AWS EBS Encryption

Creation of an encrypted EBS volume results in the following:

  • Data at rest is encrypted by default
  • All EBS Volume snapshots are encrypted and therefore all volumes created from the snapshot will also be encrypted
  • Data moving between the EBS volume and EC2 instance is also encrypted
  • AWS handles all the encryption and decryption transparently and therefore there is no maintenance needed on behalf of the AWS user
  • EBS encryption uses AWS Key Management Service (KMS) specifically AES-256 encryption

From a latency point of view AWS Encryption has minimal impact and it is possible to encrypt an un-encrypted snapshot by copying it, enabling encryption and then attaching the encrypted volume to the EC2 instance.