EBS snapshots and S3 encryption


I know that EBS snapshots are stored in S3 in a hidden location not accessible by the customer.

My question was how the snaps are stored within this hidden section of S3. Is it a single bucket per account holding all of the snaps or just some secret mechanism not based on what customers normally see when managing a bucket in the console or api

Though my main question, coming from my security officer, was if the snaps in S3 are stored in an encrypted bucket or just encrypted at rest in general. Or if that's left up to the customer to encrypt their EBS volumes themselves so the snaps will be encrypted as well when they get to the S3 location.

Thanks for any answers.

asked 4 years ago407 views
2 Answers

Hi James
If you refer to this information, https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html, you will see that snapshots of un-encrypted EBS volumes are not encrypted. So for snaphots encryption it really is about encryption of the EBS volumes first, and then they get encrypted once you snapshots. It will use the same KMS keys and mechanism it was used at EC2 level/EBS. I hope this answers your security team question.
My advice is always encrypt the EBS volumes.

answered 4 years ago


answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions