brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 13:44:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
504e8ef68175c48e3105ae5e5bf7c73f2683ef79
oam/knowledge base/cloud computing/aws/ebs.md

7.9 KiB
Raw Blame History

Elastic Block Store

Persistent block storage for EC2 Instances.

  1. TL;DR
  2. Snapshots
  3. Encryption
  4. Further readings
    1. Sources

TL;DR

Real world use cases 
# Clean up unused volumes.
aws ec2 describe-volumes --output 'text' --filters 'Name=status,Values=available' \
  --query "Volumes[?CreateTime<'2018-03-31'].VolumeId" \
| xargs -pn '1' aws ec2 delete-volume --volume-id

# Check state of snapshots.
aws ec2 describe-snapshots --snapshot-ids 'snap-0123456789abcdef0' \
  --query 'Snapshots[].{"State": State,"Progress": Progress}' --output 'yaml'

# Wait for snapshots to finish.
aws ec2 wait snapshot-completed --snapshot-ids 'snap-0123456789abcdef0'

Volumes can have their size increased, but not reduced.
After increase, the filesystem must be extended to take advantage of the change in size.
Apparently, Linux machines are able to do that automatically with a reboot.

Snapshots

The first snapshot is complete, with all the volume's blocks being copied. All successive snapshots of the same volume are incremental, with only the changes being copied.
Incremental snapshots are stored in EBS' standard tier.

Snapshots can be unbearably slow depending on the amount of data needing to be copied.
For comparison, the first snapshot of a 200 GiB volume took about 2h to complete.

Snapshots can be archived to save money should they not need frequent nor fast retrieval.
When archived, incremental snapshots are converted to full snapshots and moved to EBS' archive tier.

The minimum archive period is 90 days.
If deleting or permanently restoring an archived snapshot before the minimum archive period, one is billed for all the remaining days in the archive tier, rounded to the nearest hour.

When access to archived snapshots is needed, they need to be restored to the standard tier before use. Restoring can take up to 72h.

Encryption

Refer How Amazon EBS encryption works.

One can encrypt both boot and data volumes.

At the time of writing, only symmetric keys are supported.

Volumes attached to supported instance types encrypt the following types of data:

  • Data at rest inside the volume.
  • Data moving between the volume and the attached instance.
  • Snapshots created from the volume.
  • Volumes created from said snapshots.

Volumes are encrypted with a AES-256 data key.
The key is:

  1. Generated by KMS.
  2. Encrypted by KMS with another KMS-managed key.
  3. Stored with the volume's information.

EBS automatically creates a unique AWS-managed key in each Region where one creates EBS resources, using the aws/ebs alias. EBS then uses this KMS key for encryption by default.
Alternatively, one can use a symmetric customer managed encryption key of one's own creation.

EC2 integrates with KMS to encrypt and decrypt EBS volumes in ways that differ depending on whether the original snapshot for encrypted volumes is itself encrypted or unencrypted.

The original snapshot is encrypted
  1. EC2 sends a GenerateDataKeyWithoutPlaintext request to KMS specifying the KMS key for volume encryption.
  2. If the volume is encrypted using the same key as the snapshot, KMS encrypts that key using that same data key as the snapshot.
    If the volume is encrypted using a different KMS key, KMS generates a new data key and encrypts it using the specified key. The encrypted data key is then sent to EBS to be stored with the volume metadata.
  3. When attaching the encrypted volume to an instance, EC2 sends a CreateGrant request to KMS to be allowed to decrypt the data key.
  4. KMS decrypts the encrypted data key and sends the decrypted data key to EC2.
  5. EC2 uses the plaintext data key in the Nitro hardware to encrypt disk I/O to the volume.
    The plaintext data key persists in memory as long as the volume is attached to the instance.
The original snapshot is not encrypted

  1. EC2 sends a CreateGrant request to KMS to be allowed to encrypt the volume that is being created from the snapshot.

  2. EC2 sends a GenerateDataKeyWithoutPlaintext request to KMS specifying the key chosen for volume encryption.

  3. KMS generates a new data key, encrypts it using the specified key, and sends the encrypted data key to EBS to be stored with the volume metadata.

  4. EC2 sends a Decrypt request to KMS to decrypt the encrypted data key, which it then uses to encrypt the volume's data.

  5. When attaching the encrypted volume to an instance, EC2 sends:

    1. A CreateGrant request to KMS to be allowed to decrypt the data key.
    2. A Decrypt request to KMS specifying the encrypted data key.

  6. KMS decrypts the encrypted data key and sends the decrypted data key back to EC2.

  7. EC2 uses the plaintext data key in the Nitro hardware to encrypt disk I/O to the volume.
    The plaintext data key persists in memory as long as the volume is attached to the instance.

When KMS keys become unusable, the effect is almost immediately subject to eventual consistency.
The key state of the impacted KMS keys change to reflect their new condition, and all requests to use those keys in cryptographic operations fail.

EC2 uses the data key, not the KMS key itself, to encrypt all disk I/O while a volume is attached to the instance. As such, there is no immediate effect on the EC2 instance or its attached EBS volumes when performing an action that makes a key unusable.
When the encrypted EBS volume is detached from the instance, however, EBS removes the data key from the Nitro hardware. As such, the next time the encrypted EBS volume is attached to an EC2 instance the attachment will fail due EBS being unable to use the KMS key to decrypt the volume's encrypted data key. To use the EBS volume again, one must make the KMS key usable again.

Further readings

Sources