Amazon Elastic Compute Cloud
User Guide for Windows Instances

Amazon EBS Encryption

Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses AWS Key Management Service (AWS KMS) customer master keys (CMKs) when creating encrypted volumes and snapshots.

Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.

How EBS Encryption Works

You can encrypt both the boot and data volumes of an EC2 instance. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

  • Data at rest inside the volume

  • All data moving between the volume and the instance

  • All snapshots created from the volume

  • All volumes created from those snapshots

EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm. Your data key is stored on disk alongside your encrypted data, but only after EBS has encrypted it with your CMK. Your data key never appears on disk in plaintext. The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots. For more information, see Data Keys in the AWS Key Management Service Developer Guide.

Amazon EBS works with AWS KMS to encrypt and decrypt your EBS volumes as follows:

  1. Amazon EBS sends a CreateGrant request to AWS KMS, so that it can decrypt the data key.

  2. Amazon EBS sends a GenerateDataKeyWithoutPlaintext request to AWS KMS, specifying the CMK to use to encrypt the volume.

  3. AWS KMS generates a new data key, encrypts it under the specified CMK, and sends the encrypted data key to Amazon EBS to be stored with the volume metadata.

  4. When you attach an encrypted volume to an instance, Amazon EBS sends a Decrypt request to AWS KMS, specifying the encrypted data key.

  5. AWS KMS decrypts the encrypted data key and sends the decrypted data key to Amazon EBS.

  6. Amazon EBS uses the plaintext data key in hypervisor memory to encrypt disk I/O to the volume. The plaintext data key persists in memory as long as the volume is attached to the instance.

For more information, see How Amazon Elastic Block Store (Amazon EBS) Uses AWS KMS and AWS KMS Log File Entries in the AWS Key Management Service Developer Guide.

Requirements

Before you begin, verify that the following requirements are met.

Supported Volume Types

Encryption is supported by all EBS volume types. You can expect the same IOPS performance on encrypted volumes as on unencrypted volumes, with a minimal effect on latency. You can access encrypted volumes the same way that you access unencrypted volumes. Encryption and decryption are handled transparently, and they require no additional action from you or your applications.

Supported Instance Types

Amazon EBS encryption is available on the instance types listed below. You can attach both encrypted and unencrypted volumes to these instance types simultaneously.

  • General purpose: M3, M4, M5, M5a, M5ad, M5d, M5dn, M5n, T2, T3, and T3a

  • Compute optimized: C3, C4, C5, C5d, and C5n

  • Memory optimized: cr1.8xlarge, R3, R4, R5, R5a, R5ad, R5d, R5dn, R5n, u-6tb1.metal, u-9tb1.metal, u-12tb1.metal, u-18tb1.metal, u-24tb1.metal, X1, X1e, and z1d

  • Storage optimized: D2, h1.2xlarge, h1.4xlarge, I2, I3, and I3en

  • Accelerated computing: F1, G2, G3, G4, P2, and P3

Permissions for IAM Users

When you configure a CMK as the default key for EBS encryption, the default key policy allows any IAM user with access to the required KMS actions to use this key to encrypt or decrypt EBS resources. You must grant IAM users permission to call the following actions in order to use EBS encryption:

  • kms:CreateGrant

  • kms:Decrypt

  • kms:DescribeKey

  • kms:GenerateDataKeyWithoutPlaintext

  • kms:ReEncrypt

To follow the principle of least privilege, do not allow full access to kms:CreateGrant. Instead, allow the user to create grants on the CMK only when the grant is created on the user's behalf by an AWS service, as shown in the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": [
                "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}

For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.
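The following check is an added example, not part of the EC2 User Guide: it applies the advice above to an IAM policy document and reports each Allow statement that grants kms:CreateGrant without the kms:GrantIsForAWSResource condition. Both sample policies are constructed; the first is the statement shown above, the second a deliberately broad variant.

```python
"""Flag IAM policy statements that grant kms:CreateGrant without the
kms:GrantIsForAWSResource condition (added example, not AWS documentation)."""
import fnmatch
import json


def _as_list(value):
    """IAM accepts either a string or a list for Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_create_grant(statement):
    """True for an Allow statement whose Action patterns match kms:CreateGrant.
    Only Action is inspected; NotAction and Deny statements are out of scope here."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatch("kms:creategrant", pattern.lower())
               for pattern in _as_list(statement.get("Action")))


def _restricted_to_aws_resource(statement):
    """True if Condition/Bool/kms:GrantIsForAWSResource is present and set to true."""
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    for key, value in bool_cond.items():
        if key.lower() == "kms:grantisforawsresource":
            return all(str(v).lower() == "true" for v in _as_list(value))
    return False


def find_unrestricted_create_grant(policy_json):
    """Return the Sid (or positional label) of each over-broad CreateGrant statement."""
    policy = json.loads(policy_json)
    return [stmt.get("Sid", f"Statement[{i}]")
            for i, stmt in enumerate(_as_list(policy.get("Statement")))
            if _allows_create_grant(stmt) and not _restricted_to_aws_resource(stmt)]


# Constructed sample policies. KEY_ARN reuses the example key ARN from the guide.
KEY_ARN = "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:CreateGrant", "Resource": [KEY_ARN],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EbsKeyUse", "Effect": "Allow", "Resource": KEY_ARN,
     "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext"]},
    {"Sid": "AnyGrant", "Effect": "Allow", "Action": "kms:Create*", "Resource": KEY_ARN}]})

if __name__ == "__main__":
    print("restricted policy findings:", find_unrestricted_create_grant(RESTRICTED_POLICY))
    print("broad policy findings:", find_unrestricted_create_grant(BROAD_POLICY))
```

The wildcard match matters in practice: a statement allowing kms:Create* or kms:* grants CreateGrant just as surely as naming it, so the check normalises on the action pattern rather than on the literal string.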

Default Key for EBS Encryption

Amazon EBS automatically creates a unique AWS managed CMK in each Region where you store AWS resources. This key has the alias alias/aws/ebs. By default, Amazon EBS uses this key for encryption. Alternatively, you can specify a customer managed CMK that you created as the default key for EBS encryption. Using your own CMK gives you more flexibility, including the ability to create, rotate, and disable keys.

To configure the default key for EBS encryption for a Region

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar, select the Region.

  3. Choose Account Attributes, Settings.

  4. Choose Change the default key and then choose an available key.

  5. Choose Update.

Encryption by Default

You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot. For examples of transitioning from unencrypted to encrypted EBS resources, see Encrypting Unencrypted Resources.

Encryption by default has no effect on existing EBS volumes or snapshots.

Considerations

  • Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.

  • When you enable encryption by default, you can launch an instance only if the instance type supports EBS encryption. For more information, see Supported Instance Types.

  • When migrating servers using AWS Server Migration Service (SMS), do not turn on encryption by default. If encryption by default is already on and you are experiencing delta replication failures, turn off encryption by default. Instead, enable AMI encryption when you create the replication job.

To enable encryption by default for a Region

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar, select the Region.

  3. From the navigation pane, select EC2 Dashboard.

  4. In the upper-right corner of the page, choose Account Attributes, Settings.

  5. Under EBS Storage, select Always encrypt new EBS volumes.

  6. Choose Update.

Encrypting EBS Resources

You encrypt EBS volumes by enabling encryption, either using encryption by default or by enabling encryption when you create a volume that you want to encrypt.

When you encrypt a volume, you can specify the CMK to use to encrypt the volume. If you do not specify a CMK, the key that is used for encryption depends on the encryption state of the source snapshot and its ownership. For more information, see the encryption outcomes table.

You cannot change the CMK that is associated with an existing snapshot or volume. However, you can associate a different CMK during a snapshot copy operation so that the resulting copied snapshot is encrypted by the new CMK.

Creating New Empty Volumes with Encryption

When you create a new, empty EBS volume, you can encrypt it by enabling encryption for the specific volume creation operation. If you enabled EBS encryption by default, the volume is automatically encrypted. By default, the volume is encrypted to your default key for EBS encryption. Alternatively, you can specify a different CMK for the specific volume creation operation. The volume is encrypted by the time it is first available, so your data is always secured. For detailed procedures, see Creating an Amazon EBS Volume.

By default, the CMK that you selected when creating a volume encrypts the snapshots that you make from the volume and the volumes that you restore from those encrypted snapshots. You cannot remove encryption from an encrypted volume or snapshot, which means that a volume restored from an encrypted snapshot, or a copy of an encrypted snapshot, is always encrypted.

Public snapshots of encrypted volumes are not supported, but you can share an encrypted snapshot with specific accounts. For detailed directions, see Sharing an Amazon EBS Snapshot.

Encrypting Unencrypted Resources

Although there is no direct way to encrypt an existing unencrypted volume or snapshot, you can encrypt them by creating either a volume or a snapshot. If you enabled encryption by default, Amazon EBS encrypts the resulting new volume or snapshot using your default key for EBS encryption. Even if you have not enabled encryption by default, you can enable encryption when you create an individual volume or snapshot. Whether you enable encryption by default or in individual creation operations, you can override the default key for EBS encryption and select a customer managed CMK. For more information, see Creating an Amazon EBS Volume and Copying an Amazon EBS Snapshot.

To encrypt the snapshot copy to a customer managed CMK, you must both enable encryption and specify the key, as shown in Copy an Unencrypted Snapshot (Encryption by Default Not Enabled).

You can also apply new encryption states when launching an instance from an EBS-backed AMI. This is because EBS-backed AMIs include snapshots of EBS volumes that can be encrypted as described. For more information, see Using Encryption with EBS-Backed AMIs.

Encryption Scenarios

When you create an encrypted EBS resource, it is encrypted by your account's default key for EBS encryption unless you specify a different customer managed CMK in the volume creation parameters or the block device mapping for the AMI or instance. For more information, see Default Key for EBS Encryption.

The following examples illustrate how you can manage the encryption state of your volumes and snapshots. For a full list of encryption cases, see the encryption outcomes table.

Restore an Unencrypted Volume (Encryption by Default Not Enabled)

Without encryption by default enabled, a volume restored from an unencrypted snapshot is unencrypted by default. However, you can encrypt the resulting volume by setting the Encrypted parameter and, optionally, the KmsKeyId parameter. The following diagram illustrates the process.

If you leave out the KmsKeyId parameter, the resulting volume is encrypted using your default key for EBS encryption. You must specify a key ID to encrypt the volume to a different CMK.

For more information, see Restoring an Amazon EBS Volume from a Snapshot.

Restore an Unencrypted Volume (Encryption by Default Enabled)

When you have enabled encryption by default, encryption is mandatory for volumes restored from unencrypted snapshots, and no encryption parameters are required for your default CMK to be used. The following diagram shows this simple default case:

If you want to encrypt the restored volume to a customer managed CMK, you must supply both the Encrypted and KmsKeyId parameters as shown in Restore an Unencrypted Volume (Encryption by Default Not Enabled).

Copy an Unencrypted Snapshot (Encryption by Default Not Enabled)

Without encryption by default enabled, a copy of an unencrypted snapshot is unencrypted by default. However, you can encrypt the resulting snapshot by setting the Encrypted parameter and, optionally, the KmsKeyId parameter. If you omit KmsKeyId, the resulting snapshot is encrypted by your default CMK. You must specify a key ID to encrypt the snapshot copy to a different CMK.

The following diagram illustrates the process.

Figure: Create an encrypted snapshot from an unencrypted snapshot.

Note

If you copy a snapshot and encrypt it to a new CMK, a complete (non-incremental) copy is always created, resulting in additional delay and storage costs.

You can encrypt an EBS volume by copying an unencrypted snapshot to an encrypted snapshot and then creating a volume from the encrypted snapshot. For more information, see Copying an Amazon EBS Snapshot.

Copy an Unencrypted Snapshot (Encryption by Default Enabled)

When you have enabled encryption by default, encryption is mandatory for copies of unencrypted snapshots, and no encryption parameters are required if your default CMK is used. The following diagram illustrates this default case:

Figure: Create an encrypted snapshot from an unencrypted snapshot.

Note

If you copy a snapshot and encrypt it to a new CMK, a complete (non-incremental) copy is always created, resulting in additional delay and storage costs.

Re-Encrypt an Encrypted Volume

When the CreateVolume action operates on an encrypted snapshot, you have the option of re-encrypting it with a different CMK. The following diagram illustrates the process. In this example, you own two CMKs, CMK A and CMK B. The source snapshot is encrypted by CMK A. During volume creation, with the key ID of CMK B specified as a parameter, the source data is automatically decrypted, then re-encrypted by CMK B.

Figure: Copy an encrypted snapshot and encrypt the copy to a new key.

Note

If you copy a snapshot and encrypt it to a new CMK, a complete (non-incremental) copy is always created, resulting in additional delay and storage costs.

For more information, see Restoring an Amazon EBS Volume from a Snapshot.

Re-Encrypt an Encrypted Snapshot

The ability to encrypt a snapshot during copying allows you to apply a new CMK to an already-encrypted snapshot that you own. Volumes restored from the resulting copy are only accessible using the new CMK. The following diagram illustrates the process. In this example, you own two CMKs, CMK A and CMK B. The source snapshot is encrypted by CMK A. During copy, with the key ID of CMK B specified as a parameter, the source data is automatically re-encrypted by CMK B.

Figure: Copy an encrypted snapshot and encrypt the copy to a new key.

Note

If you copy a snapshot and encrypt it to a new CMK, a complete (non-incremental) copy is always created, resulting in additional delay and storage costs.

In a related scenario, you can choose to apply new encryption parameters to a copy of a snapshot that has been shared with you. By default, the copy is encrypted with a CMK shared by the snapshot's owner. However, we recommend that you create a copy of the shared snapshot using a different CMK that you control. This protects your access to the volume if the original CMK is compromised, or if the owner revokes the CMK for any reason. For more information, see Encryption and Snapshot Copying.

Migrate Data between Encrypted and Unencrypted Volumes

When you have access to both an encrypted and unencrypted volume, you can freely transfer data between them. EC2 carries out the encryption and decryption operations transparently.

For example, use the robocopy command to copy the data. In the following command, the source data is located in D:\ and the destination volume is mounted at E:\.

PS C:\> robocopy D:\sourcefolder E:\destinationfolder /e /copyall /eta

We recommend using folders rather than copying an entire volume, as this avoids potential problems with hidden folders.

Encryption Outcomes

The following table describes the encryption outcome for each possible combination of settings.

Is encryption enabled? | Is encryption by default enabled? | Source of volume                             | Default (no CMK specified) | Custom (CMK specified)
-----------------------|-----------------------------------|----------------------------------------------|----------------------------|-------------------------------
No                     | No                                | New (empty) volume                           | Unencrypted                | N/A
No                     | No                                | Unencrypted snapshot that you own            | Unencrypted                | N/A
No                     | No                                | Encrypted snapshot that you own              | Encrypted by same key      | N/A
No                     | No                                | Unencrypted snapshot that is shared with you | Unencrypted                | N/A
No                     | No                                | Encrypted snapshot that is shared with you   | Encrypted by default CMK*  | N/A
Yes                    | No                                | New volume                                   | Encrypted by default CMK   | Encrypted by a specified CMK**
Yes                    | No                                | Unencrypted snapshot that you own            | Encrypted by default CMK   | Encrypted by a specified CMK**
Yes                    | No                                | Encrypted snapshot that you own              | Encrypted by same key      | Encrypted by a specified CMK**
Yes                    | No                                | Unencrypted snapshot that is shared with you | Encrypted by default CMK   | Encrypted by a specified CMK**
Yes                    | No                                | Encrypted snapshot that is shared with you   | Encrypted by default CMK   | Encrypted by a specified CMK**
No                     | Yes                               | New (empty) volume                           | Encrypted by default CMK   | N/A
No                     | Yes                               | Unencrypted snapshot that you own            | Encrypted by default CMK   | N/A
No                     | Yes                               | Encrypted snapshot that you own              | Encrypted by same key      | N/A
No                     | Yes                               | Unencrypted snapshot that is shared with you | Encrypted by default CMK   | N/A
No                     | Yes                               | Encrypted snapshot that is shared with you   | Encrypted by default CMK   | N/A
Yes                    | Yes                               | New volume                                   | Encrypted by default CMK   | Encrypted by a specified CMK
Yes                    | Yes                               | Unencrypted snapshot that you own            | Encrypted by default CMK   | Encrypted by a specified CMK
Yes                    | Yes                               | Encrypted snapshot that you own              | Encrypted by same key      | Encrypted by a specified CMK
Yes                    | Yes                               | Unencrypted snapshot that is shared with you | Encrypted by default CMK   | Encrypted by a specified CMK
Yes                    | Yes                               | Encrypted snapshot that is shared with you   | Encrypted by default CMK   | Encrypted by a specified CMK

* This is the default CMK used for EBS encryption for the AWS account and Region. By default this is a unique AWS managed CMK for EBS, or you can specify a customer managed CMK. For more information, see Default Key for EBS Encryption.

** This is a customer managed CMK specified for the volume at launch time. This CMK is used instead of the default CMK for the AWS account and Region.

Setting Encryption Defaults Using the API and CLI

You can manage encryption by default and the default customer master key (CMK) using the following API actions and CLI commands.

API action                    | CLI command                       | Description
------------------------------|-----------------------------------|----------------------------------------------------------------------------------
DisableEbsEncryptionByDefault | disable-ebs-encryption-by-default | Disables encryption by default.
EnableEbsEncryptionByDefault  | enable-ebs-encryption-by-default  | Enables encryption by default.
GetEbsDefaultKmsKeyId         | get-ebs-default-kms-key-id        | Describes the default CMK.
GetEbsEncryptionByDefault     | get-ebs-encryption-by-default     | Indicates whether encryption by default is enabled.
ModifyEbsDefaultKmsKeyId      | modify-ebs-default-kms-key-id     | Changes the default CMK used to encrypt EBS volumes.
ResetEbsDefaultKmsKeyId       | reset-ebs-default-kms-key-id      | Resets the AWS managed default CMK as the default CMK used to encrypt EBS volumes.
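The script below is an added example, not part of the EC2 User Guide. It turns the GetEbsEncryptionByDefault and GetEbsDefaultKmsKeyId actions above, together with DescribeVolumes, into a per-Region audit: whether encryption by default is on, which key is the default, which volumes are still unencrypted, and how many volumes each KMS key protects. It accepts any object with the boto3 EC2 client methods of those names; the _FakeEc2 class is constructed sample data so it runs offline, and in practice you would pass boto3.client("ec2", region_name=...).

```python
"""Audit a Region's EBS encryption posture (added example, not AWS documentation)."""
import json


def audit_ebs_encryption(ec2):
    """Summarise encryption by default, the default CMK and per-volume state.
    `ec2` is a boto3 EC2 client (or any object exposing the same three methods)."""
    report = {
        # The two account-level actions listed in the guide.
        "encryption_by_default": ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"],
        "default_kms_key_id": ec2.get_ebs_default_kms_key_id()["KmsKeyId"],
        "unencrypted_volumes": [],
        "volumes_per_key": {},
    }
    token = None  # DescribeVolumes is paginated; follow NextToken to the last page.
    while True:
        page = ec2.describe_volumes(**({"NextToken": token} if token else {}))
        for vol in page["Volumes"]:
            if not vol["Encrypted"]:
                report["unencrypted_volumes"].append(vol["VolumeId"])
            else:
                key = vol["KmsKeyId"]
                report["volumes_per_key"][key] = report["volumes_per_key"].get(key, 0) + 1
        token = page.get("NextToken")
        if not token:
            break
    # Encryption by default does not touch existing volumes, so either finding needs follow-up.
    report["needs_action"] = not report["encryption_by_default"] or bool(report["unencrypted_volumes"])
    return report


class _FakeEc2:
    """Constructed stand-in for boto3's EC2 client, mirroring the real response shapes:
    AWS managed default key, encryption by default off, two pages of volumes."""
    KEY_ARN = "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"
    _PAGES = {
        None: {"Volumes": [{"VolumeId": "vol-0a1", "Encrypted": False},
                            {"VolumeId": "vol-0a2", "Encrypted": True, "KmsKeyId": KEY_ARN}],
               "NextToken": "page2"},
        "page2": {"Volumes": [{"VolumeId": "vol-0b1", "Encrypted": True, "KmsKeyId": KEY_ARN},
                              {"VolumeId": "vol-0b2", "Encrypted": False}]},
    }

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": False}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": "alias/aws/ebs"}

    def describe_volumes(self, NextToken=None):
        return self._PAGES[NextToken]


if __name__ == "__main__":
    print(json.dumps(audit_ebs_encryption(_FakeEc2()), indent=2))
```

Unencrypted volumes in the report cannot be fixed by turning on encryption by default; each needs the snapshot-copy-and-restore path described under Encrypting Unencrypted Resources.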