
I am trying to better understand what happens when a CMK is disabled in AWS KMS. Specifically, if I have an EBS volume which is encrypted with this key, what happens to this volume and the EC2 instance attached to the volume?

Does the volume become unusable for the duration when the CMK is disabled? Is the EC2 to which the volume is attached turned off?

Would greatly appreciate any guidance.

Best,

Yes. Your instance won't boot and you can't use the volume. - Marcin

1 Answer

From docs:

If you disable a CMK, it cannot be used to encrypt or decrypt data until you re-enable it.

When you use your CMK to encrypt a root EBS volume and then disable it, you won't be able to start it again.

Only a few operations are possible on a disabled key, such as DescribeKey, CreateAlias or GetKeyPolicy.

When you disable the key while the instance is running, it will keep running. The reason is (I think) the same as when you delete the key:

Several AWS services integrate with AWS KMS to protect your data. Some of these services, such as Amazon EBS and Amazon Redshift, use a customer master key (CMK) in AWS KMS to generate a data key and then use the data key to encrypt your data. These plaintext data keys persist in memory as long as the data they are protecting is actively in use.

Scheduling a CMK for deletion makes it unusable, but it does not prevent the AWS service from using data keys in memory to encrypt and decrypt your data. The service is not affected until it needs to use the CMK that is pending deletion or deleted.
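The practical consequence of the answer above is that a running instance gives no warning: it keeps working on the cached data key and only fails at the next stop/start. The following added example (not from the question, the answer, or AWS) walks volume and key metadata shaped like the boto3 `describe_volumes` and `describe_key` responses and reports every attached encrypted volume whose key is not in the `Enabled` state, so such instances can be found before anyone reboots them. The volume ids, key ARNs and states are constructed sample data.

```python
"""Report EC2 instances whose encrypted EBS volumes use a KMS key that is not
Enabled (added example). Such instances keep running on the cached data key
but will not start again after a stop/reboot until the key is re-enabled."""
from collections import defaultdict

# Constructed sample shaped like ec2.describe_volumes()["Volumes"].
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/key-disabled",
     "Attachments": [{"InstanceId": "i-0001", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/key-ok",
     "Attachments": [{"InstanceId": "i-0001", "Device": "/dev/xvdf"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0002", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0ddd", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/key-pending",
     "Attachments": []},
]

# Constructed sample: KeyId -> KeyState as in kms.describe_key()["KeyMetadata"].
SAMPLE_KEY_STATES = {
    "arn:aws:kms:us-east-1:111122223333:key/key-disabled": "Disabled",
    "arn:aws:kms:us-east-1:111122223333:key/key-ok": "Enabled",
    "arn:aws:kms:us-east-1:111122223333:key/key-pending": "PendingDeletion",
}

def volumes_at_risk(volumes, key_states):
    """Map instance id -> [(volume id, device, key state)] for encrypted
    volumes whose key is not Enabled. Unattached volumes are listed under
    the pseudo-instance "unattached"; a key missing from key_states is
    reported as "Unknown" rather than silently ignored."""
    risk = defaultdict(list)
    for vol in volumes:
        if not vol.get("Encrypted"):
            continue  # no KMS dependency
        state = key_states.get(vol["KmsKeyId"], "Unknown")
        if state == "Enabled":
            continue  # key usable, instance will restart normally
        targets = vol["Attachments"] or [{"InstanceId": "unattached", "Device": None}]
        for att in targets:
            risk[att["InstanceId"]].append((vol["VolumeId"], att["Device"], state))
    return dict(risk)

if __name__ == "__main__":
    for inst, vols in volumes_at_risk(SAMPLE_VOLUMES, SAMPLE_KEY_STATES).items():
        for vol_id, dev, state in vols:
            print(f"{inst}: {vol_id} on {dev} uses a key in state {state}")
```

In a real account the two inputs come from `aws ec2 describe-volumes` and `aws kms describe-key` (or the boto3 equivalents); the function itself needs no network access.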