I am a beginner of AWS and I have a question about the EBS volume. I know that when we create an EBS volume, there is an option for enabling the encryption (default is unencrypted). With security concern, it is better to enable the encryption of EBS volume, why EBS is not force to be encrypted? What is the use cases/reasons for choosing unencrypted EBS volume?
2 Answers
1
votes
My guess is that it would be because Amazon EBS encryption was not always available. It was a feature added at some point, so the ability to use a non-encrypted volume remains.
Encrypted volumes also make some tasks more difficult, such as sharing AMIs publicly or between Accounts. There's plenty of reason to offer non-encrypted volumes.
Therefore, it would not be a good idea to "force" encryption.
However, you are welcome to force encryption within your organization, but be aware that there may be times when you do not want it activated.
0
votes
This is likely down to the fact that it might change the way in which users can interact with their resources (and is technically a breaking change as the previous default was unencrypted volumes), so a user should understand these changes before they actually start using encryption.
Encryption in AWS is actively encouraged but by enabling it for services such as EBS, it does change some flows for example snapshots will be encrypted. If you need to migrate these between regions (or accounts) for DR you have additional steps to allow this.
Regarding security, yes it is better for security primarily from the physical level of AWS. It means that should anyone gain physical access to the storage they will not be able to access the data without access to the key used to encrypt the volume. However, should someone SSH into your server it will behave like normal.
AWS has enabled a feature for users who was this to be the default, you need to Opt-In to default encryption to enable this.
