Security & Encryption

Data Protection & Access Control

Encryption at Rest

AES-256 Encryption

Industry standard encryption algorithm

KMS Integration

AWS Key Management Service

Transparent

No application changes required

Performance

Minimal performance impact

Encryption in Transit

EC2 to EBS

Data encrypted between instance and volume

Automatic

Enabled by default for encrypted volumes

TLS Encryption

Secure network communication

No Configuration

Transparent to applications

Key Management Options

AWS Managed Keys

Default EBS encryption key

  • No additional cost
  • Managed by AWS
  • Cannot be deleted

Customer Managed Keys

Full control over key lifecycle

  • Custom key policies
  • Key rotation control
  • Audit trail in CloudTrail

Cross-Account Access

Share encrypted volumes

  • Key policy permissions
  • Cross-account snapshots
  • Resource sharing

Default Encryption

Account-Level

Enable for entire AWS account

Region-Specific

Configure per AWS region

New Volumes

All new volumes encrypted automatically

Snapshots

Snapshots inherit encryption

Access Control

IAM Policies

Control EBS operations

KMS Permissions

Key usage permissions

Resource Tags

Tag-based access control

Service Roles

EC2 instance roles for access

Encryption Best Practices

Enable by Default

Use account-level default encryption

Customer Keys

Use CMKs for sensitive data

Key Rotation

Enable automatic key rotation

Monitor Usage

CloudTrail for key usage audit

Encryption Migration

Snapshot Method

Snapshot the unencrypted volume, copy the snapshot with encryption enabled, then create a new volume from the encrypted copy

Copy Encrypted

Copy an unencrypted snapshot with encryption enabled; the copy is encrypted with the chosen key

Data Migration

Application-level data copy

Compliance

FIPS 140-2

Level 2 validated encryption

HIPAA Eligible

Healthcare data protection

SOC Compliance

SOC 1, 2, and 3 reports

Security & Encryption Exam Tips

  • EBS encryption uses AES-256 and is transparent to applications with minimal performance impact
  • Encrypted volumes automatically encrypt data in transit between EC2 and EBS
  • Default encryption can be enabled at account level to encrypt all new volumes automatically
  • Snapshots of encrypted volumes are automatically encrypted with the same key
  • Cannot directly encrypt existing unencrypted volumes - must use the snapshot method