SAA-C02: Amazon EBS Encryption

  • by

This blog will cover SAA-C02 exam must have knowledge : Amazon EBS Encryption.

Official Site:

  1. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
  • Data at rest inside the volume
  • All data moving between the volume and the instance
  • All snapshots created from the volume
  • All volumes created from those snapshots

2. Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMK) when creating encrypted volumes and snapshots. Amazon EBS does not support asymmetric CMKs.

3. Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.

4. Encrypting unencrypted resources: Although there is no direct way to encrypt an existing unencrypted volume or snapshot, you can encrypt them by creating either a volume or a snapshot. If you enabled encryption by default, Amazon EBS encrypts the resulting new volume or snapshot using your default key for EBS encryption. Even if you have not enabled encryption by default, you can enable encryption when you create an individual volume or snapshot. Whether you enable encryption by default or in individual creation operations, you can override the default key for EBS encryption and select a symmetric customer managed CMK.

Restore an unencrypted volume (encryption by default not enabled)

Those are some important points about Amazon EBS Encryption which must to be kept in mind for SAA-C02 exam.

This blog is the part of SAA-C02 serial of this site.