
Submitted URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default
Effective URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Submission: On August 28 via api from IL — Scanned from DE

Amazon EBS encryption - Amazon Elastic Compute Cloud


AMAZON EBS ENCRYPTION


Use Amazon EBS encryption as a straightforward encryption solution for the EBS
resources associated with your EC2 instances. With Amazon EBS encryption, you
aren't required to build, maintain, and secure your own key management
infrastructure. Amazon EBS encryption uses AWS KMS keys when creating encrypted
volumes and snapshots.

Encryption operations occur on the servers that host EC2 instances, ensuring the
security of both data-at-rest and data-in-transit between an instance and its
attached EBS storage.

You can attach both encrypted and unencrypted volumes to an instance
simultaneously.

CONTENTS

 * How EBS encryption works
 * Requirements
 * Default KMS key for EBS encryption
 * Encryption by default
 * Encrypt EBS resources
 * Rotating AWS KMS keys
 * Encryption scenarios
 * Set encryption defaults using the API and CLI


HOW EBS ENCRYPTION WORKS

You can encrypt both the boot and data volumes of an EC2 instance.

When you create an encrypted EBS volume and attach it to a supported instance
type, the following types of data are encrypted:

 * Data at rest inside the volume

 * All data moving between the volume and the instance

 * All snapshots created from the volume

 * All volumes created from those snapshots

Amazon EBS encrypts your volume with a data key using industry-standard AES-256
data encryption. The data key is generated by AWS KMS and then encrypted by AWS
KMS with your AWS KMS key prior to being stored with your volume information.
All snapshots, and any subsequent volumes created from those snapshots using the
same AWS KMS key share the same data key. For more information, see Data keys in
the AWS Key Management Service Developer Guide.

When a KMS key becomes unusable, the effect is almost immediate (subject to
eventual consistency). The key state of the KMS key changes to reflect its new
condition, and all requests to use the KMS key in cryptographic operations fail.
For more information, see How unusable KMS keys affect data keys in the AWS Key
Management Service Developer Guide.

Amazon EC2 works with AWS KMS to encrypt and decrypt your EBS volumes in
slightly different ways depending on whether the snapshot from which you create
an encrypted volume is encrypted or unencrypted.


HOW EBS ENCRYPTION WORKS WHEN THE SNAPSHOT IS ENCRYPTED

When you create an encrypted volume from an encrypted snapshot that you own,
Amazon EC2 works with AWS KMS to encrypt and decrypt your EBS volumes as
follows:

 1. Amazon EC2 sends a GenerateDataKeyWithoutPlaintext request to AWS KMS,
    specifying the KMS key that you chose for volume encryption.

 2. If the volume is encrypted using the same KMS key as the snapshot, AWS KMS
    uses the same data key as the snapshot and encrypts it under that same KMS
    key. If the volume is encrypted using a different KMS key, AWS KMS generates
    a new data key and encrypts it under the KMS key that you specified. The
    encrypted data key is sent to Amazon EBS to be stored with the volume
    metadata.

 3. When you attach the encrypted volume to an instance, Amazon EC2 sends a
    CreateGrant request to AWS KMS so that it can decrypt the data key.

 4. AWS KMS decrypts the encrypted data key and sends the decrypted data key to
    Amazon EC2.

 5. Amazon EC2 uses the plaintext data key in the Nitro hardware to encrypt disk
    I/O to the volume. The plaintext data key persists in memory as long as the
    volume is attached to the instance.


HOW EBS ENCRYPTION WORKS WHEN THE SNAPSHOT IS UNENCRYPTED

When you create an encrypted volume from an unencrypted snapshot, Amazon EC2
works with AWS KMS to encrypt and decrypt your EBS volumes as follows:

 1. Amazon EC2 sends a CreateGrant request to AWS KMS, so that it can encrypt
    the volume that is created from the snapshot.

 2. Amazon EC2 sends a GenerateDataKeyWithoutPlaintext request to AWS KMS,
    specifying the KMS key that you chose for volume encryption.

 3. AWS KMS generates a new data key, encrypts it under the KMS key that you
    chose for volume encryption, and sends the encrypted data key to Amazon EBS
    to be stored with the volume metadata.

 4. Amazon EC2 sends a Decrypt request to AWS KMS to get the encryption key to
    encrypt the volume data.

 5. When you attach the encrypted volume to an instance, Amazon EC2 sends a
    CreateGrant request to AWS KMS, so that it can decrypt the data key.

 6. When you attach the encrypted volume to an instance, Amazon EC2 sends a
    Decrypt request to AWS KMS, specifying the encrypted data key.

 7. AWS KMS decrypts the encrypted data key and sends the decrypted data key to
    Amazon EC2.

 8. Amazon EC2 uses the plaintext data key in the Nitro hardware to encrypt disk
    I/O to the volume. The plaintext data key persists in memory as long as the
    volume is attached to the instance.

For more information, see How Amazon Elastic Block Store (Amazon EBS) uses AWS
KMS and Amazon EC2 example two in the AWS Key Management Service Developer
Guide.
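The two flows above, modelled as an added example (not AWS code): MockKMS stands in for AWS KMS, an "encrypted data key" is an opaque handle only the mock can resolve, and the grantee names (identity-only-role/<instance>, ec2-volume-creation) are constructed labels. The model shows the data-key sharing rule, the grant needed before Decrypt, and what happens to an attach once the KMS key is disabled.

```python
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


class KmsKeyUnusable(Exception):
    """Raised when the KMS key is not in the Enabled state."""


@dataclass
class Snapshot:
    encrypted: bool
    kms_key_id: Optional[str] = None
    encrypted_data_key: Optional[str] = None  # opaque blob in snapshot metadata


@dataclass
class Volume:
    kms_key_id: str
    encrypted_data_key: str                     # opaque blob in volume metadata
    plaintext_data_key: Optional[bytes] = None  # held only while attached


class MockKMS:
    """Constructed stand-in for AWS KMS: EC2/EBS never see the wrapping, only a
    handle (blob) that KMS resolves after checking key state and grants."""

    def __init__(self) -> None:
        self.key_state: Dict[str, str] = {}              # key id -> state
        self._blobs: Dict[str, Tuple[str, bytes]] = {}   # blob -> (key id, data key)
        self.grants: Set[Tuple[str, str]] = set()        # (key id, grantee)

    def create_key(self, key_id: str) -> None:
        self.key_state[key_id] = "Enabled"

    def disable_key(self, key_id: str) -> None:
        self.key_state[key_id] = "Disabled"

    def _check_usable(self, key_id: str) -> None:
        if self.key_state.get(key_id) != "Enabled":
            raise KmsKeyUnusable(key_id)

    def generate_data_key_without_plaintext(self, key_id: str,
                                            reuse_blob: Optional[str] = None) -> str:
        """Return an encrypted data key, never the plaintext. If reuse_blob is
        wrapped under the same KMS key, the same data key is reused, so a volume
        and its source snapshot share a data key when they share a KMS key."""
        self._check_usable(key_id)
        if reuse_blob is not None and self._blobs[reuse_blob][0] == key_id:
            data_key = self._blobs[reuse_blob][1]
        else:
            data_key = os.urandom(32)  # fresh AES-256 data key
        blob = "blob-" + os.urandom(8).hex()
        self._blobs[blob] = (key_id, data_key)
        return blob

    def create_grant(self, key_id: str, grantee: str) -> None:
        self._check_usable(key_id)
        self.grants.add((key_id, grantee))

    def decrypt(self, blob: str, grantee: str) -> bytes:
        key_id, data_key = self._blobs[blob]
        self._check_usable(key_id)  # a disabled key fails every operation
        if (key_id, grantee) not in self.grants:
            raise PermissionError(f"no grant on {key_id} for {grantee}")
        return data_key

    def same_data_key(self, blob_a: str, blob_b: str) -> bool:
        return self._blobs[blob_a][1] == self._blobs[blob_b][1]


def create_encrypted_volume(kms: MockKMS, snapshot: Snapshot, kms_key_id: str) -> Volume:
    """Volume creation for both snapshot cases described above."""
    if snapshot.encrypted:
        # Encrypted snapshot: same KMS key -> same data key, otherwise a new one.
        blob = kms.generate_data_key_without_plaintext(
            kms_key_id, reuse_blob=snapshot.encrypted_data_key)
    else:
        # Unencrypted snapshot: EC2 needs a grant and the plaintext key to
        # encrypt the copied data (steps 1 to 4). Grantee label is constructed.
        kms.create_grant(kms_key_id, "ec2-volume-creation")
        blob = kms.generate_data_key_without_plaintext(kms_key_id)
        kms.decrypt(blob, "ec2-volume-creation")
    return Volume(kms_key_id=kms_key_id, encrypted_data_key=blob)


def attach_volume(kms: MockKMS, volume: Volume, instance_id: str) -> Volume:
    """Attach: CreateGrant for the instance's identity-only role, then Decrypt."""
    grantee = f"identity-only-role/{instance_id}"
    kms.create_grant(volume.kms_key_id, grantee)
    volume.plaintext_data_key = kms.decrypt(volume.encrypted_data_key, grantee)
    return volume


def detach_volume(volume: Volume) -> None:
    """The plaintext key is dropped once the volume is no longer attached."""
    volume.plaintext_data_key = None
```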


REQUIREMENTS

Before you begin, verify that the following requirements are met.


SUPPORTED VOLUME TYPES

Encryption is supported by all EBS volume types. You can expect the same IOPS
performance on encrypted volumes as on unencrypted volumes, with a minimal
effect on latency. You can access encrypted volumes the same way that you access
unencrypted volumes. Encryption and decryption are handled transparently, and
they require no additional action from you or your applications.


SUPPORTED INSTANCE TYPES

Amazon EBS encryption is available on all current generation and previous
generation instance types.


PERMISSIONS FOR USERS

When you configure a KMS key as the default key for EBS encryption, the default
KMS key policy allows any user with access to the required KMS actions to use
this KMS key to encrypt or decrypt EBS resources. You must grant users
permission to call the following actions in order to use EBS encryption:

 * kms:CreateGrant

 * kms:Decrypt

 * kms:DescribeKey

 * kms:GenerateDataKeyWithoutPlaintext

 * kms:ReEncrypt

TIP

To follow the principle of least privilege, do not allow full access to
kms:CreateGrant. Instead, use the kms:GrantIsForAWSResource condition key to
allow the user to create grants on the KMS key only when the grant is created on
the user's behalf by an AWS service, as shown in the following example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": [
                "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}

For more information, see Allows access to the AWS account and enables IAM
policies in the Default key policy section in the AWS Key Management Service
Developer Guide.
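The following is an added example, not code from the AWS documentation: a small
policy linter that applies the tip above to an IAM policy document. It reports
Allow statements that hand out kms:CreateGrant without the Bool
kms:GrantIsForAWSResource condition, and lists which of the KMS actions EBS
encryption needs are not allowed by any statement. The two sample policies, the
statement Sids, and the key ARN (reused from the page) are constructed for the
example; Deny statements and Resource ARNs are not evaluated.

```python
"""Lint a policy document for the EBS/KMS least-privilege shape the page describes.

Added example, not AWS documentation code. Sample policies are constructed.
Only Allow statements and their Action/Condition elements are inspected."""
import fnmatch

# The KMS actions listed on the page; kms:ReEncrypt* covers the two real actions.
REQUIRED_EBS_ACTIONS = [
    "kms:CreateGrant",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and allows '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_allows(stmt, action):
    return stmt.get("Effect") == "Allow" and any(
        action_matches(p, action) for p in _as_list(stmt.get("Action", []))
    )


def grant_is_for_aws_resource(stmt):
    """True when the statement carries Bool kms:GrantIsForAWSResource = true."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator.lower() != "bool":
            continue
        for key, value in pairs.items():
            if key.lower() == "kms:grantisforawsresource":
                return all(str(v).lower() == "true" for v in _as_list(value))
    return False


def unrestricted_create_grant(policy):
    """Sids of Allow statements that grant kms:CreateGrant without the condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if statement_allows(stmt, "kms:CreateGrant") and not grant_is_for_aws_resource(stmt):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def missing_ebs_actions(policy):
    """Required KMS actions that no Allow statement in the policy covers."""
    stmts = _as_list(policy["Statement"])
    return [a for a in REQUIRED_EBS_ACTIONS if not any(statement_allows(s, a) for s in stmts)]


KEY_ARN = "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"

# Constructed: the over-broad form, kms:* with no condition at all.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EbsKmsAccess", "Effect": "Allow", "Action": "kms:*", "Resource": KEY_ARN}
    ],
}

# Constructed: the page's least-privilege shape, CreateGrant split out and conditioned.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EbsKmsUse",
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:DescribeKey",
                       "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*"],
            "Resource": KEY_ARN,
        },
        {
            "Sid": "EbsKmsGrantViaService",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": KEY_ARN,
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, "unconditional CreateGrant:", unrestricted_create_grant(policy),
              "missing:", missing_ebs_actions(policy))
```

Running it reports EbsKmsAccess for the loose policy and nothing for the tight
one, while both cover every required action. The check deliberately accepts only
the Bool operator: a BoolIfExists form would let the grant through whenever the
condition key is absent, which is not what the tip intends.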


PERMISSIONS FOR INSTANCES

When an instance attempts to interact with an encrypted AMI, volume, or
snapshot, a KMS key grant is issued to the instance's identity-only role. The
identity-only role is an IAM role that is used by the instance to interact with
encrypted AMIs, volumes, or snapshots on your behalf.

Identity-only roles do not need to be manually created or deleted, and they have
no policies associated with them. Additionally, you can't access the
identity-only role credentials.

NOTE

Identity-only roles are not used by applications on your instance to access
other AWS KMS encrypted resources, such as Amazon S3 objects or DynamoDB
tables. These operations are done using the credentials of an Amazon EC2
instance role, or other AWS credentials that you have configured on your
instance.

Identity-only roles are subject to service control policies (SCPs) and KMS key
policies. If an SCP or a KMS key policy denies the identity-only role access to
a KMS key, launching EC2 instances with encrypted volumes, or from encrypted
AMIs or snapshots, can fail.

If you are creating an SCP or key policy that denies access based on network
location using the aws:SourceIp, aws:VpcSourceIp, aws:SourceVpc, or
aws:SourceVpce AWS global condition keys, you must ensure that these policy
statements do not apply to identity-only roles, because they would otherwise
also block the KMS calls that Amazon EC2 makes on the instance's behalf. For
example policies, see Data Perimeter Policy Examples.

Identity-only role ARNs use the following format:

arn:aws-partition:iam::account_id:role/aws:ec2-infrastructure/instance_id

When a key grant is issued to an instance, the key grant is issued to the
assumed-role session specific to that instance. The grantee principal ARN uses
the following format:

arn:aws-partition:sts::account_id:assumed-role/aws:ec2-infrastructure/instance_id
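The following is an added example, not AWS code, that turns the two ARN formats
above and the network-location warning into a check you can run over an SCP or
key policy before deploying it. parse_identity_only_role recognises both the IAM
role form and the STS assumed-role form; find_unguarded_statements returns Deny
statements that condition on aws:SourceIp, aws:VpcSourceIp, aws:SourceVpc or
aws:SourceVpce without carving out the aws:ec2-infrastructure role path. The
carve-out is assumed to be a negated ARN condition (ArnNotLike and relatives) on
aws:PrincipalArn, which resolves to the role ARN rather than the session ARN for
an assumed-role session; the sample SCP, its Sids, account ID and instance ID are
constructed.

```python
"""Check that network-location Deny statements exempt the EC2 identity-only roles.

Added example, not AWS code. Assumes the exemption is written as a negated ARN
condition on aws:PrincipalArn; the sample SCP below is constructed."""
import fnmatch
import re

# Both ARN forms from the page: the IAM role and the STS assumed-role session.
IDENTITY_ONLY_ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):(?P<service>iam|sts)::(?P<account>\d{12}):"
    r"(?P<kind>role|assumed-role)/aws:ec2-infrastructure/(?P<instance>i-[0-9a-f]{8,17})$"
)
NETWORK_LOCATION_KEYS = {"aws:sourceip", "aws:vpcsourceip", "aws:sourcevpc", "aws:sourcevpce"}
EXEMPTION_OPERATORS = {
    "arnnotlike", "arnnotlikeifexists", "arnnotequals", "arnnotequalsifexists",
    "stringnotlike", "stringnotlikeifexists",
}
# A representative identity-only role ARN (constructed) to test exemption patterns against.
PROBE_ROLE_ARN = "arn:aws:iam::123456789012:role/aws:ec2-infrastructure/i-0123456789abcdef0"


def parse_identity_only_role(arn):
    """Return the ARN's parts if it is an identity-only role or its session, else None."""
    match = IDENTITY_ONLY_ROLE_RE.match(arn)
    return match.groupdict() if match else None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions(stmt):
    """Yield (operator, key, values), lower-cased, with ForAllValues:/ForAnyValue: stripped."""
    for operator, pairs in stmt.get("Condition", {}).items():
        operator = operator.lower()
        if operator.startswith(("forallvalues:", "foranyvalue:")):
            operator = operator.split(":", 1)[1]
        for key, values in pairs.items():
            yield operator, key.lower(), [str(v) for v in _as_list(values)]


def denies_by_network_location(stmt):
    return stmt.get("Effect") == "Deny" and any(
        key in NETWORK_LOCATION_KEYS for _, key, _ in _conditions(stmt)
    )


def exempts_identity_only_roles(stmt):
    """True if a negated condition on aws:PrincipalArn matches the probe role ARN."""
    for operator, key, patterns in _conditions(stmt):
        if operator in EXEMPTION_OPERATORS and key == "aws:principalarn":
            if any(fnmatch.fnmatchcase(PROBE_ROLE_ARN, p) for p in patterns):
                return True
    return False


def find_unguarded_statements(policy):
    """Sids of network-location Deny statements that would also hit identity-only roles."""
    return [
        stmt.get("Sid", f"Statement[{i}]")
        for i, stmt in enumerate(_as_list(policy["Statement"]))
        if denies_by_network_location(stmt) and not exempts_identity_only_roles(stmt)
    ]


SAMPLE_SCP = {  # constructed for this example
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideCorporateNetwork",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"NotIpAddressIfExists": {"aws:SourceIp": ["192.0.2.0/24"]}},
        },
        {
            "Sid": "DenyOutsideCorporateNetworkGuarded",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddressIfExists": {"aws:SourceIp": ["192.0.2.0/24"]},
                "ArnNotLikeIfExists": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/aws:ec2-infrastructure/*"
                },
            },
        },
    ],
}

if __name__ == "__main__":
    print("statements that would block identity-only roles:",
          find_unguarded_statements(SAMPLE_SCP))
```

The first sample statement is flagged; the second, which exempts the
aws:ec2-infrastructure path, is not. Because the check matches the IAM role
form, it also tells you that an exemption written against the STS
assumed-role ARN would not work for aws:PrincipalArn.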


DEFAULT KMS KEY FOR EBS ENCRYPTION

Amazon EBS automatically creates a unique AWS managed key in each Region where
you store AWS resources. This KMS key has the alias alias/aws/ebs. By default,
Amazon EBS uses this KMS key for encryption. Alternatively, you can specify a
symmetric customer managed encryption key that you created as the default KMS
key for EBS encryption. Using your own KMS key gives you more flexibility,
including the ability to create, rotate, and disable KMS keys and to write your
own key policy. Note also that snapshots encrypted with the AWS managed key
cannot be shared with other AWS accounts; if you need to share encrypted
snapshots, encrypt them with a customer managed key.

IMPORTANT

Amazon EBS does not support asymmetric encryption KMS keys. For more
information, see Using symmetric and asymmetric encryption KMS keys in the AWS
Key Management Service Developer Guide.

New console

TO CONFIGURE THE DEFAULT KMS KEY FOR EBS ENCRYPTION FOR A REGION

 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

 2. From the navigation bar, select the Region.

 3. From the navigation pane, select EC2 Dashboard.

 4. In the upper-right corner of the page, choose Account Attributes, EBS
    encryption.

 5. Choose Manage.

 6. For Default encryption key, choose a symmetric customer managed encryption
    key.

 7. Choose Update EBS encryption.

Old console

TO CONFIGURE THE DEFAULT KMS KEY FOR EBS ENCRYPTION FOR A REGION

 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

 2. From the navigation bar, select the Region.

 3. From the navigation pane, select EC2 Dashboard.

 4. In the upper-right corner of the page, choose Account Attributes, Settings.

 5. Choose Change the default key and then choose an available KMS key.

 6. Choose Save settings.


ENCRYPTION BY DEFAULT

You can configure your AWS account to enforce the encryption of the new EBS
volumes and snapshot copies that you create. For example, Amazon EBS encrypts
the EBS volumes created when you launch an instance and the snapshots that you
copy from an unencrypted snapshot. For examples of transitioning from
unencrypted to encrypted EBS resources, see Encrypt unencrypted resources.

Encryption by default has no effect on existing EBS volumes or snapshots.

CONSIDERATIONS

 * Encryption by default is a Region-specific setting. If you enable it for a
   Region, you cannot disable it for individual volumes or snapshots in that
   Region.

 * Amazon EBS encryption by default is supported on all current generation and
   previous generation instance types.

 * If you copy a snapshot and encrypt it to a new KMS key, a complete
   (non-incremental) copy is created. This results in additional storage costs.

 * When migrating servers using AWS Server Migration Service (SMS), do not turn
   on encryption by default. If encryption by default is already on and you are
   experiencing delta replication failures, turn off encryption by default.
   Instead, enable AMI encryption when you create the replication job.

Amazon EC2 console

TO ENABLE ENCRYPTION BY DEFAULT FOR A REGION

 1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

 2. From the navigation bar, select the Region.

 3. From the navigation pane, select EC2 Dashboard.

 4. In the upper-right corner of the page, choose Account Attributes, EBS
    encryption.

 5. Choose Manage.

 6. Select Enable. You keep the AWS managed key with the alias alias/aws/ebs
    created on your behalf as the default encryption key, or choose a symmetric
    customer managed encryption key.

 7. Choose Update EBS encryption.

AWS CLI

TO VIEW THE ENCRYPTION BY DEFAULT SETTING

 * For a specific Region
   
   $ aws ec2 get-ebs-encryption-by-default --region region

 * For all Regions in your account (requires jq)
   
   $ for region in $(aws ec2 describe-regions --region us-east-1 \
         --query "Regions[*].[RegionName]" --output text); do
         default=$(aws ec2 get-ebs-encryption-by-default --region $region \
             --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text)
         kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId')
         echo "$region  --- $default  --- $kms_key"
     done

TO ENABLE ENCRYPTION BY DEFAULT

 * For a specific Region
   
   $ aws ec2 enable-ebs-encryption-by-default --region region

 * For all Regions in your account (requires jq)
   
   $ for region in $(aws ec2 describe-regions --region us-east-1 \
         --query "Regions[*].[RegionName]" --output text); do
         default=$(aws ec2 enable-ebs-encryption-by-default --region $region \
             --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text)
         kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId')
         echo "$region  --- $default  --- $kms_key"
     done

TO DISABLE ENCRYPTION BY DEFAULT

 * For a specific Region
   
   $ aws ec2 disable-ebs-encryption-by-default --region region

 * For all Regions in your account (requires jq)
   
   $ for region in $(aws ec2 describe-regions --region us-east-1 \
         --query "Regions[*].[RegionName]" --output text); do
         default=$(aws ec2 disable-ebs-encryption-by-default --region $region \
             --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text)
         kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId')
         echo "$region  --- $default  --- $kms_key"
     done

PowerShell

TO VIEW THE ENCRYPTION BY DEFAULT SETTING

 * For a specific Region
   
   PS C:\> Get-EC2EbsEncryptionByDefault -Region region

 * For all Regions in your account
   
   PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Get-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize

TO ENABLE ENCRYPTION BY DEFAULT

 * For a specific Region
   
   PS C:\> Enable-EC2EbsEncryptionByDefault -Region region

 * For all Regions in your account
   
   PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Enable-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize

TO DISABLE ENCRYPTION BY DEFAULT

 * For a specific Region
   
   PS C:\> Disable-EC2EbsEncryptionByDefault -Region region

 * For all Regions in your account
   
   PS C:\> (Get-EC2Region).RegionName | ForEach-Object { [PSCustomObject]@{ Region = $_; EC2EbsEncryptionByDefault = Disable-EC2EbsEncryptionByDefault -Region $_; EC2EbsDefaultKmsKeyId = Get-EC2EbsDefaultKmsKeyId -Region $_ } } | Format-Table -AutoSize



ENCRYPT EBS RESOURCES

You encrypt EBS volumes by enabling encryption, either using encryption by
default or by enabling encryption when you create a volume that you want to
encrypt.

When you encrypt a volume, you can specify the symmetric encryption KMS key to
use to encrypt the volume. If you do not specify a KMS key, the KMS key that is
used for encryption depends on the encryption state of the source snapshot and
its ownership. For more information, see the encryption outcomes table.

NOTE

If you are using the API or AWS CLI to specify a KMS key, be aware that AWS
authenticates the KMS key asynchronously. If you specify a KMS key ID, an alias,
or an ARN that is not valid, the action can appear to complete, but it
eventually fails.

You cannot change the KMS key that is associated with an existing snapshot or
volume. However, you can associate a different KMS key during a snapshot copy
operation so that the resulting copied snapshot is encrypted by the new KMS key.


ENCRYPT AN EMPTY VOLUME ON CREATION

When you create a new, empty EBS volume, you can encrypt it by enabling
encryption for the specific volume creation operation. If you enabled EBS
encryption by default, the volume is automatically encrypted using your default
KMS key for EBS encryption. Alternatively, you can specify a different symmetric
encryption KMS key for the specific volume creation operation. The volume is
encrypted by the time it is first available, so your data is always secured. For
detailed procedures, see Create an Amazon EBS volume.

By default, the KMS key that you selected when creating a volume encrypts the
snapshots that you make from the volume and the volumes that you restore from
those encrypted snapshots. You cannot remove encryption from an encrypted volume
or snapshot, which means that a volume restored from an encrypted snapshot, or a
copy of an encrypted snapshot, is always encrypted.

Public snapshots of encrypted volumes are not supported, but you can share an
encrypted snapshot with specific accounts. For detailed directions, see Share an
Amazon EBS snapshot.


ENCRYPT UNENCRYPTED RESOURCES

You cannot directly encrypt existing unencrypted volumes or snapshots. However,
you can create encrypted volumes or snapshots from unencrypted volumes or
snapshots. If you enable encryption by default, Amazon EBS automatically
encrypts new volumes and snapshots using your default KMS key for EBS
encryption. Otherwise, you can enable encryption when you create an individual
volume or snapshot, using either the default KMS key for Amazon EBS encryption
or a symmetric customer managed encryption key. For more information, see Create
an Amazon EBS volume and Copy an Amazon EBS snapshot.

To encrypt the snapshot copy to a customer managed key, you must both enable
encryption and specify the KMS key, as shown in Copy an unencrypted snapshot
(encryption by default not enabled).

IMPORTANT

Amazon EBS does not support asymmetric encryption KMS keys. For more
information, see Using Symmetric and Asymmetric encryption KMS keys in the AWS
Key Management Service Developer Guide.

You can also apply new encryption states when launching an instance from an
EBS-backed AMI. This is because EBS-backed AMIs include snapshots of EBS volumes
that can be encrypted as described. For more information, see Use encryption
with EBS-backed AMIs.


ROTATING AWS KMS KEYS

Cryptographic best practices discourage extensive reuse of encryption keys. To
create new cryptographic material for your KMS key, you can create a new KMS key
and then change your applications or aliases to use it. Or, you can enable
automatic key rotation for an existing KMS key.

When you enable automatic key rotation for a KMS key, AWS KMS generates new
cryptographic material for the KMS key every year. AWS KMS saves all previous
versions of the cryptographic material so you can decrypt any data encrypted
with that KMS key. AWS KMS does not delete any rotated key material until you
delete the KMS key.

When you use a rotated KMS key to encrypt data, AWS KMS uses the current key
material. When you use the rotated KMS key to decrypt data, AWS KMS uses the
version of the key material that was used to encrypt it. You can safely use a
rotated KMS key in applications and AWS services without code changes. Rotation
does not re-encrypt data keys that are already wrapped, so existing volumes and
snapshots stay under the key material they were created with; to move data under
different key material or a different KMS key, copy the snapshot and specify the
new KMS key, as described in Re-encrypt an encrypted snapshot.

NOTE

Automatic key rotation is supported only for symmetric customer managed keys
with key material that AWS KMS creates. AWS KMS automatically rotates AWS
managed keys every year. You can't enable or disable key rotation for AWS
managed keys.

For more information, see Rotating KMS keys in the AWS Key Management Service
Developer Guide.


ENCRYPTION SCENARIOS

When you create an encrypted EBS resource, it is encrypted by your account's
default KMS key for EBS encryption unless you specify a different customer
managed key in the volume creation parameters or the block device mapping for
the AMI or instance. For more information, see Default KMS key for EBS
encryption.

The following examples illustrate how you can manage the encryption state of
your volumes and snapshots. For a full list of encryption cases, see the
encryption outcomes table.

EXAMPLES

 * Restore an unencrypted volume (encryption by default not enabled)
 * Restore an unencrypted volume (encryption by default enabled)
 * Copy an unencrypted snapshot (encryption by default not enabled)
 * Copy an unencrypted snapshot (encryption by default enabled)
 * Re-encrypt an encrypted volume
 * Re-encrypt an encrypted snapshot
 * Migrate data between encrypted and unencrypted volumes
 * Encryption outcomes


RESTORE AN UNENCRYPTED VOLUME (ENCRYPTION BY DEFAULT NOT ENABLED)

Without encryption by default enabled, a volume restored from an unencrypted
snapshot is unencrypted by default. However, you can encrypt the resulting
volume by setting the Encrypted parameter and, optionally, the KmsKeyId
parameter. The following diagram illustrates the process.



If you leave out the KmsKeyId parameter, the resulting volume is encrypted using
your default KMS key for EBS encryption. You must specify a KMS key ID to
encrypt the volume to a different KMS key.

For more information, see Create a volume from a snapshot.


RESTORE AN UNENCRYPTED VOLUME (ENCRYPTION BY DEFAULT ENABLED)

When you have enabled encryption by default, encryption is mandatory for volumes
restored from unencrypted snapshots, and no encryption parameters are required
for your default KMS key to be used. The following diagram shows this simple
default case:



If you want to encrypt the restored volume to a symmetric customer managed
encryption key, you must supply both the Encrypted and KmsKeyId parameters as
shown in Restore an unencrypted volume (encryption by default not enabled).


COPY AN UNENCRYPTED SNAPSHOT (ENCRYPTION BY DEFAULT NOT ENABLED)

Without encryption by default enabled, a copy of an unencrypted snapshot is
unencrypted by default. However, you can encrypt the resulting snapshot by
setting the Encrypted parameter and, optionally, the KmsKeyId parameter. If you
omit KmsKeyId, the resulting snapshot is encrypted by your default KMS key. You
must specify a KMS key ID to encrypt the snapshot to a different symmetric
encryption KMS key.

The following diagram illustrates the process.



You can encrypt an EBS volume by copying an unencrypted snapshot to an encrypted
snapshot and then creating a volume from the encrypted snapshot. For more
information, see Copy an Amazon EBS snapshot.


COPY AN UNENCRYPTED SNAPSHOT (ENCRYPTION BY DEFAULT ENABLED)

When you have enabled encryption by default, encryption is mandatory for copies
of unencrypted snapshots, and no encryption parameters are required if your
default KMS key is used. The following diagram illustrates this default case:




RE-ENCRYPT AN ENCRYPTED VOLUME

When the CreateVolume action operates on an encrypted snapshot, you have the
option of re-encrypting it with a different KMS key. The following diagram
illustrates the process. In this example, you own two KMS keys, KMS key A and
KMS key B. The source snapshot is encrypted by KMS key A. During volume
creation, with the KMS key ID of KMS key B specified as a parameter, the source
data is automatically decrypted, then re-encrypted by KMS key B.



For more information, see Create a volume from a snapshot.


RE-ENCRYPT AN ENCRYPTED SNAPSHOT

The ability to encrypt a snapshot during copying allows you to apply a new
symmetric encryption KMS key to an already-encrypted snapshot that you own.
Volumes restored from the resulting copy are only accessible using the new KMS
key. The following diagram illustrates the process. In this example, you own two
KMS keys, KMS key A and KMS key B. The source snapshot is encrypted by KMS key
A. During copy, with the KMS key ID of KMS key B specified as a parameter, the
source data is automatically re-encrypted by KMS key B.



In a related scenario, you can choose to apply new encryption parameters to a
copy of a snapshot that has been shared with you. By default, the copy is
encrypted with a KMS key shared by the snapshot's owner. However, we recommend
that you create a copy of the shared snapshot using a different KMS key that you
control. This protects your access to the volume if the original KMS key is
compromised, or if the owner revokes the KMS key for any reason. For more
information, see Encryption and snapshot copying.
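The following is an added example, not AWS or EBS code, that makes three things
on this page concrete in one runnable model: the data-key flow described under
How EBS encryption works (a data key generated without plaintext, wrapped under
the KMS key and stored with the volume, unwrapped at attach time), the rotation
semantics under Rotating AWS KMS keys (new material for new wraps, old material
kept for old ones), and the re-encryption scenarios above (a copy under a key you
control stays readable after the owner's key is revoked). A keyed SHA-256
keystream with an HMAC tag stands in for the real ciphers, ToyKms is an
in-memory stand-in for the service, and the key ids, volume contents and the
wrapped-key layout (key id, material version, sealed data key) are constructed
for the example.

```python
"""Toy model of a KMS key, its rotated key material, and per-volume data keys.

Added example, not AWS or EBS code. ToyKms method names follow the KMS actions
the page lists; key ids, data and the wrapped-key layout are constructed."""
import hashlib
import hmac
import os


class KmsKeyDisabled(Exception):
    pass


def _keystream_xor(key, nonce, data):
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter) XOR data."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        pad = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], pad))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return _keystream_xor(key, nonce, ciphertext)


class ToyKms:
    """Each key id maps to a list of key-material versions; rotation appends one."""

    def __init__(self):
        self.material, self.disabled = {}, set()

    def create_key(self, key_id):
        self.material[key_id] = [os.urandom(32)]

    def rotate(self, key_id):
        self.material[key_id].append(os.urandom(32))  # earlier versions are kept

    def disable(self, key_id):
        self.disabled.add(key_id)

    def _material(self, key_id, version):
        if key_id in self.disabled:
            raise KmsKeyDisabled(key_id)
        return self.material[key_id][version]

    def generate_data_key_without_plaintext(self, key_id):
        """Fresh 256-bit data key, returned only wrapped under the current material."""
        version = len(self.material[key_id]) - 1
        wrapped = seal(self._material(key_id, version), os.urandom(32))
        return key_id.encode() + b"|" + bytes([version]) + wrapped

    def decrypt(self, wrapped):
        """Unwrap with the material version recorded at wrap time, not the current one."""
        key_id, rest = wrapped.split(b"|", 1)
        return unseal(self._material(key_id.decode(), rest[0]), rest[1:])


class Volume:
    """Encrypted blocks plus the wrapped data key that EBS keeps in the volume metadata."""

    def __init__(self, kms, key_id, data):
        self.wrapped_key = kms.generate_data_key_without_plaintext(key_id)
        self.blocks = seal(kms.decrypt(self.wrapped_key), data)  # Decrypt on attach, encrypt I/O

    def read(self, kms):
        return unseal(kms.decrypt(self.wrapped_key), self.blocks)

    def copy_to_key(self, kms, new_key_id):
        """Snapshot copy under another KMS key: a new data key, and the data re-encrypted."""
        return Volume(kms, new_key_id, self.read(kms))


def material_version(volume):
    return volume.wrapped_key.split(b"|", 1)[1][0]


def rotation_keeps_old_data_readable():
    kms = ToyKms()
    kms.create_key("key-A")
    old = Volume(kms, "key-A", b"written before rotation")
    kms.rotate("key-A")
    new = Volume(kms, "key-A", b"written after rotation")
    return old.read(kms), material_version(old), material_version(new)


def copy_survives_owner_revocation():
    kms = ToyKms()
    kms.create_key("key-A")  # the snapshot owner's key
    kms.create_key("key-B")  # a key you control
    shared = Volume(kms, "key-A", b"shared snapshot contents")
    mine = shared.copy_to_key(kms, "key-B")
    kms.disable("key-A")  # the owner revokes their key
    try:
        shared.read(kms)
        original_readable = True
    except KmsKeyDisabled:
        original_readable = False
    return original_readable, mine.read(kms)
```

rotation_keeps_old_data_readable returns the pre-rotation contents together
with material versions 0 and 1: the old volume's wrapped key still names
version 0 and KMS still holds it, while the new volume was wrapped under the
current version. copy_survives_owner_revocation returns False for the original
and the full contents for the copy, which is the reason the page recommends
copying a shared snapshot under a key you control.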


MIGRATE DATA BETWEEN ENCRYPTED AND UNENCRYPTED VOLUMES

When you have access to both an encrypted and unencrypted volume, you can freely
transfer data between them. EC2 carries out the encryption and decryption
operations transparently.

For example, use the rsync command to copy the data. In the following command,
the source data is located in /mnt/source and the destination volume is mounted
at /mnt/destination.

[ec2-user ~]$ sudo rsync -avh --progress /mnt/source/ /mnt/destination/


ENCRYPTION OUTCOMES



The following table describes the encryption outcome for each possible
combination of settings.

In the source table, the Custom column is a single merged cell for each group
of five rows; its value is repeated on every row of the group here.

Encryption | Encryption  | Source of volume                              | Default (no customer managed key specified) | Custom (customer managed key specified)
enabled?   | by default? |                                              |                                             |
-----------|-------------|----------------------------------------------|---------------------------------------------|------------------------------------------------
No         | No          | New (empty) volume                           | Unencrypted                                 | N/A
No         | No          | Unencrypted snapshot that you own            | Unencrypted                                 | N/A
No         | No          | Encrypted snapshot that you own              | Encrypted by same key                       | N/A
No         | No          | Unencrypted snapshot that is shared with you | Unencrypted                                 | N/A
No         | No          | Encrypted snapshot that is shared with you   | Encrypted by default customer managed key*  | N/A
Yes        | No          | New (empty) volume                           | Encrypted by default customer managed key   | Encrypted by a specified customer managed key**
Yes        | No          | Unencrypted snapshot that you own            | Encrypted by default customer managed key   | Encrypted by a specified customer managed key**
Yes        | No          | Encrypted snapshot that you own              | Encrypted by same key                       | Encrypted by a specified customer managed key**
Yes        | No          | Unencrypted snapshot that is shared with you | Encrypted by default customer managed key   | Encrypted by a specified customer managed key**
Yes        | No          | Encrypted snapshot that is shared with you   | Encrypted by default customer managed key   | Encrypted by a specified customer managed key**
No         | Yes         | New (empty) volume                           | Encrypted by default customer managed key   | N/A
No         | Yes         | Unencrypted snapshot that you own            | Encrypted by default customer managed key   | N/A
No         | Yes         | Encrypted snapshot that you own              | Encrypted by same key                       | N/A
No         | Yes         | Unencrypted snapshot that is shared with you | Encrypted by default customer managed key   | N/A
No         | Yes         | Encrypted snapshot that is shared with you   | Encrypted by default customer managed key   | N/A
Yes        | Yes         | New (empty) volume                           | Encrypted by default customer managed key   | Encrypted by a specified customer managed key
Yes        | Yes         | Unencrypted snapshot that you own            | Encrypted by default customer managed key   | Encrypted by a specified customer managed key
Yes        | Yes         | Encrypted snapshot that you own              | Encrypted by same key                       | Encrypted by a specified customer managed key
Yes        | Yes         | Unencrypted snapshot that is shared with you | Encrypted by default customer managed key   | Encrypted by a specified customer managed key
Yes        | Yes         | Encrypted snapshot that is shared with you   | Encrypted by default customer managed key   | Encrypted by a specified customer managed key

* This is the default customer managed key used for EBS encryption for the AWS
account and Region. By default this is a unique AWS managed key for EBS, or you
can specify a customer managed key. For more information, see Default KMS key
for EBS encryption.

** This is a customer managed key specified for the volume at launch time. This
customer managed key is used instead of the default customer managed key for the
AWS account and Region.


SET ENCRYPTION DEFAULTS USING THE API AND CLI

You can manage encryption by default and the default KMS key using the following
API actions and CLI commands.

API action                     | CLI command                        | Description
-------------------------------|------------------------------------|---------------------------------------------------------------------------
DisableEbsEncryptionByDefault  | disable-ebs-encryption-by-default  | Disables encryption by default.
EnableEbsEncryptionByDefault   | enable-ebs-encryption-by-default   | Enables encryption by default.
GetEbsDefaultKmsKeyId          | get-ebs-default-kms-key-id         | Describes the default KMS key.
GetEbsEncryptionByDefault      | get-ebs-encryption-by-default      | Indicates whether encryption by default is enabled.
ModifyEbsDefaultKmsKeyId       | modify-ebs-default-kms-key-id      | Changes the default KMS key used to encrypt EBS volumes.
ResetEbsDefaultKmsKeyId        | reset-ebs-default-kms-key-id       | Resets the AWS managed key as the default KMS key used to encrypt EBS volumes.

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.

