EBS snapshots and S3 encryption

0

I know that EBS snapshots are stored in S3 in a hidden location not accessible by the customer.

My question was how the snaps are stored within this hidden section of S3. Is it a single bucket per account holding all of the snaps, or just some secret mechanism not based on what customers normally see when managing a bucket in the console or API?

Though my main question, coming from my security officer, was if the snaps in S3 are stored in an encrypted bucket or just encrypted at rest in general. Or if that's left up to the customer to encrypt their EBS volumes themselves so the snaps will be encrypted as well when they get to the S3 location.

Thanks for any answers.

Asked 4 years ago · 361 views
2 Answers
0

Hi James
If you refer to this information, https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html, you will see that snapshots of unencrypted EBS volumes are not encrypted. So for snapshot encryption it really is about encryption of the EBS volumes first, and then they get encrypted once you take snapshots. It will use the same KMS keys and mechanism that were used at the EC2/EBS level. I hope this answers your security team's question.
My advice is to always encrypt the EBS volumes.
Augusto

kiniama
Answered 4 years ago
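An offline audit of the rule described in the answer above, as an added example that is not part of the original thread: it lists unencrypted snapshots, the unencrypted volumes that will keep producing them, and which KMS key protects each encrypted snapshot. The field names (`VolumeId`, `SnapshotId`, `Encrypted`, `KmsKeyId`) follow the output of `aws ec2 describe-volumes` and `aws ec2 describe-snapshots --owner-ids self`; all IDs and the key ARN are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data shaped like describe-volumes / describe-snapshots output.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"  # placeholder ARN
VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": KEY_A},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
    {"VolumeId": "vol-0ddd", "Encrypted": False},  # no snapshot taken yet
]}
SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-01", "VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": KEY_A},
    {"SnapshotId": "snap-02", "VolumeId": "vol-0bbb", "Encrypted": False},
    {"SnapshotId": "snap-03", "VolumeId": "vol-0ccc", "Encrypted": False},  # source volume deleted
]}


def audit(volumes_doc, snapshots_doc):
    """Return unencrypted snapshots, unencrypted volumes, and snapshots grouped by KMS key."""
    volumes = {v["VolumeId"]: v for v in volumes_doc["Volumes"]}
    unencrypted_snaps = []
    by_key = defaultdict(list)

    for snap in snapshots_doc["Snapshots"]:
        if snap.get("Encrypted"):
            # Inventory of keys whose loss or policy change affects snapshot access.
            by_key[snap.get("KmsKeyId", "unknown")].append(snap["SnapshotId"])
            continue
        src = volumes.get(snap["VolumeId"])
        if src is None:
            origin = "source volume no longer exists"
        elif src.get("Encrypted"):
            origin = "source volume is encrypted (unexpected, investigate)"
        else:
            origin = "source volume is unencrypted"
        unencrypted_snaps.append((snap["SnapshotId"], snap["VolumeId"], origin))

    # Every unencrypted volume will yield unencrypted snapshots until it is replaced.
    unencrypted_vols = sorted(vid for vid, v in volumes.items() if not v.get("Encrypted"))
    return {
        "unencrypted_snapshots": unencrypted_snaps,
        "unencrypted_volumes": unencrypted_vols,
        "snapshots_by_key": dict(by_key),
    }


if __name__ == "__main__":
    for section, items in audit(VOLUMES, SNAPSHOTS).items():
        print(section, items)
```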
0

Thanks!

Answered 4 years ago
