Elastic Block Store (EBS) – AWS Security Fundamentals – SCS-C02 Study Guide

Elastic Block Store (EBS)

Although EBS and EC2 are closely tied together, it is important to remember that they are both separate services. EBS is a storage service that provides network-based storage allocated in the same Availability Zone as the instance and is then mounted for usage. The amount of instance storage allocated to an instance varies by instance type, and not all types of EC2 instances contain an instance store volume.

EBS is different from an instance store in some key ways. The instance store volume is the storage that is physically attached to the EC2 instance. It is best used for temporary storage since the instance store does not persist through instance stops or instance failures. In contrast, data stored on an EBS volume will persist.

EBS volumes can be allocated at the time of instance creation or created after the instance has been placed into service, as additional storage. A key point to remember when allocating and restoring EBS volumes is that a volume must stay in the same Availability Zone in which it was created.

Types of EBS Volumes

The following are three main types of EBS volumes, all of which differ in performance, optimal use cases, and cost:

  • Solid State Drives (SSDs): This type of drive is optimized for heavy read and write operations and for workloads where a higher number of IOPS is needed. There are two types of SSD EBS volumes that you can choose to provision for your EC2 instances, described in the next two items.
  • General-purpose SSDs: These drives give you a balance of cost and performance and are best used in development and test environments.
  • Provisioned IOPS SSDs: These are the drives you want to use for mission-critical workloads when performance is critical, especially in the case of databases.

Security Considerations for EBS

Now that you have a grasp of the EBS service, consider some of the security considerations to be kept in mind when using the service:

  • When encrypting EBS volumes and snapshots, use KMS customer managed keys instead of AWS managed keys to retain control over the encryption and decryption of data (key policy, rotation, and the ability to disable or delete the key).
  • Enable encryption by default on EBS volumes. Use the AWS Config service to check that this policy is being adhered to across your organization.
  • Make sure that all EBS snapshots that you create are encrypted.
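The three checks above can be expressed as a small audit over the data the EC2 and KMS APIs return. The following is an added example for this study guide, not AWS code: the dicts are shaped like the items from boto3's ec2.describe_volumes() and ec2.describe_snapshots(), the KeyManager field from kms.describe_key(), and the ec2.get_ebs_encryption_by_default() response, but every key ARN and resource ID is a constructed placeholder.

```python
"""Audit EBS volumes and snapshots against the three encryption controls.

Added example, not AWS code. Dicts mimic boto3 response shapes; all values
below are constructed samples, not data from a real account.
"""
from typing import Dict, List, Tuple

# Constructed key ARNs (placeholders; real ARNs end in a UUID key id).
CMK = "arn:aws:kms:us-east-1:111122223333:key/CUSTOMER-KEY-ID-PLACEHOLDER"
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/AWS-MANAGED-KEY-ID-PLACEHOLDER"

# KeyManager as kms.describe_key()["KeyMetadata"]["KeyManager"] reports it:
# "CUSTOMER" for a customer managed key, "AWS" for an AWS managed key.
KEY_MANAGER: Dict[str, str] = {CMK: "CUSTOMER", AWS_KEY: "AWS"}

SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True, "KmsKeyId": CMK},
    {"VolumeId": "vol-0b2", "Encrypted": False},
    {"VolumeId": "vol-0c3", "Encrypted": True, "KmsKeyId": AWS_KEY},
]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0d4", "Encrypted": True, "KmsKeyId": CMK},
    {"SnapshotId": "snap-0e5", "Encrypted": False},
]


def audit(resources: List[dict], id_field: str,
          key_manager: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (resource id, reason) for each volume or snapshot that is
    unencrypted or encrypted with a key that is not customer managed."""
    findings: List[Tuple[str, str]] = []
    for res in resources:
        rid = res[id_field]
        if not res.get("Encrypted", False):
            findings.append((rid, "not encrypted"))
            continue
        manager = key_manager.get(res.get("KmsKeyId", ""), "UNKNOWN")
        if manager != "CUSTOMER":
            findings.append((rid, f"key managed by {manager}, not a CMK"))
    return findings


def default_encryption_finding(response: dict) -> List[Tuple[str, str]]:
    """Evaluate ec2.get_ebs_encryption_by_default() output for one region."""
    if response.get("EbsEncryptionByDefault"):
        return []
    return [("account/region", "EBS encryption by default is disabled")]


if __name__ == "__main__":
    for finding in (audit(SAMPLE_VOLUMES, "VolumeId", KEY_MANAGER)
                    + audit(SAMPLE_SNAPSHOTS, "SnapshotId", KEY_MANAGER)
                    + default_encryption_finding({"EbsEncryptionByDefault": False})):
        print(*finding)
```

Encryption by default is a per-region setting, so in a real account the last check must be repeated for every enabled region, which is also why the AWS Config rule mentioned above is the more practical way to enforce it at scale.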

Now that you have gone over the EBS service, the next thing to learn about is one of the most popular services—AWS Lambda.