AWS provides the ability to encrypt EBS volumes, the value of which I am wondering about. In the "Overview of Security Processes (October 2016)" whitepaper, page 24, they say:

Encryption of sensitive data is generally a good security practice, and AWS provides the ability to encrypt EBS volumes and their snapshots with AES-256. The encryption occurs on the servers that host the EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage.

So what is the threat model there? Whom is the feature supposed to protect data from? Bad guys who may get physical access to the EBS server racks and try to scan/analyze/extract the data they need from the myriad physical disks?

Or, maybe, from AWS admins who have access to the host machines, have control over the RAM and hypervisor where encryption happens and can potentially access the unencrypted data anyway?

Limit
Greendrake
  • Good question. I would assume it would be useful if you have an instance or admin/IAM account compromised and the attacker tries to mount offline volumes from escalated privileges? I've always preferred to use LUKS and keep my own keys because of this very same question. – MrMookie Nov 20 '16 at 12:27
  • @MrMookie The thing is — you never actually use/enter encryption keys anywhere when you mount encrypted volumes. EC2 does it for you automatically behind the scenes. So an attacker who has access to the account will be able to mount encrypted volumes just like you. – Greendrake Nov 20 '16 at 21:59

2 Answers

tl;dr Auditors

Many data security audits require data to be encrypted at rest. Often the threat model is an old hard drive ending up on eBay or picked out of the dump. If the data is unencrypted on these drives and they are not properly handled/destroyed there could definitely be data loss. There is also the classic "truck backing up into the datacenter" threat vector where people make off with whole servers but no decryption keys.

John Downey
  • +1 For "truck backing up the datacenter". The former point is weak though as AWS procedures include a decommissioning process — storage devices are degaussed and physically destroyed in accordance with industry-standard practices. – Greendrake Nov 25 '16 at 23:31
  • And every data security standard says you must have those too. They are worried about the disk that manages to slip through that process. Not saying it is a very realistic scenario if your organization is as mature as AWS, but it does happen from time to time. – John Downey Nov 26 '16 at 03:07
  • "They" you mean AWS or AWS customers? Mind that EBS encryption is optional — AWS does not, and their auditors cannot, require it to be kept turned on at all times. – Greendrake Nov 26 '16 at 03:32
  • "They" meaning the customers' auditors, who are still worried that AWS will mess up and not destroy a drive properly. – John Downey Nov 26 '16 at 06:53

Other suggestion: it's an added layer of security in case of a failure of multi-tier isolation for EBS (for example, a bug at AWS means that another account suddenly has access to your data volumes): it would also require access to your encryption keys, which are provided by another service.
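The two answers and the comments under them turn on the same practical question: which volumes and snapshots are actually encrypted, and who controls the key they are encrypted with (the "other service" in the second answer is AWS KMS; the account's default aws/ebs key has a fixed key policy, whereas a customer-managed key's policy is yours to scope). The audit below is an added example, not code from the original thread or from AWS. It works on the dict shapes boto3 returns from ec2.describe_volumes(), ec2.describe_snapshots() and kms.describe_key() (KeyMetadata.KeyManager is "AWS" or "CUSTOMER"), so live output can be fed in unchanged; every ID and ARN in the sample data is constructed for illustration.

```python
"""Audit EBS volumes and snapshots for encryption at rest and key ownership.

Added example (not from the thread or from AWS). Input dicts follow the shapes
returned by boto3: ec2.describe_volumes()["Volumes"],
ec2.describe_snapshots()["Snapshots"], and a map of key ARN -> KeyManager
taken from kms.describe_key()["KeyMetadata"]. All IDs/ARNs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Optional


@dataclass(frozen=True)
class Finding:
    resource_id: str
    severity: str  # "HIGH" or "MEDIUM"
    reason: str


def classify_key(kms_key_id: Optional[str], key_managers: Mapping[str, str]) -> str:
    """Return NONE, AWS_MANAGED, CUSTOMER_MANAGED or UNKNOWN for a KmsKeyId."""
    if not kms_key_id:
        return "NONE"
    manager = key_managers.get(kms_key_id)
    if manager == "AWS":
        return "AWS_MANAGED"
    if manager == "CUSTOMER":
        return "CUSTOMER_MANAGED"
    return "UNKNOWN"  # key in another account, deleted, or never described


def _audit(resources: Iterable[dict], id_field: str, plaintext_risk: str,
           key_managers: Mapping[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for r in resources:
        rid = r[id_field]
        if not r.get("Encrypted", False):
            # Plaintext on the storage tier: only AWS's media handling
            # (physical security, decommissioning) protects the bytes.
            findings.append(Finding(rid, "HIGH", "not encrypted: " + plaintext_risk))
            continue
        kind = classify_key(r.get("KmsKeyId"), key_managers)
        if kind == "AWS_MANAGED":
            # The default aws/ebs key's policy is not editable, so its use cannot be
            # limited to particular roles within the account.
            findings.append(Finding(rid, "MEDIUM",
                "encrypted with the account default key; key use cannot be scoped by key policy"))
        elif kind == "UNKNOWN":
            findings.append(Finding(rid, "MEDIUM",
                "encrypted with a key this audit could not describe; confirm who controls it"))
        # CUSTOMER_MANAGED: the key policy is the second control, so no finding.
    return findings


def audit_volumes(volumes: Iterable[dict], key_managers: Mapping[str, str]) -> List[Finding]:
    return _audit(volumes, "VolumeId",
                  "data is readable by anyone holding the disk", key_managers)


def audit_snapshots(snapshots: Iterable[dict], key_managers: Mapping[str, str]) -> List[Finding]:
    return _audit(snapshots, "SnapshotId",
                  "snapshot can be shared with another account or made public", key_managers)


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# --- constructed sample data (hypothetical account 111122223333) ---
DEFAULT_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/aaaa1111-default"
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/bbbb2222-customer"
FOREIGN_KEY_ARN = "arn:aws:kms:us-east-1:999988887777:key/cccc3333-foreign"
SAMPLE_KEY_MANAGERS = {DEFAULT_KEY_ARN: "AWS", CMK_ARN: "CUSTOMER"}
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-aaaa1111", "Encrypted": False},
    {"VolumeId": "vol-bbbb2222", "Encrypted": True, "KmsKeyId": DEFAULT_KEY_ARN},
    {"VolumeId": "vol-cccc3333", "Encrypted": True, "KmsKeyId": CMK_ARN},
    {"VolumeId": "vol-dddd4444", "Encrypted": True, "KmsKeyId": FOREIGN_KEY_ARN},
]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-eeee5555", "Encrypted": False, "VolumeId": "vol-aaaa1111"},
    {"SnapshotId": "snap-ffff6666", "Encrypted": True, "KmsKeyId": CMK_ARN,
     "VolumeId": "vol-cccc3333"},
]

if __name__ == "__main__":
    all_findings = (audit_volumes(SAMPLE_VOLUMES, SAMPLE_KEY_MANAGERS)
                    + audit_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_KEY_MANAGERS))
    for f in all_findings:
        print(f"{f.severity:6} {f.resource_id:14} {f.reason}")
    print(summarize(all_findings))
```

Against live data you would pass `ec2.describe_volumes()["Volumes"]` and `ec2.describe_snapshots(OwnerIds=["self"])["Snapshots"]`, and build the key map by calling `kms.describe_key(KeyId=arn)` for each distinct KmsKeyId seen. The CUSTOMER_MANAGED case produces no finding on purpose: that is where the key policy (not EC2 permissions alone) decides who can attach the volume, which is the separation the second answer is describing.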