📃
AWS SAA-C02
  • Practice Test Scores
  • Basics of IAM
  • Elastic Compute Cloud (EC2)
    • Overview
    • Security Groups
    • IP Addresses
    • User Data
    • Launch Types
    • Spot Instances
    • Instance Types
    • Amazon Machine Image (AMI)
    • Placement Groups
    • Elastic Network Interface (ENI)
    • Hibernate
  • Elastic Load Balancer (ELB)
    • Basic Terms
    • Elastic Load Balancing
    • Classic Load Balancer (CLB)
    • Application Load Balancer (ALB)
    • Network Load Balancer (NLB)
    • Stickiness
    • Cross Zone Load Balancing
    • SSL Certificates
    • Connection Draining/Deregistration Delay
  • Auto Scaling Groups (ASG)
    • Launch Configurations & Launch Templates
    • Overview
    • Dynamic Scaling and Scheduled Scaling
    • Lifecycle Hooks
    • Scaling Cooldowns
  • EC2 Storage (EBS, EFS, Instance Store)
    • Elastic Block Storage (EBS)
    • EBS Volume Types
    • EBS Snapshots
    • EBS Volume Migration
    • EBS Volume Encryption
    • EBS RAID configurations
    • Instance Store
    • Elastic File System (EFS)
    • EFS vs EBS
  • Relational Database Service (RDS)
    • RDS Overview
    • Running Databases on EC2
    • RDS Backups & RDS Restores
    • RDS Read Replicas
    • RDS Multi AZ
    • RDS Encryption
    • RDS IAM database authentication
    • Aurora
    • ElastiCache
  • Route53
    • Overview
    • DNS Record Types
    • Routing Policies
    • 3rd Party Domains
  • Simple Storage Service (S3)
    • S3
    • Server-Side Encryption
    • S3 Security
    • Pre-signed URLs
    • S3 Websites
    • Cross-origin resource sharing (CORS)
    • Consistency Model
  • Advanced S3 & Athena
    • MFA Delete
    • Access Logs
    • Replication
    • Storage Classes
    • Lifecycle Configuration
    • Performance Optimization
    • Select and Glacier Select
    • Event Notifications
    • Object Lock and Glacier Lock
    • Athena Overview
  • CloudFront & Global Accelerator
    • CloudFront Overview
    • CloudFront Signed URL / Signed Cookies
    • Global Accelerator
  • Storage Gateway & FSx & Snowball/Snowmobile
    • Storage Gateway Overview
    • Storage Gateway File Gateway Hardware Appliance
    • FSx for Windows Servers
    • FSx for Lustre
    • Storage Comparison
    • Snowball/Snowmobile Overview
  • AWS Messaging
  • Simple Queue Service (SQS)
    • Overview
    • Message Visibility Timeout
    • Dead Letter Queues
    • Delay Queues
    • FIFO Queues
    • SQS + Auto Scaling Group
  • Simple Notification Service (SNS)
    • Overview
    • SNS & SQS - Fan Out Pattern
  • Kinesis + MQ
    • Kinesis
    • Amazon MQ
  • Serverless
    • Lamda Overview
    • Lambda@Edge
    • DynamoDB Overview
    • DynamoDB RCUs and WCUs
    • DynamoDB Advanced Features
    • API Gateway Overview
    • API Gateway Security
    • Cognito Overview
    • AWS SAM (Serverless Application Model)
  • Databases & Analytics
    • Databases
    • Analytics
  • Monitoring
    • CloudWatch Concepts
    • CloudWatch Logs
    • CloudWatch Agent
    • EC2 Instance Recovery
    • CloudWatch Events
    • CloudTrail
    • Config
  • Mini Security Lesson
    • IAM Policies
    • Authorization
    • IAM Conditions
    • IAM for S3 Resources
    • IAM Permission Boundaries
  • Security & Management
    • Security Token Service (STS)
    • Identity Federation in AWS
    • Directory Service
    • Organizations
    • Resource Access Manager (RAM)
    • Single Sign On (SSO)
  • Security & Encryption
    • Encryption Overview
    • KMS Overview
    • SSM Parameter Store Overview
    • Secrets Manager Overview
    • CloudHSM
    • Shield
    • Web Application Firewall (WAF) Overview
  • Virtual Private Cloud (VPC)
    • Networking for VPCs
    • Default VPC Overview
    • VPC Overview
    • VPC Subnets
    • Internet Gateways & Route Tables
    • NAT Instances
    • NAT Gateways
    • DNS support in your VPC
    • NACLs vs Security Groups
    • VPC Peering
    • VPC Endpoints
    • VPC Flow Logs
    • Bastion Hosts
    • Site to Site VPN
    • Direct Connect
    • Egress-only Internet Gateway
    • AWS PrivateLink
    • AWS ClassicLink
    • VPN CloudHub
    • Transit Gateway
  • Disaster Recovery & Migrations
    • Plan for Disaster Recovery
    • Database Migration Service (DMS)
    • Migration Services
    • DataSync Overview
  • Other Services
    • Overview of Other Services
Powered by GitBook
On this page
  • How does EBS encryption work?
  • Encrypting unencrypted volumes

Was this helpful?

  1. EC2 Storage (EBS, EFS, Instance Store)

EBS Volume Encryption

  • With Amazon EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure.

  • Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMK) when creating encrypted volumes and snapshots.

  • Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.

  • You can attach both encrypted and unencrypted volumes to an instance simultaneously.

  • Snapshots of encrypted volumes are encrypted.

How does EBS encryption work?

  • You can encrypt both the boot and data volumes of an EC2 instance.

  • EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm.

  • Your data key is stored on-disk with your encrypted data, but not before EBS encrypts it with your CMK.

  • Your data key never appears on disk in plaintext.

  • The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots.

Encrypting unencrypted volumes

  • There is no direct way to encrypt an existing unencrypted volume or snapshot.

  • However, you can do the following: 1. Create a snapshot of the unencrypted volume. 2. Encrypt the snapshot (using copy). 3. Restore an EBS volume from the encrypted snapshot. 4. Attach the encrypted volume to the EC2 instance.

PreviousEBS Volume MigrationNextEBS RAID configurations

Last updated 4 years ago

Was this helpful?