Elastic Block Store
- Persistent
- Network-attached virtual drive
Instance store-backed EC2: basically the virtual hard drive on the host allocated to the EC2 instance.
- Limited to 10 GB per device
- Ephemeral storage (non-persistent storage)
- The EC2 instance can't be stopped; it can only be rebooted or terminated. Terminating deletes the data.
- EBS volumes behave like raw, unformatted external block storage devices that you can attach to your EC2 instance.
- EBS volumes are block storage devices suitable for database-style data that requires frequent reads and writes.
- EBS volumes are attached to the EC2 instance through the AWS network, like virtual hard drives.
- An EBS volume can be attached to only a single EC2 instance at a time.
- Both the EBS volume and the EC2 instance must be in the same Availability Zone (AZ).
- An EBS volume's data is replicated by AWS across multiple servers in the same AZ to prevent data loss resulting from any single AWS component failure.
- EBS encryption is supported on all EBS volume types and all EC2 instance families.
- Snapshots of encrypted volumes are also encrypted.
- Creating an EBS volume from an encrypted snapshot results in an encrypted volume.
- Data encryption at rest means encrypting data while it is stored on the storage device.
- There are many ways you can encrypt data on an EBS volume at rest while the volume is attached to an EC2 instance:
- Use third-party EBS volume encryption tools.
- Use encrypted EBS volumes.
- Use encryption at the OS level.
- Encrypt data at the application level before storing it on the volume.
- Use an encrypted file system on top of the EBS volume.
- Encrypted volumes are accessed exactly like unencrypted ones; encryption is handled transparently.
- You can attach an encrypted and an unencrypted volume to the same EC2 instance.
- Remember that EBS volumes are not physically attached to the EC2 instance; they are virtually attached through the EBS infrastructure.
- This means that when you encrypt data on an EBS volume, the data is actually encrypted on the EC2 instance and then transferred, already encrypted, to be stored on the EBS volume.
- This means data in transit between EC2 and encrypted EBS volumes is also encrypted.
- There is no direct way to change the encryption state of a volume.
- To change the state indirectly, use either of the following two ways:
- Way 1: Attach a new, encrypted EBS volume to the EC2 instance that has the data to be encrypted, then mount the new volume on the EC2 instance.
- Copy the data from the unencrypted volume to the new volume. Both volumes must be attached to the same EC2 instance.
- Way 2: Create a snapshot of the unencrypted volume.
- Copy the snapshot and choose encryption for the new copy; this creates an encrypted copy of the snapshot.
- Use this new copy to create an EBS volume, which will be encrypted too.
- Attach the new, encrypted EBS volume to the EC2 instance.
* Root EBS volume encryption*
- There is no direct way to change the encryption state of the root volume.
- There is an indirect workaround: launch an instance with the EBS root volume required.
- Do whatever patching or application installation is needed.
- Create an AMI from the EC2 instance.
- Copy the AMI and choose encryption while copying.
- This results in an encrypted AMI that is private to your account only.
- Use the encrypted AMI to launch new EC2 instances, which will have their EBS root volumes encrypted.
* EBS encryption key*
- To encrypt a volume or a snapshot you need an encryption key. These keys are called customer master keys (CMKs) and are managed by the AWS Key Management Service (KMS).
- When encrypting the first EBS volume, AWS KMS creates a default CMK.
- This key is used for your first volume encryption and for the snapshots created from it. After that, each newly encrypted volume gets a unique, separate AES-256-bit encryption key; this key is used to encrypt the volume, its snapshots, and any volumes created from its snapshots.
* Changing encryption key*
- You cannot change the CMK used to encrypt an existing encrypted snapshot or encrypted EBS volume.
- If you want to change the key, create a copy of the snapshot and specify during the copy process that you want to re-encrypt the copy with a different key.
- This comes in handy when you have a snapshot that was encrypted using your default CMK and you want to change the key in order to be able to share the snapshot with other accounts.
* Sharing EBS snapshot*
- By default, only the account owner can create volumes from the account's snapshots.
- You can share your unencrypted snapshots with the AWS community by making them public.
- You can also share your unencrypted snapshots with selected AWS accounts by keeping them private and then selecting the AWS accounts to share with.
- You cannot make your encrypted snapshots public; a snapshot of an encrypted EBS volume can never be made public on AWS.
- You can share an encrypted snapshot with specific AWS accounts as follows:
- Make sure that you use a non-default custom CMK to encrypt the snapshot, not the default CMK; AWS will not allow the sharing if the default CMK is used.
- Configure cross-account permissions to give the accounts with which you want to share the snapshot access to the custom CMK used to encrypt it. Without this, the other accounts will not be able to copy the snapshot, nor will they be able to create volumes from it.
- AWS will not allow you to share snapshots encrypted using your default CMK.
- For the AWS account with which an encrypted snapshot is shared:
- They must first create their own copy of the snapshot.
- Then they use that copy to create (restore) an EBS volume.
- You can only copy a snapshot once it has been fully saved to S3 (its state shows as "completed"), not while the snapshot is in the "pending" state (when data blocks are still being moved to S3).
- Amazon S3 server-side encryption (SSE) protects the snapshot data in transit while copying.
- You can have up to a limited number of snapshot copy requests running in a single destination per account.
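The sharing rules above (custom CMK only, snapshot must be "completed", and the receiving account needs KMS access to the key) as an added Python example; this is not code from the original notes or from AWS. The snapshot/key dictionaries are constructed samples shaped like `describe-snapshots` and `describe-key` output, and the key-policy statements follow the cross-account pattern AWS documents for EBS snapshots.

```python
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Constructed sample data shaped like `aws ec2 describe-snapshots` and
# `aws kms describe-key` output; none of these are real AWS resources.
SAMPLE_SNAPSHOT = {"SnapshotId": "snap-0123456789abcdef0", "State": "completed", "Encrypted": True,
                   "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"}
DEFAULT_EBS_KEY = {"KeyId": "EXAMPLE-KEY-ID", "KeyManager": "AWS"}   # the default aws/ebs CMK
CUSTOM_CMK = {"KeyId": "EXAMPLE-KEY-ID", "KeyManager": "CUSTOMER"}  # a customer-managed CMK

def sharing_blockers(snapshot: dict, key: dict) -> list:
    """Reasons the snapshot cannot be shared with another account (empty list = OK)."""
    problems = []
    if snapshot.get("State") != "completed":
        problems.append("snapshot is still pending; copying/sharing needs state 'completed'")
    if not snapshot.get("Encrypted"):
        problems.append("snapshot is unencrypted; copy it with encryption enabled first")
    elif key.get("KeyManager") != "CUSTOMER":
        problems.append("snapshot uses the default CMK; re-encrypt a copy with a custom CMK")
    return problems

def cross_account_key_statements(target_account: str) -> list:
    """Key-policy statements that let target_account copy the snapshot and create volumes."""
    if not ACCOUNT_ID_RE.match(target_account):
        raise ValueError("AWS account id must be exactly 12 digits")
    principal = {"AWS": "arn:aws:iam::%s:root" % target_account}
    return [
        {"Sid": "AllowUseOfTheCmkForSnapshotCopy", "Effect": "Allow", "Principal": principal,
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
        # EBS creates grants on the CMK when volumes made from the snapshot are attached.
        {"Sid": "AllowGrantsForAwsResources", "Effect": "Allow", "Principal": principal,
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]

def add_to_key_policy(policy_json: str, target_account: str) -> str:
    """Append the sharing statements to an existing key policy document (JSON string)."""
    policy = json.loads(policy_json)
    policy.setdefault("Statement", []).extend(cross_account_key_statements(target_account))
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    for key in (DEFAULT_EBS_KEY, CUSTOM_CMK):
        print(key["KeyManager"], sharing_blockers(SAMPLE_SNAPSHOT, key) or "OK to share")
    print(add_to_key_policy('{"Version": "2012-10-17", "Statement": []}', "222222222222"))
```

Run the preflight before modifying the snapshot's `createVolumePermission`; the policy output is what you would merge into the custom CMK's key policy in the owning account.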