EBS Encryption: AWS Block Storage Encryption at Rest
EBS encryption protects data at rest on AWS Elastic Block Store volumes using KMS keys. Unencrypted volumes are a common compliance finding in cloud security scans.
What is EBS Encryption?
EBS encryption is AWS’s mechanism for encrypting data stored on Elastic Block Store (EBS) volumes — the virtual hard drives attached to EC2 instances. When enabled, data is encrypted at rest on the volume, during transit between the instance and the volume, and on any snapshots created from the volume.
EBS encryption uses AWS Key Management Service (KMS) keys — either the default AWS-managed key (aws/ebs) or a customer-managed key (CMK) that you control. The encryption is AES-256, handled transparently at the hypervisor level with no performance penalty on modern instance types.
Why It Matters
Unencrypted EBS volumes are one of the most common findings in cloud security assessments and a CIS Benchmark failure:
- Data exposure risk — If an EBS volume or snapshot is accidentally shared or exposed, unencrypted data is immediately readable
- Compliance requirement — PCI DSS, HIPAA, SOC 2, and ISO 27001 all require encryption at rest. Unencrypted volumes are automatic audit failures.
- Snapshot sharing — EBS snapshots can be shared across accounts or made public. Without encryption, this is a data leak vector.
- Decommissioning — When AWS retires physical hardware, encrypted volumes are cryptographically erased. Unencrypted volumes rely on physical destruction processes.
The CIS AWS Benchmark (Section 2.2.1) specifically requires: “Ensure EBS volume encryption is enabled by default.”
How It Works / Key Concepts
Encryption Scope
When EBS encryption is enabled for a volume:
- Data at rest on the volume is encrypted
- Data moving between the EC2 instance and EBS volume is encrypted
- All snapshots of the volume are encrypted
- Volumes created from encrypted snapshots are encrypted
KMS Key Options
| Key Type | Control | Cost | Use Case |
|---|---|---|---|
| AWS-managed key (aws/ebs) | AWS manages rotation | Free | Default compliance |
| Customer-managed CMK | You control policy, rotation, deletion | $1/month + API calls | Regulated workloads, cross-account control |
Customer-managed keys provide additional controls: you can restrict which IAM principals can use the key, enforce automatic rotation, and revoke access instantly by disabling the key.
Default Encryption
AWS allows enabling EBS encryption by default at the account level per region. Once enabled:
- All new EBS volumes are automatically encrypted
- New snapshots inherit encryption
- You can specify the default KMS key (AWS-managed or CMK)
This eliminates the “forgot to check the encryption box” problem. It’s a one-time setting that prevents future findings.
Migration: Encrypting Existing Volumes
You cannot encrypt an existing unencrypted volume in place. The migration process:
- Create a snapshot of the unencrypted volume
- Copy the snapshot with encryption enabled
- Create a new volume from the encrypted snapshot
- Stop the instance, detach the old volume, attach the new one
- Delete the unencrypted volume and snapshot
This process requires downtime, which is why enabling default encryption early is critical.
Common Findings
- Unencrypted volumes — The volume was created before default encryption was enabled
- AWS-managed key instead of CMK — Compliance frameworks may require customer-managed keys
- Unencrypted snapshots — Legacy snapshots from before encryption was enabled
- Cross-region snapshots without encryption — Copied snapshots that were not encrypted during the copy step
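The checks behind the findings above, and the per-region default-encryption setting, can be scripted. The following is an added example, not Kloudle's code: it classifies records shaped like the EC2 DescribeVolumes/DescribeSnapshots responses, with a separate boto3 `collect()` helper for live use; the sample volumes, snapshots and key ARNs are constructed placeholders.

```python
from typing import Dict, List

AWS_MANAGED = "AWS"  # KeyManager value KMS reports for AWS-managed keys such as aws/ebs

def classify(resources: List[dict], key_manager: Dict[str, str], kind: str) -> List[dict]:
    """One finding per volume/snapshot that is unencrypted or encrypted with an AWS-managed key.
    key_manager maps a KMS key ARN to kms.describe_key()['KeyMetadata']['KeyManager']."""
    findings = []
    for r in resources:
        rid = r[f"{kind}Id"]  # VolumeId or SnapshotId
        if not r.get("Encrypted", False):
            findings.append({"id": rid, "severity": "high", "finding": f"unencrypted {kind.lower()}"})
        # An unknown key is treated as AWS-managed so it still surfaces for review.
        elif key_manager.get(r.get("KmsKeyId", ""), AWS_MANAGED) == AWS_MANAGED:
            findings.append({"id": rid, "severity": "medium", "finding": "AWS-managed key instead of CMK"})
    return findings

def audit(default_encryption_on: bool, volumes, snapshots, key_manager) -> List[dict]:
    """Region-level default-encryption check plus per-resource findings."""
    findings = []
    if not default_encryption_on:
        findings.append({"id": "region", "severity": "high", "finding": "EBS encryption by default is disabled"})
    return findings + classify(volumes, key_manager, "Volume") + classify(snapshots, key_manager, "Snapshot")

def collect(region: str):
    """Gather live inputs for audit() with boto3 (needs AWS credentials; not exercised below)."""
    import boto3
    ec2, kms = boto3.client("ec2", region_name=region), boto3.client("kms", region_name=region)
    default_on = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    volumes = [v for p in ec2.get_paginator("describe_volumes").paginate() for v in p["Volumes"]]
    snapshots = [s for p in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"])
                 for s in p["Snapshots"]]
    key_ids = {r["KmsKeyId"] for r in volumes + snapshots if r.get("KmsKeyId")}
    key_manager = {k: kms.describe_key(KeyId=k)["KeyMetadata"]["KeyManager"] for k in key_ids}
    return default_on, volumes, snapshots, key_manager

# Constructed sample data in the API response shape; IDs and key ARNs are placeholders.
CMK = "arn:aws:kms:us-east-1:111122223333:key/cmk-placeholder"
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aws-ebs-placeholder"
KEY_MANAGER = {CMK: "CUSTOMER", AWS_KEY: "AWS"}
VOLUMES = [{"VolumeId": "vol-0aaa", "Encrypted": False},
           {"VolumeId": "vol-0bbb", "Encrypted": True, "KmsKeyId": AWS_KEY},
           {"VolumeId": "vol-0ccc", "Encrypted": True, "KmsKeyId": CMK}]
SNAPSHOTS = [{"SnapshotId": "snap-0aaa", "Encrypted": False},
             {"SnapshotId": "snap-0bbb", "Encrypted": True, "KmsKeyId": CMK}]

if __name__ == "__main__":
    for f in audit(False, VOLUMES, SNAPSHOTS, KEY_MANAGER):
        print(f"{f['severity']:<6} {f['id']:<10} {f['finding']}")
```

For a real account, feed `audit(*collect("us-east-1"))` and run it once per region, since the default-encryption setting is regional.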
How Kloudle Helps
Kloudle flags unencrypted EBS volumes and snapshots as high-severity findings, checks default encryption settings per region, and verifies KMS key configurations. These checks are part of Kloudle’s CIS Benchmark coverage across 1,890 security checks. With sovereign deployment, your storage security posture data — including which volumes store what — never leaves your infrastructure.
Related Terms
- What is Cloud Misconfiguration? — Unencrypted EBS is a common misconfiguration
- What is CIS Benchmark? — CIS requires EBS encryption
- What is CSPM? — Tools that detect encryption gaps