AWS ebs documentation change
Summary
Updated encryption documentation to clarify process for encrypting existing volumes/snapshots via snapshot copies and encryption by default
Security assessment
Changes clarify encryption workflows but do not indicate a security vulnerability. Focuses on explaining existing security features of EBS encryption.
Diff
diff --git a/ebs/latest/userguide/ebs-encryption.md b/ebs/latest/userguide/ebs-encryption.md index 5f7acc99a..95831198e 100644 --- a//ebs/latest/userguide/ebs-encryption.md +++ b//ebs/latest/userguide/ebs-encryption.md @@ -54 +54 @@ Public snapshots of encrypted volumes are not supported, but you can share an en -You cannot directly encrypt existing unencrypted volumes or snapshots. However, you can create encrypted volumes or snapshots from unencrypted volumes or snapshots. If you enable encryption by default, Amazon EBS automatically encrypts new volumes and snapshots using your default KMS key for EBS encryption. Otherwise, you can enable encryption when you create an individual volume or snapshot, using either the default KMS key for Amazon EBS encryption or a symmetric customer managed encryption key. For more information, see [Create an Amazon EBS volume](./ebs-creating-volume.html) and [Copy an Amazon EBS snapshot](./ebs-copy-snapshot.html). +You can't directly encrypt existing unencrypted volumes or snapshots. @@ -56 +56 @@ You cannot directly encrypt existing unencrypted volumes or snapshots. However, -To encrypt the snapshot copy to a customer managed key, you must both enable encryption and specify the KMS key, as shown in [Copy an unencrypted snapshot (encryption by default not enabled)](./encryption-examples.html#snapshot-account-off). +To encrypt an unencrypted volume, create a snapshot of that volume, and then use the snapshot to create a new encrypted volume. For more information, see [Create snapshots](./ebs-create-snapshot.html) and [Create a volume](./ebs-creating-volume.html). @@ -58 +58 @@ To encrypt the snapshot copy to a customer managed key, you must both enable enc -###### Important +To encrypt an unencrypted snapshot, create an encrypted copy of that snapshot. For more information, see [Copy a snapshot](./ebs-copy-snapshot.html). @@ -60,3 +60 @@ To encrypt the snapshot copy to a customer managed key, you must both enable enc -Amazon EBS does not support asymmetric encryption KMS keys. For more information, see [Using Symmetric and Asymmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the _AWS Key Management Service Developer Guide_. - -You can also apply new encryption states when launching an instance from an EBS-backed AMI. This is because EBS-backed AMIs include snapshots of EBS volumes that can be encrypted as described. For more information, see [Use encryption with EBS-backed AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html). +If you enable your account for encryption by default, volumes and snapshot copies created from unencrypted snapshots are always encrypted. Otherwise, you must specify the encryption parameters in the request. For more information, see [Enable encryption by default](./encryption-by-default.html).