EBS Encryption Flashcards

1
Q

What type of encryption does EBS provide?

A

At rest for block volumes and snapshots

2
Q

Is encryption in EBS enabled by default?

A

No.

3
Q

When you set up a volume, what CMKs can you choose to use?

A

EBS can use the default EBS key (an AWS managed CMK), normally referred to as ‘aws/ebs’, or a customer-managed CMK, which you create and manage yourself.

4
Q

How does encryption work in EBS?

A

The chosen CMK is used by EBS when an encrypted volume is created. The CMK generates an encrypted data encryption key (DEK), which is stored with the volume on the physical disk. This key can only be encrypted by KMS when a role with the proper permissions makes the request.

When the volume is first used, EBS asks KMS to decrypt the key and stores the decrypted key in memory on the EC2 host while it’s being used. At all other times it’s stored on the volume in encrypted form.

When the EC2 instance is using the encrypted volume, it uses the decrypted data encryption key to move data on and off the volume. That key is used for all cryptographic operations as data is read from and written to the volume.

5
Q

What happens with the decrypted DEK stored in the memory of the EC2 host?

A

If an EC2 instance is moved from one host to another then the decrypted data encryption key is discarded, leaving only the encrypted version on the physical storage along with the volume.
To use this volume again, the key needs to be decrypted by KMS and loaded into another EC2 host.

6
Q

What happens when a snapshot is taken from an encrypted EBS volume?

A

The same data encryption key is used for that snapshot (meaning that the snapshot is also encrypted). Anything made from this snapshot is also encrypted in the same way with the same key.

7
Q

Does EBS encryption cost any money? How is it billed?

A

EBS encryption does not cost anything to use and you should always try to use it by default in any systems you are designing.

8
Q

Can you apply a default configuration in EBS so that all EBS volumes are encrypted?

A

Yes, AWS accounts can be set to encrypt volumes by default.

9
Q

When applying default EBS volume encryption, to what scope does it apply?

A

It is applied to the whole region and it is set up in the AWS account settings.

10
Q

When using default encryption for EBS volumes, which keys can you choose?

A

You can use the default key configured or one of your choice.

11
Q

Given that a CMK can only encrypt up to 4 KB of data directly, how is this handled in EBS?

A

A DEK is generated per volume.

12
Q

Can you change an encrypted volume to NOT encrypted?

A

No. The alternative is to mount an unencrypted volume and copy the data over, but you can’t change the original volume.

13
Q

Is the OS aware of the encryption of EBS volumes?

A

No, this is transparent to the EC2 instance and there is no impact on the performance of the instance or volume.

14
Q

What encryption algorithm is used to encrypt volumes?

A

AES-256
