AWS EBS Encryption

Creation of an encrypted EBS volume results in the following:

  • Data at rest is encrypted by default
  • All snapshots of the EBS volume are encrypted, and therefore every volume created from such a snapshot is also encrypted
  • Data moving between the EBS volume and the EC2 instance is also encrypted
  • AWS handles all encryption and decryption transparently, so no maintenance is needed on the part of the AWS user
  • EBS encryption uses keys managed by AWS Key Management Service (KMS) and the AES-256 algorithm

From a latency point of view, EBS encryption has minimal impact. An unencrypted snapshot can be encrypted by copying it with encryption enabled and then attaching a volume created from the encrypted copy to the EC2 instance.
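The copy-with-encryption procedure above, written out as an added AWS CLI example (this is not code from the original post; the snapshot id, region, KMS key alias, instance id, availability zone and device name are placeholders you substitute). The `run` wrapper lets you set `DRY_RUN=1` to print the commands instead of executing them, and the final function is the check a practitioner wants afterwards: confirm that every volume you care about reports `Encrypted` as true.

```shell
#!/bin/sh
# Added example, not from the original post. Re-encrypts an unencrypted EBS
# snapshot by copying it with encryption enabled, creates a volume from the
# encrypted copy, attaches it, and verifies the result.
# All ids (snap-..., i-..., alias/...) are placeholders.

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: copy the unencrypted snapshot; the copy is encrypted with the given
# KMS key. Prints the new snapshot id.
copy_snapshot_encrypted() {
    src_snapshot="$1"; region="$2"; kms_key="$3"
    run aws ec2 copy-snapshot \
        --source-snapshot-id "$src_snapshot" \
        --source-region "$region" \
        --region "$region" \
        --encrypted \
        --kms-key-id "$kms_key" \
        --query SnapshotId --output text
}

# Step 2: a volume created from an encrypted snapshot is encrypted as well.
# Prints the new volume id.
create_volume_from_snapshot() {
    snapshot="$1"; az="$2"; region="$3"
    run aws ec2 create-volume \
        --snapshot-id "$snapshot" \
        --availability-zone "$az" \
        --volume-type gp3 \
        --region "$region" \
        --query VolumeId --output text
}

# Step 3: attach the encrypted volume to the instance.
attach_volume() {
    volume="$1"; instance="$2"; device="$3"; region="$4"
    run aws ec2 attach-volume \
        --volume-id "$volume" \
        --instance-id "$instance" \
        --device "$device" \
        --region "$region"
}

# Whole procedure, waiting for each resource to become usable.
reencrypt_and_attach() {
    src_snapshot="$1"; region="$2"; kms_key="$3"
    az="$4"; instance="$5"; device="$6"
    new_snap=$(copy_snapshot_encrypted "$src_snapshot" "$region" "$kms_key")
    run aws ec2 wait snapshot-completed --snapshot-ids "$new_snap" --region "$region"
    new_vol=$(create_volume_from_snapshot "$new_snap" "$az" "$region")
    run aws ec2 wait volume-available --volume-ids "$new_vol" --region "$region"
    attach_volume "$new_vol" "$instance" "$device" "$region"
}

# Check: takes the text output of
#   aws ec2 describe-volumes --query 'Volumes[].Encrypted' --output text
# (one True/False per line) and succeeds only if every volume is encrypted.
all_volumes_encrypted() {
    printf '%s\n' "$1" | grep -v '^$' | grep -qvi '^true$' && return 1
    return 0
}

# Dry-run demonstration with placeholder ids (prints the commands only).
DRY_RUN=1 reencrypt_and_attach snap-0123456789abcdef0 us-east-1 alias/ebs-key \
    us-east-1a i-0123456789abcdef0 /dev/sdf
```

For real use, unset `DRY_RUN`, make sure the caller has `ec2:CopySnapshot` plus `kms:GenerateDataKey*`/`kms:CreateGrant` on the chosen key, and run the check with the output of `aws ec2 describe-volumes --volume-ids <ids> --query 'Volumes[].Encrypted' --output text`; a `False` line means a volume is still unencrypted.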