An Amazon EBS Volume is a durable, block level storage device that you can attach to your instance.
EBS is Availability Zone specific. To move EBS volume from one AZ to another: -EBS volume–Snapshot S3—Copy to another AZ –Create new Same EBS volume
When you create an EBS Volume, it is automatically replicated within its Availability Zone, to prevent data loss due to failure of any single hardware component.
You can attach multiple EBS volumes to a single instance. The Volume and instance must be in same Availability Zone. You can attach an EBS Volume to any EC2 instance in the same Availability Zone.
You can use EBS volume as primary storage for data that requires frequent updates, such as the system drive for an instance or storage for a database application. Also use them for throughput intensive applications that perform continuous disk scans.
Constraints on Size and configuration of an EBS volume: EBS currently supports a maximum volume size of 16 TiB.
Amazon EBS provides following volume types:
General purpose SSD (gp2 and gp3), Provisioned IOPS SSD(io1 and io2), thourhput optimized HDD (st1),Cold HDD (sc1) and Magnetic (standard).
Benefits of EBS Volumes:
1.Data availability: When you create an EBS Volume, it is automatically replicated within its Availability Zone, to prevent data loss due to failure of any single hardware component.
2.Data persistence: An EBS volume is off-instance storage that can persist independently from the life of an instance. EBS volumes attached to running instance can automatically detach from the instance with their data intact when the instance is terminated if you uncheck the Delete on Termination checkbox while configuring EBS volume on EC2. The Volume can be reattached to new instance, enabling quick recovery. EBS backed instance, data is unaffected when EC2 instance is restarted. Volume remains attached throughout start to stop cycle .Data persist on Volume until deleted explicitly.
By Default, root volume attached to instance is deleted when instance is terminated.
Additional EBS volume that are created and attached to an instance at launch are not deleted when instance is terminated.
These behaviors can be changed by modifying the settings.
EBS volume support live configuration changes while in production. You can modify volume type, volume size, and IOPS capacity without service interruptions.
Amazon EBS provides ability to create snapshots (backup) of any EBS volume and write a copy of the data in S3, where it is stored redundantly in multiple Availability zones.
Incremental Volume: In EBSM Snapshot created only for consumed part.
For next snapshot, only updated part stored in next snapshot. First snapshot is clone, subsequent snapshot is incremental.
Incremental snapshot helps in saving cost.
Deleting data will only delete data exclusive of that snapshot.
If first snapshot is deleted, Amazon will move the first snapshot data, to another snapshot data.
You are charged for Data transferred to S3 from EBS volume snapshot stored in S3
5. Data Encryption-You can create encrypted EBS volumes with Amazon EBS encryption feature.
Encrypting data at rest is vital for regulatory compliance to ensure that sensitive data saved on disks is not readable by any user or application without a valid key. Some compliance regulations such as PCI DSS and HIPAA require that data at rest be encrypted throughout the data lifecycle. To this end, AWS provides data-at-rest options and key management to support the encryption process.
Data encryption at rest means encryption of data stored in EBS volume.
Data in transit means encryption of data moving from EC2 to EBS.
You can attach an encrypted and Unencrypted Volume to the same EC2 instance.
Data cannot be directly transferred between encrypted to unencrypted volume.
Encryption is always at EC2, and then moved to EBS. Data is encrypted prior to moving to EBS.
EBS volume is not physically attached to EC2, but is network connected.
Data in transit between EC2 and Encrypted EBS is also encrypted.
There is no direct way to change the encryption state of volume. To change the Encryption state indirectly, follow the below steps:
- Attach a new encrypted, EBS volume to EC2 Instance that has the data to be encrypted.
- Mount the new Volume to EC2 instance
- Copy the data from unencrypted volume to new Volume.
- Both the volume must be on the same EC2 instance
- Create a snapshot of unencrypted volume.
- Copy the snapshot and choose encryption for new copy-This will create encrypted copy.
- Use this new copy to create new volume which would be encrypted too.
- Attach the volume to EC2 instance.
Root Volume Encryption-
Root volume is not encrypted by default.
There is no direct way to change the encryption of a volume
There is an indirect workaround to Encrypt Root Volume-
1.Launch the instance with the EBS volume required
2.Do patching or install the application
3.Create an AMI from EC2 instance
4.Copy the AMI and choose encryption while copying
5.Result is an encrypted AMI that is private
6.Use the encrypted AMI to launch new EC2 instance which will have EBS root Volume encrypted.
How to share EBS snapshot—
To Encrypt a volume of a snapshot, you need an encryption key , these keys are called Customer Master Key (CMK) and are managed by AWS key management service.
When encrypting first EBS volume, AWS creates a default CMK key. After that each newly encrypted volume is encrypted with a unique AES-256 encryption key. This key is used to encrypt the volume, its snapshot and any volume created of its snapshots.
A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data.
Before you share a snapshot, the following considerations apply to sharing snapshots:
- By default, only account owner can create volume from account snapshot.
- Snapshots are constrained to the Region in which they were created. To share a snapshot with another Region, copy the snapshot to that Region and then share the copy. — EBS volume—create Snapshot in S3—Copy to another AZ –Create new Same EBS volume.
- You can’t share snapshots that are encrypted with the default AWS managed key. You can only share snapshots that are encrypted with a customer managed key.
- You can share only unencrypted snapshots publicly. You can share unencrypted snapshots with the AWS community by making them public.
- You can also share unencrypted snapshots with other AWS accounts by making them private and selecting the accounts to share them with.
- When you share an encrypted snapshot, you must also share the customer managed key used to encrypt the snapshot.
- You cannot make encrypted snapshots public.
When encrypting first EBS volume, AWS creates a default CMK key.
Default CMK key is used for your first volume encryption, encryption of snapshot created from this volume, volume created from these snapshots. If your snapshot has default CMK key-it cannot be shared.
Steps to Change encryption key:
- You cannot change the encryption key directly which is used to encrypt an existing EBS volume
- If you want to change the key, create a copy of snapshot and specify during the copy process that you want to re-encrypt the copy with a diff key
- This comes handy when you have a snapshot that was encrypted using default CMK key and you want to change the key in order to share the snapshot with other account.
Steps to share unencrypted volume with specific account:
1.Make sure you use non default key to encrypt the snapshot, not the default CMK key
2.Configure cross account permissions in order to give the account with which you want to share the snapshot, access to custom CMK key to encrypt the snapshot. Without this the other account will not be able to copy the snapshot, not will be able to create volume of snapshot.
AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys in the AWS Cloud. It helps you meet corporate, contractual, and regulatory compliance requirements for data security by using FIPS 140-2 Level 3 validated HSMs.