Amazon Elastic Block Store (EBS) is a block-storage service for Amazon Elastic Compute Cloud (EC2). EBS volumes can be encrypted, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage. In the case that adversaries gain physical access to the storage medium they are not able to access the data. Encryption can be enabled for specific volumes or for all new volumes and snapshots. Volumes created from snapshots inherit their encryption configuration. A volume created from an encrypted snapshot will also be encrypted by default.
There is a risk if you answered yes to any of those questions.
It’s recommended to encrypt EBS volumes that contain sensitive information. Encryption and decryption are handled transparently by EC2, so no further modifications to the application are necessary. Instead of enabling encryption for every volume, it is also possible to enable encryption globally for a specific region. While creating volumes from encrypted snapshots will result in them being encrypted, explicitly enabling this security parameter will prevent any future unexpected security downgrade.
import { Size } from 'aws-cdk-lib';
import { Volume } from 'aws-cdk-lib/aws-ec2';
new Volume(this, 'unencrypted-explicit', {
availabilityZone: 'us-west-2a',
size: Size.gibibytes(1),
encrypted: false // Sensitive
});
import { Size } from 'aws-cdk-lib';
import { Volume } from 'aws-cdk-lib/aws-ec2';
new Volume(this, 'unencrypted-implicit', {
availabilityZone: 'eu-west-1a',
size: Size.gibibytes(1),
}); // Sensitive as encryption is disabled by default
import { Size } from 'aws-cdk-lib';
import { Volume } from 'aws-cdk-lib/aws-ec2';
new Volume(this, 'encrypted-explicit', {
availabilityZone: 'eu-west-1a',
size: Size.gibibytes(1),
encrypted: true
});