Home AWS EBS Volumes - Why it should be encrypted?

AWS EBS Volumes – Why it should be encrypted?


Organizations want maximum security for their cloud infrastructure. They want to focus on their business rather than worrying about the data and resources on the cloud. EBS stores crucial data in volumes. Hence, it is necessary to ensure that stored data is secured. AWS EBS volume encryption is an efficient way of doing this.

What is AWS EBS?

AWS EBS is a block storage service which you can use to store quickly accessible and high persistent data. Amazon EBS is suitable for EC2 instances by providing block-level storage volumes.

There are mainly three varieties of volumes – General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic which differ in performance, characteristics, and cost. EBS volumes can be attached to an active instance in the same availability zone. These are best-suited to be used as primary storage for file systems or database for any application which requires frequent updates and access to unformatted, raw data. You can use EBS volumes to perform long and continuous read/write operations as well as fast read/write operations.

Why encrypt unencrypted EBS volumes?

AWS provides users to encrypt their EBS volumes to protect their sensitive data. AWS provides simplified encryption solution to encrypt EBS volumes. This doesn’t require the user to manage and secure key management infrastructure. When an EBS volume is created and attached to a resource, data stored at rest as well as the snapshots are encrypted. AWS KMS (Key Management Service) is used to perform cryptographic operations on EBS volumes. A default master key is automatically created to perform encryption and decryption when an EBS volume is created for the first time. The user has the provision of using its own CMK (Customer Master Key) which provides extra flexibility while defining access controls and allows users to create, rotate and disable encryption key specific to individual applications and users.

What happens if you do not encrypt your EBS volumes?

Unencrypted EBS volumes mean that data stored in your AWS EBS volumes might be at risk of potential security attack. Hence it is important to make sure that no compromise has been done as far as the security of your sensitive or confidential data is concerned. Users need to realize that it is important to encrypt their respective EBS volumes. This helps them attain the maximum security level in their cloud environment.

How can Centilytics help you?

Centilytics provides a dedicated insight for your EBS volume encryption where it lists down all the EBS volumes which you have not encrypted. This helps you to take note of those volumes and encrypt them for all the security reasons.

Insight descriptions:

Severity Description
Warning This indication will be displayed when the corresponding EBS volume is not encrypted
OK This indication will be displayed when the corresponding EBS volume is encrypted.


Description of further columns are as follows:

  1. Account Id: Shows the respective account ID of user’s account.AWS EBS Volumes-ss1
  2. Account Name: Shows corresponding account name to the user’s account.AWS EBS Volumes-ss2
  3. Region: Shows the region in which the corresponding snapshot exists.AWS EBS Volumes-ss3


  1. Identifier: Shows the unique snapshot Id of the snapshot.AWS EBS Volumes-ss4


  1. Volume Type: Shows the type of EBS volume in use. AWS EBS Volume Encryption-SS34


Compliances covered:

Compliance Name Reference No. Link
Trusted Advisor https://console.aws.amazon.com/trustedadvisor/home?#/category/security


Filters applicable:

Filter Name Description
Account Id Applying account Id filter will display all the public snapshots for the selected account Id.
Region Applying region filter will display all the public snapshots corresponding to the selected region.
Severity Applying severity filter will display public snapshots according to the selected severity type i.e. selecting critical will display all instances with critical severity. Same will be the case for Warning and Ok severity types.
Resource Tags Applying resource tags filter will display those resources which have been assigned the selected resource tag. For eg- If the user has tagged some resources by a resource tag named environment, then selecting it from the resource tags filter will display all those resources with the tag name-environment.
Resource Tags Value Applying resource tags value filter will display data which will have the selected resource tag value. Let’s say a user has tagged some resource by a tag named environment and has a value say production (environment: production). Therefore, the user can view data of all the resources tagged as “environment:production”. The user can use the tag value filter only when a tag name has been provided.


Read More:

[1] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

[2] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html

[3] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html


Cloud Management