How does an EBS volume in an Availability zone get restricted only to a specific AWS account & its users?

Question

In AWS, an EC2 instance is launched within a subnet created in an Availability Zone which is again, in a VPC. So, the VPC can be thought of like a container to which only the AWS account and its users have access to. But when creating EBS volumes, only the Availability Zone is asked for / provided and the same EBS volume can be attached to any EC2 instance irrespective of the VPC it belongs to (Of course, for the same AWS account only). My question is - How does AWS prevent other AWS accounts from seeing this EBS volume present in the AZ? Is that implementation abstracted by AWS?

John Rotenstein John Rotenstein · Accepted Answer · 2019-03-04T22:53:29

An Amazon VPC is a virtual construct that is used to connect virtual computers according to traditional networking. Resources (eg EC2 instances, RDS databases) can be connected via a VPC, which determines how network traffic flows between them. It is not necessarily how the resources are physically created.

An Availability Zone is a physical data center (or a group of data centers). Resources are created in an AZ, which determines their physical location. For example, an Amazon EBS volume resides in a data center, so it is in only one AZ. It can be logically connected to any EC2 instance in the same account in the same AZ.

Amazon EBS volumes are connected via a backplane that is invisible to the resources. It just magically "attaches" to the instance. It does not use the same network as a VPC.

The Amazon EBS service will only provide EBS volumes to EC2 instances in the same AWS account.

How does an EBS volume in an Availability zone get restricted only to a specific AWS account & its users?

2 Answers