Encrypting S3 Buckets and EBS Volumes Using KMS

Learn how to secure EBS volumes and S3 using AWS Key Management System.

In this lesson, we'll explore the encryption mechanisms for two prevalent AWS resources—S3 buckets and EBS volumes—secured using AWS KMS.

EBS volume encryption

The data stored on an EBS volume can be accessed by attaching the EBS volume with an EC2 instance and then reading the stored data using that instance. Note that, an EBS volume can be attached with multiple EC2 instances at the same time. So, if our EBS volume is unencrypted, anyone who gets access to our EBS volume can attach the volume with an EC2 instance and read the stored data.

Note: When we launch an EC2 instance, a root EBS volume is automatically created and connected to it. By default, this volume is not encrypted.

How does EBS volume encryption works?

To start off the encryption, we have to create a KMS key. After that, we specify that key as the encryption key for the EBS volume. KMS key, however, doesn’t directly encrypt the EBS volume. When we create an encrypted EBS volume, KMS generates a data key using the KMS key for encryption. An encrypted version of that data key is then stored within the metadata of the EBS volume.

Now, when an EBS volume is attached to an EC2 instance, AWS first checks if the principal attaching this volume to the EC2 instance has access to the specified KMS key. If yes, the EBS volume is attached; otherwise, this attachment fails. After the volume has been attached, the EC2 instance fetches the encrypted data key from the volume’s metadata, requests KMS to decrypt the key, and then uses the decrypted key to encrypt the data before storing it on the EBS volume.

Get hands-on with 1400+ tech skills courses.