snapshot without having access to the encryption keys, it will fail silently (cross-account permissions are required).

Copying snapshots may be required for:

  • Creating services in other regions
  • DR — the ability to restore from a snapshot in another region
  • Migration to another region
  • Applying encryption
  • Data retention

To take application-consistent snapshots of RAID arrays:

  • Stop the application from writing to disk.
  • Flush all caches to the disk.
  • Freeze the filesystem.
  • Unmount the RAID array.
  • Shut down the associated EC2 instance.

Level up your interview prep. Join Educative to access 80+ hands-on prep courses.