Snapshots

EBS snapshots provide point-in-time backups of your volumes and are stored in S3, inheriting its durability features. They play a crucial role in data recovery, allowing you to restore your volume to a previous state. Snapshots are incremental, meaning only the blocks that have changed since the last snapshot are stored. This makes it a cost-effective and efficient backup solution.

Snapshots can be triggered manually on-demand from the EC2 console. It is also highly advisable to automate them using Amazon Data Lifecycle Manager. This service automates the creation, retention, and deletion of snapshots, making it easier to adhere to data retention policies and minimizing the risk of human error.

Snapshots can be shared across accounts or even made public. This feature can be both an advantage and a risk. On the one hand, it facilitates data sharing and migration; on the other, it can lead to data exposure if not managed correctly. Therefore, it is crucial to implement proper access controls on your snapshots, similar to how you would manage AMIs.

Encryption

EBS provides robust encryption solutions for both volumes and snapshots to ensure data at rest is secure.

Volumes encryption

EBS offers seamless encryption for volumes that rely on KMS keys for centralized management. Once a volume is encrypted, the data stored on it, the I/O operations, and all snapshots created from it are encrypted.

The process of encrypting an EBS volume is straightforward. When creating a new volume, simply enable encryption. If you don’t specify a KMS key, the default AWS-managed key for EBS (aws/ebs) is used. However, for more control, you can specify a KMS CMK.

For existing unencrypted volumes, while you can’t directly encrypt them, a common workaround is to create a snapshot of the volume, and then create an encrypted copy of that snapshot. From this encrypted snapshot, a new encrypted volume can be created.

It is important to note that incorrect KMS permissions can lead to unexpected issues. For example, a stopped instance with a KMS-protected root volume will fail to start if the entity attempting to start it lacks the necessary permissions to use the KMS key.

Snapshots encryption

When you create a snapshot of an encrypted volume, the snapshot is also encrypted. Moreover, when you copy a snapshot, you have the option to re-encrypt it with a different key. This flexibility is crucial for various scenarios, such as sharing snapshots across accounts where each account has its own set of KMS keys.