Encrypted EBS

Encrypted EBS feature guarantees data at rest encryption. That means anything saved on the volume will be protected automatically as long as it resides on the volume.

Risks for Unencrypted Volumes

By encrypting volumes, you have them protected against the below threats;

  • The loss of control of storage media
  • The loss of control on storage media at where the snapshots created from the volume resides.
  • Compromise of the networks attached to the storage systems

Supported Instance Types and Roles

Instances that use encrypted volumes are limited to the instance types T2, C3, C4, M3, M4, and R3.

Encrypted EBS can be used with any instance role (Database, Application, Utility) selectively. For application and utility instances, encryption can be used on a case by case basis unless you set the 'Encrypt All Instances' option in the Edit Environment page.

Performance matters

Encrypted EBS feature provides the same IOPS performance on encrypted volumes as on unencrypted volumes, with a minimal effect on latency and at no additional cost.

Enable Encrypted EBS

New Instances

For new instances, it can be enabled through the environment options page. When selected, the mount points /db, /data, /mnt, and swap will be encrypted on an encrypted EBS host. 

Existing Instances

It is not possible to convert an existing unencrypted volume or snapshot directly to an encrypted state. Application and Utility instances can be created using a new volume. Database instances require a migration similar to a major database version upgrade but can also be done through Professional Services.

If enabled, a key icon next to the instance names will appear on the environment page, which means the volumes are encrypted.

Database Backups

Backups of data should also be taken into consideration to ensure data at rest encryption, as well as the volumes.