08 - How to Encrypt an EBS Volume Attached to EC2 Lab Flashcards
1
Q
EBS Volume
A
- EC2 instances and EBS volumes must be in the same Availability Zone
- You can modify volume size, IOPS and volume type on the fly (Elastic Volumes), except for Magnetic (standard) volumes
- Snapshots are stored per Region, not per AZ: to move a volume to another AZ, take a snapshot and create a new volume from it in the target AZ
- To move a volume to another Region, copy the snapshot to that Region first, then create the volume there
- If the volume is a root device, register an AMI from the snapshot and launch a new instance from it
2
Q
Encryption Restrictions
A
- Volumes created from encrypted snapshots are always encrypted
- Volumes created from unencrypted snapshots are unencrypted unless you enable encryption when creating the volume (or the account has EBS encryption by default turned on)
- If no snapshot is selected, you can choose to encrypt the new volume; encryption is set at creation time and cannot be switched on or off for an existing volume
3
Q
Encrypting Root Volume
A
- You can encrypt the root volume (the volume the OS is installed on) either inside the guest with OS-level encryption, or with EBS encryption
- EBS encryption cannot be turned on for an existing root volume: take a snapshot of it, then copy the snapshot with encryption enabled
- Register an AMI from the encrypted snapshot and launch a new instance from it; the new instance's root device volume is encrypted
- Additional (non-root) volumes can be created encrypted from the console, CLI or API, or migrated the same way through an encrypted snapshot copy
4
Q
Volumes - Summary
A
Volumes:
- Volumes exist on EBS
- Volumes are Virtual Hard Disks
- Volumes must always be in the same availability zone as the EC2 instance
- Volume sizes can be adjusted on the fly, including changing the size and storage type
- To move a volume to another AZ, take a snapshot and create a volume from it in the target AZ; to move it to another Region, copy the snapshot (or an AMI built from it) to that Region first
5
Q
Snapshot - Summary
A
Snapshots
- Snapshots are stored in S3 (managed by AWS; they do not appear in your buckets)
- Snapshots are point-in-time copies of volumes
- Snapshots are incremental: only the blocks that have changed since the last snapshot are written to S3, which is why the first snapshot takes longest
6
Q
Snapshot of Root Device Volumes
A
Snapshot of Root Device Volumes
- To get a consistent snapshot of an EBS volume that serves as a root device, stop the instance first so cached writes are flushed to the volume
- You can still snapshot a running instance, but data not yet written to disk is not captured
7
Q
AMI’s
A
AMI’s
- You can create AMIs from an instance (its attached volumes are snapshotted for you) or by registering an existing snapshot as the root device
8
Q
Security
A
Security
- Snapshots of encrypted volumes are encrypted automatically, with the same KMS key as the volume
- Volumes restored from encrypted snapshots are encrypted automatically
- Unencrypted snapshots can be shared with specific AWS accounts or made public
- Encrypted snapshots can never be made public; they can be shared with specific accounts only if they were encrypted with a customer managed KMS key whose key policy grants those accounts access
- Snapshots encrypted with the AWS managed default key (aws/ebs) cannot be shared at all; copy them under a customer managed key first
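The procedure in card 3 and the sharing rules in card 8, carried through in code. This is an added example for these flashcards, not AWS or course code. FakeEC2 and FakeKMS are constructed stand-ins for boto3's ec2 and kms clients: they implement only the calls used below, with boto3's method names and argument shapes, so the two workflow functions can also be handed a real boto3.client("ec2") and boto3.client("kms") (boto3 is assumed to be installed by the reader and is not imported here). Every volume, snapshot, AMI ID and key ARN is made up.

```python
"""Encrypt a root volume (snapshot -> encrypted copy -> AMI) and decide how the
resulting snapshot may be shared.  Added example; the Fake* clients are
constructed stand-ins for boto3 clients and all IDs/ARNs are invented."""
import itertools

REGION = "us-east-1"  # assumed Region of the source volume
# Constructed key ARNs: the account's AWS managed EBS key and a customer managed key.
AWS_MANAGED_EBS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-aws-ebs-default"
CUSTOMER_KEY = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-customer-managed"


class FakeKMS:
    """describe_key reports KeyManager as 'AWS' or 'CUSTOMER', as the real API does."""
    def describe_key(self, KeyId):
        manager = "AWS" if KeyId == AWS_MANAGED_EBS_KEY else "CUSTOMER"
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": manager}}


class FakeEC2:
    """In-memory EC2: snapshots inherit encryption, encrypted copies never lose it."""
    def __init__(self):
        self._seq = itertools.count(1)
        self.snapshots, self.images, self.shares = {}, {}, {}

    def _id(self, prefix):
        return f"{prefix}-{next(self._seq):017x}"

    def create_snapshot(self, VolumeId, Description=""):
        sid = self._id("snap")  # the root volume in this scenario is unencrypted
        self.snapshots[sid] = {"SnapshotId": sid, "VolumeId": VolumeId,
                               "Encrypted": False, "KmsKeyId": None}
        return dict(self.snapshots[sid])

    def copy_snapshot(self, SourceSnapshotId, SourceRegion, Encrypted=False,
                      KmsKeyId=None, Description=""):
        src = self.snapshots[SourceSnapshotId]
        encrypted = Encrypted or src["Encrypted"]  # encrypted source -> always encrypted copy
        key = (KmsKeyId or src["KmsKeyId"] or AWS_MANAGED_EBS_KEY) if encrypted else None
        sid = self._id("snap")
        self.snapshots[sid] = {"SnapshotId": sid, "VolumeId": src["VolumeId"],
                               "Encrypted": encrypted, "KmsKeyId": key}
        return {"SnapshotId": sid}

    def describe_snapshots(self, SnapshotIds):
        return {"Snapshots": [dict(self.snapshots[s]) for s in SnapshotIds]}

    def register_image(self, Name, RootDeviceName, BlockDeviceMappings, **kwargs):
        iid = self._id("ami")
        self.images[iid] = {"ImageId": iid, "Name": Name, "RootDeviceName": RootDeviceName,
                            "BlockDeviceMappings": BlockDeviceMappings}
        return {"ImageId": iid}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType,
                                  UserIds=(), GroupNames=()):
        self.shares.setdefault(SnapshotId, set()).update(UserIds, GroupNames)
        return {}


def encrypt_root_volume(ec2, volume_id, kms_key_id, region=REGION):
    """Card 3: snapshot the (stopped) instance's root volume, copy the snapshot with
    encryption, register an AMI whose root device is the encrypted copy.
    Returns (encrypted_snapshot_id, image_id)."""
    plain = ec2.create_snapshot(VolumeId=volume_id, Description=f"root of {volume_id}")
    enc = ec2.copy_snapshot(SourceSnapshotId=plain["SnapshotId"], SourceRegion=region,
                            Encrypted=True, KmsKeyId=kms_key_id,
                            Description="encrypted copy of " + plain["SnapshotId"])
    image = ec2.register_image(
        Name=f"encrypted-root-{volume_id}", RootDeviceName="/dev/xvda",
        BlockDeviceMappings=[{"DeviceName": "/dev/xvda",
                              "Ebs": {"SnapshotId": enc["SnapshotId"],
                                      "DeleteOnTermination": True}}],
        VirtualizationType="hvm", EnaSupport=True)
    return enc["SnapshotId"], image["ImageId"]


def sharing_options(ec2, kms, snapshot_id):
    """Card 8: {'accounts', 'public'} for an unencrypted snapshot, {'accounts'} when
    encrypted with a customer managed key, empty under the AWS managed key."""
    snap = ec2.describe_snapshots(SnapshotIds=[snapshot_id])["Snapshots"][0]
    if not snap["Encrypted"]:
        return {"accounts", "public"}
    manager = kms.describe_key(KeyId=snap["KmsKeyId"])["KeyMetadata"]["KeyManager"]
    return {"accounts"} if manager == "CUSTOMER" else set()


def share_snapshot(ec2, kms, snapshot_id, account_ids=(), public=False):
    """Grant createVolumePermission only where the encryption state allows it;
    returns the grantees written (account IDs, plus 'all' for public)."""
    allowed = sharing_options(ec2, kms, snapshot_id)
    if public and "public" not in allowed:
        raise ValueError(f"{snapshot_id} is encrypted and cannot be made public")
    if account_ids and "accounts" not in allowed:
        raise ValueError(f"{snapshot_id} uses the AWS managed EBS key; "
                         "copy it under a customer managed key before sharing")
    kwargs = {"SnapshotId": snapshot_id, "Attribute": "createVolumePermission",
              "OperationType": "add"}
    if account_ids:
        kwargs["UserIds"] = list(account_ids)
    if public:
        kwargs["GroupNames"] = ["all"]
    ec2.modify_snapshot_attribute(**kwargs)
    return sorted(list(account_ids) + (["all"] if public else []))


if __name__ == "__main__":
    ec2, kms = FakeEC2(), FakeKMS()
    snap, ami = encrypt_root_volume(ec2, "vol-0123456789abcdef0", CUSTOMER_KEY)
    print(snap, ami, sharing_options(ec2, kms, snap))
```

Against real clients the calls are asynchronous: both snapshots come back in the pending state, so wait with ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[...]) before register_image, and remember that sharing an encrypted snapshot also needs the customer managed key's policy to grant the receiving account use of the key.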
9
Q
EFS
A
EFS
- Centralized, shared file storage accessed over NFS
- User-level and directory-level permissions (POSIX file permissions)
- Built for shared access: many EC2 instances can connect to the same file system
- Access behaviour
- Read-after-write consistency
- EFS can be mounted simultaneously by multiple EC2 instances, so data on it can be accessed by many instances at once
- EFS can support thousands of concurrent NFS connections
Storage
- Storage capacity is elastic (growing and shrinking automatically)
- Is file-based storage (NFSv4), not block storage like EBS and not object storage like S3
- Only pay for the storage you use (no pre-provisioning required) (EBS requires you to create and attach the volume before it can be used)
- Data stored across multiple AZ’s in a Region
Security
- Each EFS mount target has its own security group; it must allow inbound NFS (TCP port 2049) from the security group of the EC2 instances that mount it (the instances and the file system do not have to share one security group)