Creation of an encrypted EBS volume results in the following:
- Data at rest is encrypted by default
- All EBS Volume snapshots are encrypted and therefore all volumes created from the snapshot will also be encrypted
- Data moving between the EBS volume and EC2 instance is also encrypted
- AWS handles all the encryption and decryption transparently and therefore there is no maintenance needed on behalf of the AWS user
- EBS encryption uses AWS Key Management Service (KMS) specifically AES-256 encryption
From a latency point of view AWS Encryption has minimal impact and it is possible to encrypt an un-encrypted snapshot by copying it, enabling encryption and then attaching the encrypted volume to the EC2 instance.