EBS Volume Encryption
  • With Amazon EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure.
  • Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMK) when creating encrypted volumes and snapshots.
  • Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.
  • You can attach both encrypted and unencrypted volumes to an instance simultaneously.
  • Snapshots of encrypted volumes are encrypted.

How does EBS encryption work?

  • You can encrypt both the boot and data volumes of an EC2 instance.
  • EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm.
  • Your data key is stored on-disk with your encrypted data, but not before EBS encrypts it with your CMK.
  • Your data key never appears on disk in plaintext.
  • The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots.

Encrypting unencrypted volumes

  • There is no direct way to encrypt an existing unencrypted volume or snapshot.
  • However, you can reach the same result in four steps:
    1. Create a snapshot of the unencrypted volume.
    2. Copy the snapshot, enabling encryption on the copy (the copy is the only step where the CMK is chosen).
    3. Restore an EBS volume from the encrypted snapshot.
    4. Attach the encrypted volume to the EC2 instance.
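The four steps above as an AWS CLI script, added here as an example and not part of the original notes. It assumes a configured AWS CLI; the volume, instance, region, KMS key alias and device name are placeholders supplied by the caller, and it adds a check that the restored volume reports Encrypted=True before attaching it.

```shell
#!/usr/bin/env bash
# Added example: encrypt an existing unencrypted EBS volume by the
# snapshot -> encrypted copy -> restore -> attach route. Assumes a
# configured AWS CLI; all IDs, region, KMS alias and device are placeholders.
set -eu

# Usage: encrypt_volume_via_snapshot VOLUME_ID INSTANCE_ID REGION KMS_KEY DEVICE
# Prints the new encrypted volume's ID on stdout; progress goes to stderr.
encrypt_volume_via_snapshot() {
  local src_vol=$1 instance=$2 region=$3 kms_key=$4 device=$5
  local az snap enc_snap enc_vol encrypted
  # Step 1: snapshot the unencrypted volume (this snapshot is unencrypted too).
  snap=$(aws ec2 create-snapshot --region "$region" --volume-id "$src_vol" \
           --description "pre-encryption copy of $src_vol" \
           --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap"
  echo "unencrypted snapshot: $snap" >&2

  # Step 2: copy the snapshot with encryption turned on. This is the only
  # place the CMK is chosen; volumes restored from it share its data key.
  enc_snap=$(aws ec2 copy-snapshot --region "$region" --source-region "$region" \
               --source-snapshot-id "$snap" --encrypted --kms-key-id "$kms_key" \
               --description "encrypted copy of $snap" \
               --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc_snap"
  echo "encrypted snapshot: $enc_snap" >&2

  # Step 3: restore a volume from the encrypted snapshot in the instance's AZ.
  az=$(aws ec2 describe-instances --region "$region" --instance-ids "$instance" \
         --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text)
  enc_vol=$(aws ec2 create-volume --region "$region" --snapshot-id "$enc_snap" \
              --availability-zone "$az" --query VolumeId --output text)
  aws ec2 wait volume-available --region "$region" --volume-ids "$enc_vol"

  # Check before attaching: a volume restored from an encrypted snapshot must
  # report Encrypted=True; refuse to continue otherwise.
  encrypted=$(aws ec2 describe-volumes --region "$region" --volume-ids "$enc_vol" \
                --query 'Volumes[0].Encrypted' --output text)
  [ "$encrypted" = "True" ] || { echo "$enc_vol is not encrypted" >&2; return 1; }

  # Step 4: attach the encrypted volume (detaching the old one is a separate step).
  aws ec2 attach-volume --region "$region" --volume-id "$enc_vol" \
    --instance-id "$instance" --device "$device" >/dev/null
  echo "$enc_vol"
}

# Runs only when invoked directly with all five arguments, e.g.
#   ./encrypt-ebs.sh vol-0123 i-0abc us-east-1 alias/ebs-key /dev/xvdf
if [ "$#" -eq 5 ]; then encrypt_volume_via_snapshot "$@"; fi
```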