
For EBS and S3, encryption (even via the default key from KMS) is disabled by default. As I understood from the documentation, there is no difference to the user whether volumes/objects are encrypted under the hood or not. If that is true, why is this option disabled by default? And if not, what are the drawbacks?

Thanks.

Andrey
  • You can encrypt any volume, and you can use policies to mandate things are encrypted. "Why" isn't a useful question really, it is what it is. – Tim Feb 19 '20 at 18:01
  • @Tim "Why" is a useful question, because they disable this option on purpose and it is good to know for what reasons they did so, perhaps this encryption has some disadvantages in comparison with no encryption. And the true question is the last sentence "And if not, what are the drawbacks?" – Andrey Feb 19 '20 at 18:39
  • Encryption is not "disabled" by default. Data is not encrypted at rest by default, but you can easily specify that both S3 and EBS are encrypted at creation time. I imagine the reason is because there's an overhead to encryption, so if it's not required why would you spend the CPU cycles / power to do it? – Tim Feb 19 '20 at 19:25
  • @Tim so there is no reason for me to leave it disabled? (And it is fine to always encrypt it?) Thank you. – Andrey Feb 19 '20 at 19:33
  • So your question is "is there any disadvantage to encrypting my S3 objects and EBS volumes"? You have to be careful not to delete your encryption keys or you'll lose access, unless they're AWS default credentials, and it might add a tiny bit of latency - though not much as I suspect it's done by Nitro hardware in the latest gen instances. All in all there's no significant disadvantage. There's also not much of an advantage - encryption at rest primarily prevents people accessing your data if they steal the storage device, and that's not going to happen in an AWS data center. – Tim Feb 19 '20 at 19:51
  • @Tim may I copy your answer and mark it as a solution or you will do it (copy the text above)? – Andrey Feb 19 '20 at 20:49
  • I'm voting to close this question as off-topic because we are not the S3 design team. – womble Feb 23 '20 at 23:47

2 Answers


It seems the core question is "is there any disadvantage to encrypting my S3 objects and EBS volumes"?

Factors:

  • You have to be careful not to delete your encryption keys or you'll lose access to your data, unless they're AWS default credentials.
  • Encryption might add a tiny bit of latency - though not much as I suspect it's done by Nitro hardware in the latest gen instances.

All in all there's no significant disadvantage that I can see.

There's also not much of an advantage - encryption at rest primarily prevents people accessing your data if they steal the storage device, and that's not going to happen in an AWS data center as they have good physical security and securely destroy devices that are disposed of. However, using Customer Managed Keys and a Custom Key Policy does have some advantages.

Update

As of 5 Jan 2023, S3 objects are encrypted by default. As I mentioned above, this doesn't really help security all that much because AWS has the decryption keys and decrypts the objects when a valid request is received for the objects.

Tim
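The two practical points in the answer above (don't lose the key, and a customer managed key with its own key policy is where the real benefit lies) are easy to show in code. The following is an added example and not part of the original thread: it audits a constructed, offline sample shaped like the EC2 `DescribeVolumes` and KMS `DescribeKey` responses (account 111122223333, the volume IDs, key IDs and role names are all made up), flags unencrypted volumes, volumes under the AWS managed `aws/ebs` key, and volumes whose key is scheduled for deletion, and then builds a KMS key policy that separates key administration (rotate, disable, schedule deletion) from key use (encrypt/decrypt). Nothing here calls AWS; plug the same functions into `boto3` output to run it for real.

```python
import json

# Constructed sample shaped like ec2.describe_volumes()["Volumes"]. The account,
# volume IDs and key IDs are fictitious (assumption for this example).
KEY_PREFIX = "arn:aws:kms:us-east-1:111122223333:key/"
AWS_EBS_KEY = KEY_PREFIX + "aaaa1111-0000-4000-8000-000000000001"  # the aws/ebs managed key
CMK_OK = KEY_PREFIX + "bbbb2222-0000-4000-8000-000000000002"       # healthy customer managed key
CMK_DOOMED = KEY_PREFIX + "cccc3333-0000-4000-8000-000000000003"   # CMK scheduled for deletion

SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": False, "State": "in-use"},
    {"VolumeId": "vol-0bbb", "Encrypted": True, "State": "in-use", "KmsKeyId": AWS_EBS_KEY},
    {"VolumeId": "vol-0ccc", "Encrypted": True, "State": "available", "KmsKeyId": CMK_OK},
    {"VolumeId": "vol-0ddd", "Encrypted": True, "State": "in-use", "KmsKeyId": CMK_DOOMED},
]

# Constructed sample shaped like kms.describe_key()["KeyMetadata"], keyed by key ARN.
# KeyManager is "AWS" for AWS managed keys and "CUSTOMER" for customer managed keys.
SAMPLE_KEYS = {
    AWS_EBS_KEY: {"KeyManager": "AWS", "KeyState": "Enabled"},
    CMK_OK: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    CMK_DOOMED: {"KeyManager": "CUSTOMER", "KeyState": "PendingDeletion"},
}


def audit_volumes(volumes, keys):
    """Return {volume_id: finding} for volumes that need attention; clean ones are omitted."""
    findings = {}
    for vol in volumes:
        vid = vol["VolumeId"]
        if not vol.get("Encrypted"):
            findings[vid] = "unencrypted"
            continue
        meta = keys.get(vol.get("KmsKeyId"))
        if meta is None:
            findings[vid] = "key metadata unavailable (cross-account or already deleted key?)"
        elif meta["KeyState"] == "PendingDeletion":
            # Once the waiting period ends the data key can never be unwrapped again.
            findings[vid] = "key pending deletion: cancel it or re-encrypt before the waiting period ends"
        elif meta["KeyState"] != "Enabled":
            findings[vid] = "key is " + meta["KeyState"] + ": the volume cannot be attached"
        elif meta["KeyManager"] == "AWS":
            findings[vid] = "aws-managed key: no custom key policy, snapshots cannot be shared cross-account"
    return findings


def build_key_policy(account_id, admin_role_arn, user_role_arn):
    """KMS key policy for a customer managed key: admins manage the key but cannot
    decrypt with it; users encrypt/decrypt but cannot change the policy or delete it.
    The root statement is what lets IAM policies in the account reference the key at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "KeyAdministrators", "Effect": "Allow",
             "Principal": {"AWS": admin_role_arn},
             "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                        "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
                        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
             "Resource": "*"},
            {"Sid": "KeyUsers", "Effect": "Allow",
             "Principal": {"AWS": user_role_arn},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
            # EC2 needs a grant on the key to attach an encrypted volume on the user's behalf.
            {"Sid": "AllowGrantsForAWSResources", "Effect": "Allow",
             "Principal": {"AWS": user_role_arn},
             "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
             "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def allowed_actions(policy, principal_arn):
    """Set of actions the key policy grants directly to principal_arn (used to check the split)."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        if principal_arn not in principals:
            continue
        actions = stmt["Action"]
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted


if __name__ == "__main__":
    print(json.dumps(audit_volumes(SAMPLE_VOLUMES, SAMPLE_KEYS), indent=2))
    policy = build_key_policy("111122223333",
                              "arn:aws:iam::111122223333:role/KeyAdmin",
                              "arn:aws:iam::111122223333:role/AppServer")
    print(json.dumps(policy, indent=2))
```

Two things worth knowing when you run this against a real account: `kms:ScheduleKeyDeletion` imposes a 7 to 30 day waiting period during which the key shows as `PendingDeletion` and can still be cancelled, which is the window the audit above is meant to catch, and the "why isn't it on by default" half of the question can be settled per region with `aws ec2 enable-ebs-encryption-by-default`, after which every new volume is encrypted with the account's default EBS key (the AWS managed `aws/ebs` key unless you point it at a customer managed key with `aws ec2 modify-ebs-default-kms-key-id`).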

An EBS root volume cannot be encrypted without taking a snapshot of it. That's why it's not shown by default.

  • But I can select KMS key to use for encryption while creating a new EC2 instance, am I wrong? – Andrey Feb 19 '20 at 11:07