AWS Block Storage Encryption Secures Volumes and Snapshots

Enterprises continually need reliable, secure cloud storage for their applications and development environments. Amazon Web Services (AWS) offers Elastic Block Store (EBS) volumes, a cost-effective block storage service that suits many types of applications and lets customers store and manage their data efficiently in a more secure environment. EBS is also highly scalable: volume capacity can be grown in increments as small as 1 GB without disrupting running workloads.


AWS Block Storage Features

The AWS block storage system is made up of the following three components:

  1.  EC2 instance store
    The EC2 instance store comes in solid-state drive (SSD) and hard disk drive (HDD) variants. It is local to the instance: stopping, hibernating, or terminating the instance (or a failure of the underlying disk) loses the data, while a reboot preserves it. It is not replicated by default and has no snapshot support.  
  2. EBS SSD and HDD backed volumes

    EBS is block storage as a service, accessed across the network. Volumes are created, deleted, attached, and detached through an API. An EBS volume is attached to a single EC2 instance, much like plugging in a device, but the volume has a lifecycle independent of the instance and is used in the same way as a local hard drive.

    The volume types in EBS are General Purpose SSD (gp2), Provisioned IOPS SSD (io1 and io2), Throughput Optimized HDD (st1), and Cold HDD (sc1).

    EBS volumes are an effective storage mechanism for file systems, databases, and applications that make frequent, granular updates. A file system created on top of an EBS volume can be reconfigured at any time. Typical use cases are enterprise applications such as Microsoft, Oracle, and SharePoint products; relational and in-memory databases such as SAP HANA, Microsoft SQL Server, and MySQL; and big data analytics engines such as Hadoop and Spark.

    General Purpose SSD (gp2) is the place to start for customers who are unsure of their workload profile; it suits boot volumes, bursty databases, and low-latency applications. Provisioned IOPS SSD is geared towards critical applications and databases that need sustained IOPS.

    Throughput Optimized HDD (st1) is designed for large-block, high-throughput sequential workloads. Cold HDD (sc1) is the lowest-cost option, intended for infrequently accessed sequential workloads such as logging and backup.  
  3. EBS Snapshots
    A snapshot is a point-in-time copy of an EBS volume, stored in Amazon S3. Snapshots are regional, while volumes are zonal (tied to one Availability Zone). The first snapshot of a volume is a full copy; subsequent snapshots are incremental and store only the blocks that changed since the previous snapshot. Snapshots are created from volumes and can be shared and copied.  

Encrypting Block Storage

Local NVMe instance store volumes are always encrypted (XTS-AES-256); encryption cannot be disabled and the keys cannot be changed. The keys are destroyed when the instance is stopped or terminated. 

EBS encryption uses AES-256 and integrates with AWS Key Management Service (KMS), which holds the customer master keys (CMKs, now called KMS keys) that protect each volume's data key. 

EBS encryption covers the following:

  • Data at rest inside the volume.
  • Data in transit between the volume and the instance.
  • Snapshots created from the volume.
  • Volumes created from those snapshots.

EBS uses a built-in encryption hierarchy (envelope encryption). The CMK never leaves KMS. For every volume, EBS asks KMS to generate a unique 256-bit data key and receives it encrypted under the CMK; this encrypted data key is stored in the volume metadata. When the volume is attached, KMS decrypts the data key, and the plaintext key is held only in memory on the host running the instance, never written to disk. One data key per volume limits the damage if a single key is exposed, and the encrypted data key at rest is useless without permission to use the CMK.

Snapshots of encrypted volumes are automatically encrypted, as are volumes created from encrypted snapshots. An unencrypted snapshot can be encrypted when it is copied, and a snapshot you own can be re-encrypted under a different key when it is copied. Encryption cannot be removed by copying. 

Snapshots differ from volumes in that they can be shared and copied across accounts, copied within an account and across regions, and used to create AMIs. 

Sharing Snapshots

Two sharing modes apply to snapshots and AMIs: 

  • Public sharing
    AWS Marketplace AMIs are the typical example, since customers and partners at large launch from them. Only unencrypted snapshots and AMIs can be made public. 
  • Sharing with specific accounts
    Snapshots that hold sensitive data should be shared only with named AWS account IDs; encrypted snapshots cannot be made public at all.

Sharing is per region: a volume can only be created from a snapshot in the region where that snapshot lives, so you cannot share a snapshot and then launch a volume from it in a different region. To use a snapshot shared by another account, copy it into your own account in the same region first (for an encrypted snapshot, the copy is made under a key you control), then create volumes from the copy. 

Copying Snapshots

When copying snapshots, keep the following in mind:

  • Data is encrypted in transit during the copy, whether or not the source snapshot is encrypted.
  • Unencrypted snapshots can be encrypted during the copy.
  • Encrypted snapshots can be re-encrypted under a different CMK during the copy.
  • The first copy across regions is a full copy; later copies of snapshots from the same volume are incremental. 
  • Incremental copies of encrypted snapshots require the same CMK on both the source and the destination. Copying under a different CMK, or encrypting a previously unencrypted snapshot, always produces a full copy. 
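The key hierarchy described under Encrypting Block Storage and the copy rules just listed are easiest to see in a small working model. The following is an added example written for this article, not AWS or Intraway code: a toy key service plays the part of KMS, AES-256 is replaced by an HMAC-SHA256 keystream so the script runs on the Python standard library alone, and the block size, key IDs and record contents are made up. What it demonstrates is the flow: the CMK stays inside the key service, each volume gets its own data key that is stored only in wrapped form in the volume metadata, the plaintext data key exists only while the volume is attached, snapshots carry ciphertext plus the wrapped key, a copy under the same CMK moves only the blocks the destination lacks, and a copy under a different CMK generates a new data key and re-encrypts every block.

```python
"""Toy model of EBS envelope encryption and snapshot-copy rules. Added example,
not AWS or Intraway code; AES-256 is stood in by an HMAC-SHA256 keystream so
it runs on the Python standard library alone."""
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Wrapped = Tuple[str, bytes, bytes]  # (CMK id, nonce, data key encrypted under that CMK)

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256: XOR data with an HMAC-SHA256 counter-mode keystream."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

class KMS:
    """Key service: CMKs are generated and used in here and never handed out."""
    def __init__(self) -> None:
        self._cmks: Dict[str, bytes] = {}
    def create_key(self, key_id: str) -> None:
        self._cmks[key_id] = secrets.token_bytes(32)
    def generate_data_key(self, key_id: str) -> Tuple[bytes, Wrapped]:
        """Fresh 256-bit data key, returned in plaintext and wrapped under the CMK."""
        plain, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        return plain, (key_id, nonce, stream_xor(self._cmks[key_id], nonce, plain))
    def decrypt(self, wrapped: Wrapped) -> bytes:  # unwrap; the caller needs use of that CMK
        key_id, nonce, ct = wrapped
        return stream_xor(self._cmks[key_id], nonce, ct)

@dataclass
class Volume:
    volume_id: str
    kms_key_id: str
    wrapped_key: Wrapped                                         # lives in volume metadata
    blocks: Dict[int, bytes] = field(default_factory=dict)       # ciphertext on disk
    data_key: Optional[bytes] = field(default=None, repr=False)  # plaintext, memory only while attached

@dataclass
class Snapshot:
    region: str
    kms_key_id: str
    wrapped_key: Wrapped
    blocks: Dict[int, bytes]

def create_volume(kms: KMS, volume_id: str, kms_key_id: str) -> Volume:
    _plain, wrapped = kms.generate_data_key(kms_key_id)  # only the wrapped form is kept
    return Volume(volume_id, kms_key_id, wrapped)

def attach(kms: KMS, vol: Volume) -> None:
    """KMS unwraps the data key for the host; set data_key back to None to detach."""
    vol.data_key = kms.decrypt(vol.wrapped_key)

def write_block(vol: Volume, index: int, plaintext: bytes) -> None:
    assert vol.data_key is not None, "attach the volume before I/O"
    vol.blocks[index] = stream_xor(vol.data_key, index.to_bytes(16, "big"), plaintext)

def read_block(vol: Volume, index: int) -> bytes:
    assert vol.data_key is not None, "attach the volume before I/O"
    return stream_xor(vol.data_key, index.to_bytes(16, "big"), vol.blocks[index])

def create_snapshot(vol: Volume, region: str) -> Snapshot:
    """A snapshot carries the ciphertext blocks and the wrapped key, never the plaintext key."""
    return Snapshot(region, vol.kms_key_id, vol.wrapped_key, dict(vol.blocks))

def copy_snapshot(kms: KMS, snap: Snapshot, region: str, dest_key_id: Optional[str],
                  at_dest: Dict[int, bytes]) -> Tuple[Snapshot, int]:
    """Returns (copy, blocks transferred). Same CMK: only blocks the destination lacks are
    moved and nothing is re-encrypted. Different CMK: new data key, every block re-encrypted."""
    if dest_key_id in (None, snap.kms_key_id):  # encryption is never removed by a copy
        moved = sum(1 for i, b in snap.blocks.items() if at_dest.get(i) != b)
        return Snapshot(region, snap.kms_key_id, snap.wrapped_key, dict(snap.blocks)), moved
    old_key = kms.decrypt(snap.wrapped_key)
    new_key, wrapped = kms.generate_data_key(dest_key_id)
    blocks = {i: stream_xor(new_key, i.to_bytes(16, "big"), stream_xor(old_key, i.to_bytes(16, "big"), b))
              for i, b in snap.blocks.items()}
    return Snapshot(region, dest_key_id, wrapped, blocks), len(blocks)

def demo() -> Dict[str, object]:
    """create -> write -> snapshot -> cross-region copies -> re-key -> restore, as a dict of checks."""
    kms = KMS()
    for key_id in ("aws/ebs", "cmk-app"):  # account default CMK, customer managed CMK
        kms.create_key(key_id)
    vol = create_volume(kms, "vol-1", "aws/ebs")
    attach(kms, vol)
    write_block(vol, 0, b"customer record 1")
    write_block(vol, 1, b"customer record 2")
    copy1, n_first = copy_snapshot(kms, create_snapshot(vol, "us-east-1"), "eu-west-1", None, {})
    write_block(vol, 2, b"customer record 3")
    snap2 = create_snapshot(vol, "us-east-1")
    _, n_incr = copy_snapshot(kms, snap2, "eu-west-1", None, copy1.blocks)
    rekeyed, n_rekey = copy_snapshot(kms, snap2, "eu-west-1", "cmk-app", copy1.blocks)
    restored = Volume("vol-2", rekeyed.kms_key_id, rekeyed.wrapped_key, dict(rekeyed.blocks))
    attach(kms, restored)
    return {"disk_is_ciphertext": vol.blocks[0] != b"customer record 1",
            "first_copy_blocks": n_first, "incremental_copy_blocks": n_incr, "rekey_copy_blocks": n_rekey,
            "rekey_changed_ciphertext": rekeyed.blocks[0] != snap2.blocks[0],
            "restored_reads_back": read_block(restored, 2) == b"customer record 3"}
```

demo() returns 2 blocks moved for the first cross-region copy, 1 for the incremental copy under the same CMK, and 3 for the copy under cmk-app, whose ciphertext differs from the source even though the data is the same; the restored volume under the new key still reads back the plaintext. Note that the toy keystream reuses the same nonce for a rewritten block index, much as a sector-based mode does, which is why a real deployment relies on AES-XTS rather than a stream construction.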

New Features For Easier Encryption

Amazon Web Services announced new features that make encryption easier: 

  • Encrypted volumes can now be launched from unencrypted snapshots or AMIs in a single step, without copying the snapshot first. This is cheaper, since an encrypted copy of the snapshot no longer has to be created and stored for each launch. 
  • Snapshots and AMIs encrypted with customer managed CMKs can be shared across accounts. Snapshots and AMIs encrypted with the AWS managed default CMK (aws/ebs) cannot be shared across accounts. 
  • Encryption by default can be enabled for an account in a region with a single setting (the EnableEbsEncryptionByDefault API). Once it is on, every new EBS volume and snapshot created in that region is encrypted, with no changes to workflows.

    The benefit is that compliance is easy to ensure without changing workflows, and encryption can be introduced while still launching from unencrypted snapshots and AMIs.
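The sharing rules above (no public sharing of encrypted snapshots, no cross-account sharing of snapshots under the AWS managed default key, share sensitive data only with named accounts) are worth enforcing before anyone calls the API. The script below is an added example for this article, not AWS or Intraway code: it takes records shaped like the EC2 DescribeSnapshots and KMS DescribeKey responses (the sample records at the bottom are constructed), returns the reasons a share must be refused, and otherwise produces the parameter set for ModifySnapshotAttribute together with the two standard KMS key-policy statements the recipient account needs on a customer managed CMK. The account IDs and snapshot IDs are placeholders.

```python
"""Pre-flight checks before sharing an EBS snapshot, plus the KMS key-policy
statements the recipient account needs. Added example, not AWS or Intraway code.
Inputs mimic EC2 DescribeSnapshots and KMS DescribeKey output; samples are constructed."""
from typing import Dict, List

def share_problems(snapshot: Dict, key_meta: Dict, targets: List[str], public: bool) -> List[str]:
    """Reasons a share request must be refused; an empty list means it can proceed."""
    problems = []
    if not public and not targets:
        problems.append("no target account IDs given")
    bad = [t for t in targets if not (t.isdigit() and len(t) == 12)]
    if bad:
        problems.append(f"not 12-digit AWS account IDs: {bad}")
    if snapshot.get("Encrypted"):
        if public:
            problems.append("encrypted snapshots cannot be made public")
        if key_meta.get("KeyManager") == "AWS":  # aws/ebs or another AWS managed key
            problems.append("encrypted with an AWS managed key; copy it under a customer managed CMK first")
    return problems

def key_policy_statements(targets: List[str]) -> List[Dict]:
    """Statements to add to the customer managed CMK's key policy so the recipient
    accounts can use the key (the standard KMS console statements)."""
    principals = {"AWS": [f"arn:aws:iam::{acct}:root" for acct in targets]}
    return [
        {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": principals,
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": principals,
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]

def plan_share(snapshot: Dict, key_meta: Dict, targets: List[str], public: bool = False) -> Dict:
    """Either the problems, or the ModifySnapshotAttribute parameters plus the key-policy
    statements to apply (the statements only matter for encrypted snapshots)."""
    problems = share_problems(snapshot, key_meta, targets, public)
    if problems:
        return {"ok": False, "problems": problems}
    params = {"SnapshotId": snapshot["SnapshotId"], "Attribute": "createVolumePermission",
              "OperationType": "add"}
    params["GroupNames" if public else "UserIds"] = ["all"] if public else list(targets)
    return {"ok": True, "modify_snapshot_attribute": params,
            "key_policy_statements": key_policy_statements(targets) if snapshot.get("Encrypted") else [],
            "warning": "every AWS account will be able to create volumes from this snapshot" if public else None}

# Constructed sample records in the shape of DescribeSnapshots / DescribeKey output.
SNAP_UNENCRYPTED = {"SnapshotId": "snap-0aaa", "Encrypted": False}
SNAP_DEFAULT_KEY = {"SnapshotId": "snap-0bbb", "Encrypted": True,
                    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa-default"}
SNAP_CUSTOM_KEY = {"SnapshotId": "snap-0ccc", "Encrypted": True,
                   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/bbbb-custom"}
KEY_AWS_MANAGED = {"KeyManager": "AWS"}   # what DescribeKey reports for aws/ebs
KEY_CUSTOMER = {"KeyManager": "CUSTOMER"}
NO_KEY: Dict = {}
TARGET = ["222233334444"]
```

With real data, feed it one entry from the Snapshots list of describe-snapshots and the KeyMetadata of kms describe-key for that snapshot's KmsKeyId; the snapshot's KmsKeyId alone is a key ARN and does not reveal whether the key is AWS managed, which is why the KeyManager field is consulted. The returned modify_snapshot_attribute dict is the parameter set for the ModifySnapshotAttribute API, and the key-policy statements must be in place before the recipient account can create volumes from the shared encrypted snapshot.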


AWS block storage encryption is a secure and flexible system for protection from unauthorized access to stored volumes. The new features implemented in the most recent update allow organizations to more efficiently use and share encrypted volumes and snapshots across accounts. 

Intraway provides innovative, ready-to-deploy solutions to communications providers worldwide. Contact us for more information on how our advanced technologies help build networks of the future while reducing costs. 
