Encryption for EBS Volumes
Protecting EBS Volumes and Snapshots
How does Amazon EBS encryption work? AWS explains, “EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm. Your data key is stored on disk with your encrypted data, but not before EBS encrypts it with your CMK. Your data key never appears on disk in plaintext. The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots.”
Amazon EBS encryption uses KMS customer master keys (CMKs), so your team does not have to build and manage its own key management program. Encryption is supported by all EBS volume types and is available on all current-generation instance types. When you enforce encryption on EBS volumes, the following types of data are protected:
- Data at rest inside of the volume
- Data moving between the volume and instance
- Snapshots created from the volume
- Volumes created from those snapshots
Transcription
One of the points in Amazon Web Services where we can encrypt our data in storage is in our EBS volumes that are used by our EC2 instances. These are just volumes that are attached as hard drives to an operating system. There is an option in AWS for us to encrypt those volumes in storage, similar to the operating-system encryption we would use with BitLocker or with encrypted Linux volumes.
When you are creating a new volume, for instance as part of an EC2 instance or as part of an auto-scaling group, there is a check box in the AWS Management Console, or an option in the CLI, to instruct AWS to encrypt that volume in storage. Those volumes take advantage of keys in KMS, provided by AWS. That gives you the control point over the key material that is used to encrypt those volumes.
When you already have an existing operating system in use that was not originally encrypted, there is a method, a process, discussed in the AWS documentation on the help pages, to go back and encrypt that volume. It involves making a snapshot of the original volume and then using that snapshot to make a new volume, on which you can then apply the encryption switch.
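As an added example (not part of the original page or of AWS's own tooling), the following Python audits constructed `describe-volumes` and `describe-snapshots` output for the four data types listed above: plaintext volumes, plaintext snapshots, volumes that inherited plaintext state from a snapshot, and the snapshots that still hold a plaintext volume's data after the snapshot-and-new-volume procedure. The volume, snapshot, instance and key identifiers are placeholders, and `reencrypt_commands` assumes the AWS CLI `create-snapshot` and `create-volume --encrypted --kms-key-id` calls.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-volumes` and
# `aws ec2 describe-snapshots` output; all IDs and the key ARN are placeholders.
DESCRIBE_VOLUMES = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0aaa", "Encrypted": false,
   "Attachments": [{"InstanceId": "i-0111"}]},
  {"VolumeId": "vol-0bbb", "Encrypted": true, "SnapshotId": "snap-0ccc",
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
   "Attachments": []},
  {"VolumeId": "vol-0ddd", "Encrypted": false, "SnapshotId": "snap-0eee",
   "Attachments": [{"InstanceId": "i-0222"}]}
]}""")
DESCRIBE_SNAPSHOTS = json.loads("""
{"Snapshots": [
  {"SnapshotId": "snap-0ccc", "VolumeId": "vol-0aaa", "Encrypted": true},
  {"SnapshotId": "snap-0eee", "VolumeId": "vol-0aaa", "Encrypted": false}
]}""")


def audit_ebs_encryption(volumes, snapshots):
    """Report plaintext volumes (with attached instances), plaintext snapshots,
    and which snapshots still carry a plaintext copy of an unencrypted volume."""
    plaintext_vols = {v["VolumeId"]: [a["InstanceId"] for a in v.get("Attachments", [])]
                      for v in volumes["Volumes"] if not v.get("Encrypted", False)}
    plaintext_snaps = {s["SnapshotId"] for s in snapshots["Snapshots"]
                       if not s.get("Encrypted", False)}
    # A volume restored from a plaintext snapshot without the encryption switch
    # inherits the plaintext state; flag it separately so the fix is obvious.
    inherited = [v["VolumeId"] for v in volumes["Volumes"]
                 if v.get("SnapshotId") in plaintext_snaps and not v.get("Encrypted", False)]
    # Snapshots that still hold a plaintext volume's data: the cleanup list once
    # the encrypted replacement volume is in service.
    lingering = {vid: sorted(s["SnapshotId"] for s in snapshots["Snapshots"]
                             if s["VolumeId"] == vid and not s.get("Encrypted", False))
                 for vid in plaintext_vols}
    return {"plaintext_volumes": plaintext_vols, "plaintext_snapshots": sorted(plaintext_snaps),
            "inherited_plaintext": inherited, "lingering_snapshots": lingering}


def reencrypt_commands(volume_id, az, kms_key_id):
    """The snapshot-then-new-volume procedure from the transcription as AWS CLI
    calls to run in order; SNAPSHOT_ID is filled in from step 1's output."""
    return [f"aws ec2 create-snapshot --volume-id {volume_id}",
            f"aws ec2 create-volume --snapshot-id SNAPSHOT_ID --availability-zone {az} "
            f"--encrypted --kms-key-id {kms_key_id}"]


if __name__ == "__main__":
    print(json.dumps(audit_ebs_encryption(DESCRIBE_VOLUMES, DESCRIBE_SNAPSHOTS), indent=2))
```

Replacing the constructed JSON with the real CLI output (`aws ec2 describe-volumes` / `describe-snapshots --owner-ids self`) turns this into a per-account check that the encryption switch was actually applied to every volume and its snapshot lineage.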