AWS EBS encryption
Amazon EBS encryption is a straightforward encryption solution for the Amazon EBS resources attached to your Amazon EC2 instances. You do not need to build, maintain, or secure your own key management infrastructure, because Amazon EBS encryption uses AWS KMS keys to create encrypted volumes and snapshots.
Encryption operations are performed on the servers that host EC2 instances, which protects both data at rest and data in transit between an instance and its attached EBS storage.
An instance can have both encrypted and unencrypted volumes attached to it at the same time. Amazon EBS encryption is compatible with all Amazon EC2 instance types.
Protect EBS resources via encryption
To encrypt EBS volumes, either enable encryption by default or enable encryption when you create the volume you want to encrypt.
You can specify the symmetric encryption KMS key to use when encrypting a volume. If you do not specify a KMS key, the encryption state and ownership of the source snapshot determine which KMS key is used.
The KMS key associated with an existing volume or snapshot cannot be changed. However, you can associate a different KMS key during a snapshot copy operation so that the resulting copied snapshot is encrypted with the new KMS key.
Encrypt a blank volume when it is created
You can encrypt a newly created, empty EBS volume by enabling encryption for that volume creation operation. If you have enabled encryption by default, the volume is automatically encrypted with your default KMS key for EBS encryption. Alternatively, you can specify a different symmetric encryption KMS key for that volume creation operation. Because the volume is encrypted from the moment it is first made available, your data is always protected.
By default, the snapshots you take from the volume and the volumes you restore from those encrypted snapshots are encrypted with the KMS key you selected when you created the volume. Because you cannot remove encryption from an encrypted volume or snapshot, a volume restored from an encrypted snapshot, or from a copy of an encrypted snapshot, is always encrypted.
You can share an encrypted snapshot with specific accounts, but public snapshots of encrypted volumes are not supported.
Encrypt unencrypted resources
You cannot directly encrypt existing unencrypted volumes or snapshots. However, you can create encrypted volumes or snapshots from unencrypted ones. If you have enabled encryption by default, Amazon EBS automatically encrypts new volumes and snapshots with your default KMS key for EBS encryption. Otherwise, you can enable encryption when you create an individual volume or snapshot, using either the default KMS key for Amazon EBS encryption or a symmetric customer managed key.
To encrypt a snapshot copy with a customer managed key, you must enable encryption and specify that KMS key.
You can also apply new encryption states when launching an instance from an EBS-backed AMI, because EBS-backed AMIs are built from EBS volume snapshots that can be encrypted as described above.
Amazon EBS encryption requirements
Make sure the following conditions are satisfied before you start.
Conditions
- Types of supported volumes
- Types of supported instances
- User permissions
- Permissions for instances
Types of supported volumes
All EBS volume types support encryption. You can expect the same IOPS performance on encrypted volumes as on unencrypted volumes, with a minimal effect on latency. Encrypted volumes are accessed in the same way as unencrypted volumes; because encryption and decryption are handled transparently, neither you nor your applications need to take any additional action.
Types of supported instances
All instance types from the previous generation and current generation support Amazon EBS encryption.
User permissions
When you use a KMS key for EBS encryption, any user who has been granted access to the required AWS KMS actions by the KMS key policy can use that key to encrypt or decrypt EBS resources. To use EBS encryption, users must be allowed to call the following actions:
- kms:CreateGrant
- kms:Decrypt
- kms:DescribeKey
- kms:GenerateDataKeyWithoutPlaintext
- kms:ReEncrypt* (kms:ReEncryptFrom and kms:ReEncryptTo)
For example, the following IAM policy statement allows kms:CreateGrant on a single key, and only when the grant is created on behalf of an AWS resource such as an EC2 instance (the kms:GrantIsForAWSResource condition), rather than directly by the user:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": [
                "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}
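As an added example that is not from the AWS documentation, the following Python audits a policy document for the actions listed above, matching wildcard actions the way IAM does, and checks that every kms:CreateGrant allowance carries the kms:GrantIsForAWSResource condition. The sample policy, its key ARN and the account ID are constructed placeholders.

```python
import fnmatch
import json

# Actions a user must be allowed to call to use a KMS key for EBS encryption.
# "kms:ReEncrypt*" in a policy expands to the two ReEncrypt actions listed here.
REQUIRED_ACTIONS = (
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom", "kms:ReEncryptTo",
)

# Constructed sample policy; the key ARN and account ID are placeholders, not real values.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:DescribeKey",
                "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*"],
     "Resource": "arn:aws:kms:us-east-2:111122223333:key/PLACEHOLDER-KEY-ID"},
    {"Effect": "Allow",
     "Action": "kms:CreateGrant",
     "Resource": "arn:aws:kms:us-east-2:111122223333:key/PLACEHOLDER-KEY-ID",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(stmt, action):
    # IAM matches action names case-insensitively and honours "*" wildcards.
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(action.lower(), pattern.lower())
        for pattern in _as_list(stmt.get("Action", [])))

def missing_actions(policy):
    """Required EBS-encryption actions that no Allow statement in the policy covers."""
    return [a for a in REQUIRED_ACTIONS
            if not any(_allows(s, a) for s in policy["Statement"])]

def create_grant_is_scoped(policy):
    """True when every Allow covering kms:CreateGrant requires kms:GrantIsForAWSResource,
    so grants can only be created by an AWS service (such as EC2) on the user's behalf."""
    grant_stmts = [s for s in policy["Statement"] if _allows(s, "kms:CreateGrant")]
    return bool(grant_stmts) and all(
        str(s.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")).lower() == "true"
        for s in grant_stmts)

if __name__ == "__main__":
    print("missing actions:", missing_actions(SAMPLE_POLICY))
    print("CreateGrant scoped to AWS resources:", create_grant_is_scoped(SAMPLE_POLICY))
```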
Permissions for instances
Whenever an instance attempts to interact with an encrypted AMI, volume, or snapshot, a KMS key grant is issued to the instance's identity-only role. The identity-only role is an IAM role that the instance uses to interact with encrypted AMIs, volumes, or snapshots on your behalf.
Identity-only roles have no policies attached to them, and they can be created or removed manually. You also cannot access the identity-only role's credentials.
KMS key policies and service control policies (SCPs) apply to identity-only roles. If an SCP or KMS key policy prevents an identity-only role from accessing a KMS key, you may be unable to launch EC2 instances with encrypted volumes, encrypted AMIs, or encrypted snapshots.
If you use AWS global condition keys such as aws:SourceIp, aws:SourceVpc, or aws:SourceVpce to build an SCP or key policy that blocks access based on network location, you must make sure that identity-only roles are exempt from those policy statements.
Identity-only role ARNs have the following format:
arn:aws-partition:iam::account_id:role/aws:ec2-infrastructure/instance_id
When a key grant is issued to an instance, it is granted to the assumed-role session unique to that instance. The grantee principal ARN has the following format:
arn:aws-partition:sts::account_id:assumed-role/aws:ec2-infrastructure/instance_id
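The following Python, added here and not part of the AWS documentation, shows the kind of check a practitioner would run over an SCP before relying on encrypted volumes: it finds Deny statements keyed on the network-location condition keys above that do not exempt the identity-only role. The exemption via ArnNotLike on aws:PrincipalArn, the sample policies, and the VPC, account and instance IDs are my constructions.

```python
import fnmatch

# Global condition keys that restrict access by network location. Calls that EC2 makes to KMS
# on an instance's behalf do not originate from your VPC or IP range, so a Deny keyed on these
# also blocks the instance's identity-only role unless that role is explicitly exempted.
NETWORK_KEYS = ("aws:SourceIp", "aws:SourceVpc", "aws:SourceVpce")
# Identity-only role ARNs all share this shape; the partition, account and instance ID vary.
IDENTITY_ONLY_ROLE_PATTERN = "arn:*:iam::*:role/aws:ec2-infrastructure/*"

# Constructed SCP-style policies; the VPC ID is a placeholder.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideVpc", "Effect": "Deny", "Action": "kms:*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-PLACEHOLDER"}}}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideVpc", "Effect": "Deny", "Action": "kms:*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-PLACEHOLDER"},
                  # Exempt identity-only roles from the network-location restriction.
                  "ArnNotLike": {"aws:PrincipalArn": IDENTITY_ONLY_ROLE_PATTERN}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _uses_network_key(stmt):
    return any(key in keys for keys in stmt.get("Condition", {}).values() for key in NETWORK_KEYS)

def _exempts(stmt, principal_arn):
    # ArnNotLike on aws:PrincipalArn removes matching callers from the statement.
    # fnmatch's "*" approximates the ARN wildcard closely enough for this check.
    patterns = _as_list(stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", []))
    return any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns)

def unexempted_network_denies(policy, principal_arn):
    """Sids of Deny statements that restrict by network location and would still apply
    to principal_arn. Run it with an identity-only role ARN to find statements that would
    stop instances from using encrypted volumes, snapshots or AMIs."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s.get("Effect") == "Deny" and _uses_network_key(s) and not _exempts(s, principal_arn)]

if __name__ == "__main__":
    # Constructed instance ID in the identity-only role ARN format from the text above.
    role = "arn:aws:iam::111122223333:role/aws:ec2-infrastructure/i-0123456789abcdef0"
    print("weak policy blocks:", unexempted_network_denies(WEAK_POLICY, role))
    print("fixed policy blocks:", unexempted_network_denies(FIXED_POLICY, role))
```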
AWS EBS encryption by default
You can configure your AWS account to require that new EBS volumes and snapshot copies are encrypted. For example, Amazon EBS encrypts the volumes created when you launch an instance and the snapshots you copy from an unencrypted snapshot.
Encryption by default does not affect existing EBS volumes or snapshots.
Considerations
- Encryption by default is a Region-specific setting. Once you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.
- All current-generation and previous-generation instance types support Amazon EBS encryption by default.
- Copying a snapshot and encrypting it with a new KMS key produces a full (non-incremental) copy of the snapshot, which increases storage costs.
- Do not enable encryption by default if you are migrating servers with AWS Server Migration Service (SMS). If it is already enabled and you experience problems with delta replication, turn it off. Instead, enable AMI encryption when you create the replication job.
The KMS key associated with an existing encrypted volume or snapshot cannot be changed. However, you can associate a different KMS key during a snapshot copy operation so that the resulting copied snapshot is encrypted with the new KMS key.
Is Amazon EBS encrypted by default?
If you have enabled encryption by default, Amazon EBS automatically encrypts new volumes and snapshots with your default KMS key for EBS encryption.